Telecommunications and IT service providers in the Middle East and Asia are being targeted by a previously undocumented Chinese-speaking threat group dubbed WIP19.
The espionage-related attacks are characterized by the use of a stolen digital certificate issued by a Korean company called DEEPSoft to sign malicious artefacts deployed during the infection chain to evade detection.
“Almost all operations performed by the threat actor were completed in a ‘hands-on keyboard’ fashion, during an interactive session with compromised machines,” SentinelOne researchers Joey Chen and Amitai Ben Shushan Ehrlich said in a report this week.
“This meant the attacker gave up on a stable [command-and-control] channel in exchange for stealth.”
WIP, short for work-in-progress, is the moniker assigned by SentinelOne to emerging or hitherto unattributed activity clusters, similar to the UNC####, DEV-####, and TAG-## designations given by Mandiant, Microsoft, and Recorded Future.
The cybersecurity firm also noted that select portions of the malicious components employed by WIP19 were authored by a Chinese-speaking malware author dubbed WinEggDrop, who has been active since 2014.