A newly identified Chinese-speaking threat cluster tracked as WIP19 has been observed targeting telecommunications and IT service providers in the Middle East and Asia. Likely engaged in espionage, the threat cluster overlaps with Operation Shadow Force but uses new malware and techniques. WIP19 signs its novel malware, including SQLMaggie, ScreenCap, and a credential dumper, with a legitimate certificate that was stolen from its rightful owner.
According to SentinelLabs, the research group tracking and monitoring the WIP19 threat cluster, the threat actor abused the stolen certificate to sign several malicious components. SentinelLabs reported that almost all operations performed by the threat actor were carried out “hands-on keyboard” during interactive sessions with compromised machines, meaning the attacker traded a stable C2 channel for stealth.
In an analysis of the backdoors used, combined with pivoting on the certificate, researchers concluded that portions of the components used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who has created tools for a variety of groups and has been active since 2014. The WinEggDrop-authored malware, the stolen certificates, and the overlapping TTPs may indicate links to Operation Shadow Force, as reported by TrendMicro and AhnLab. Because the toolset itself appears to be shared among several actors, it is unclear whether this is a new iteration of Operation Shadow Force or a different actor using similar TTPs. The activity SentinelLabs observed, however, represents a more mature actor using new malware and techniques.
SentinelLabs reported, “We linked an implant dubbed ‘SQLMaggie,’ recently described by DCSO CyTec, to this set of activity. SQLMaggie appears to be actively maintained and provides insights into the development timeline with hardcoded version names. In addition, we identified several other pieces of malware utilized by this threat actor.”
Cybersecurity Through Integrated Technology
With the latest threat from WIP19, it’s critical for managed service providers like Integrated Technology to reiterate the importance of evolving, scalable cybersecurity solutions that keep our partners protected from threats like this.
Malicious actors search for every vulnerability in your organization’s defenses in their attempts to access your most valuable data. Hackers target businesses of all sizes across a range of different industries, and it’s the companies that are the least prepared for cyberattacks that suffer the most devastating losses. Employing more sophisticated strategies at higher frequencies than ever, these cybersecurity threats pose an obvious danger to your organization, employees, and customers.
Your enterprise cybersecurity solutions dictate how well your business is protected. Integrated Technology’s cybersecurity solutions cover every base, address every vulnerability, and safeguard every path to your data. Shifting your organization’s cybersecurity operations to Integrated Technology’s team of dedicated professionals elevates your network security while lowering IT costs and alleviating the workload on your staff. Our security, privacy, and compliance solutions integrate seamlessly into your business operations.
Partner With Us
Integrated Technology is a leading managed services provider that equips organizations like yours with a reliable and secure IT foundation, so you can leverage the advanced technology that propels your business forward. Managed IT from Integrated Technology drives IT maturity through our best practices, proactive planning, and fast, reactive support.