China's cyber espionage group targets U.S. companies in a new campaign
WIP19, a previously unknown Chinese-speaking threat organization, is targeting telecommunications and IT service companies in the Middle East and Asia.
To evade detection, the espionage-related attacks use a stolen digital certificate belonging to a Korean company named DEEPSoft to sign the malicious components delivered through the infection chain.
"Almost all of the threat actor's actions were done in a 'hands-on keyboard' approach, during an interactive session with compromised devices," SentinelOne researchers Joey Chen and Amitai Ben Shushan Ehrlich said in a report this week.
"This meant that the attacker sacrificed a solid [command-and-control] channel for stealth."
SentinelOne's WIP (work-in-progress) classification is comparable to the UNC####, DEV-#### and TAG-## designations that Mandiant, Microsoft and Recorded Future, respectively, use for emerging or previously unattributed activity clusters.
The cybersecurity company also stated that parts of the malicious components used by WIP19 were authored by WinEggDrop, a Chinese-speaking malware developer who has been active since 2014.
Based on the shared use of WinEggDrop-authored malware and stolen certificates, as well as overlaps in tactics, WIP19 is assessed to have links to an earlier activity cluster tracked as Operation Shadow Force.
However, SentinelOne cautioned that "it is unclear if this is a fresh version of operation 'Shadow Force,' or just a different actor using identical TTPs."
The group's intrusions rely on a custom toolkit that includes a credential dumper, a network scanner, a browser credential stealer, a keylogger and a screen recorder (ScreenCap), along with an implant known as SQLMaggie.
SQLMaggie was also the subject of an in-depth analysis earlier this month by German cybersecurity firm DCSO CyTec, which highlighted its ability to break into Microsoft SQL servers and use that access to execute arbitrary commands through SQL queries.
An examination of telemetry data revealed the presence of SQLMaggie on 285 servers across 42 countries, including South Korea, India, Vietnam, China, Taiwan, Russia, Thailand, Germany, Iran and the United States.
The fact that the attacks are precisely targeted and limited in scale, combined with their focus on the telecommunications industry, suggests that the primary goal of the operation is intelligence gathering.
The findings illustrate both the breadth and the adaptability of China-aligned hacking groups, driven by the reuse of a range of malware families across many threat actors.
"WIP19 exemplifies the broader scope of Chinese espionage operations seen in key infrastructure sectors," SentinelOne analysts added.
"The presence of trustworthy quartermasters and common developers allows a landscape of difficult-to-identify threat groups that use similar technology, making threat clusters difficult to differentiate from the perspective of defenders."