WIP19 APT uses multiple malware strains to breach its targets

October 26, 2022

A newly discovered advanced persistent threat group tracked as WIP19 is targeting telecommunications companies and IT service providers with signed malware. Based on reports, the group has so far gone after organisations in Asia and the Middle East.

Moreover, the group signs its malicious components with certificates stolen in earlier incidents. WIP19 has deployed several malware strains in its campaigns against targeted companies, including ScreenCap, the SQLMaggie backdoor, and a credential dumper.

Researchers report that the group relies on DLL search order hijacking to load its screen recorder and keylogger. The keylogger focuses on the victim's web browser, harvesting saved credentials and other sensitive data.

WIP19 relies heavily on certificates stolen in earlier malicious incidents.

Analysts have observed WIP19 abusing certificates stolen in previous attacks to sign its malicious components. The legitimate certificate the actors used to sign their malware belongs to a Korean messaging provider.

The same certificate has also been used recently to sign that provider's genuine software. The researchers therefore concluded that the group stole the certificate, rather than obtaining it legitimately, and reused it for its own campaign.

As of now, every known WIP19 credential-harvesting tool is signed with a previously stolen certificate. The same certificate also signs a password dumper built from an open-source project, which loads a custom Security Support Provider (SSP) into LSASS and then dumps the process's memory to recover credentials.
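The two loader techniques named in this article, DLL search order hijacking and registering a credential-dumping SSP with LSASS, both leave traces in endpoint telemetry, and the stolen-certificate angle means a valid signature alone cannot clear a file. The following hunting script is an added example and is not code or data from the article or the underlying research: it runs a handful of rules over constructed Sysmon-style events (Event ID 7 image loads and Event ID 13 registry writes). The DLL names, the signer names, the registry path handling and the sample events are all assumptions made for illustration.

```python
"""Hunting rules for the WIP19 tradecraft described above, run over constructed
Sysmon-style events. Added example, not code or data from the article or the
underlying report; the DLL names, signer names and events are assumptions."""
from __future__ import annotations

# Directories from which core system DLLs are expected to load (assumes a
# default install on C:).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# DLLs that applications commonly import by bare name, which makes them
# classic search-order-hijacking targets. Illustrative list, an assumption.
HIJACK_CANDIDATES = {"version.dll", "dwmapi.dll", "userenv.dll",
                     "wtsapi32.dll", "cryptsp.dll"}

# Signer subjects expected on Microsoft-shipped DLLs (assumption). A valid
# signature only proves that someone held a signing key, as the stolen
# certificate abuse above shows, so the signer is compared against what the
# file's location should carry.
EXPECTED_SYSTEM_SIGNERS = {"microsoft windows", "microsoft corporation"}

# Registry value listing the Security Support Providers LSASS loads at boot.
# Appending a DLL name here is how a credential-dumping SSP is persisted.
SSP_VALUE = "hklm\\system\\currentcontrolset\\control\\lsa\\security packages"
KNOWN_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u",
              "cloudap", "negoexts"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def check_image_load(ev: dict) -> list[str]:
    """Rules for Sysmon Event ID 7 (ImageLoad)."""
    hits = []
    loaded = _norm(ev["ImageLoaded"])
    in_system_dir = loaded.startswith(SYSTEM_DIRS)
    signer = ev.get("Signature", "").lower()
    # DLL search order hijacking: a system DLL name resolved outside the system directories.
    if _basename(loaded) in HIJACK_CANDIDATES and not in_system_dir:
        hits.append("dll_search_order_hijack_candidate")
    # Malicious SSP: LSASS loading a DLL whose signer is not Microsoft, signed or not.
    if _basename(ev["Image"]) == "lsass.exe" and signer not in EXPECTED_SYSTEM_SIGNERS:
        hits.append("lsass_loaded_non_microsoft_dll")
    # Stolen-certificate lead: a validly signed DLL in a system directory with an unexpected signer.
    elif in_system_dir and ev.get("Signed", "false").lower() == "true" \
            and signer not in EXPECTED_SYSTEM_SIGNERS:
        hits.append("unexpected_signer_in_system_dir")
    return hits


def check_registry_set(ev: dict) -> list[str]:
    """Rules for Sysmon Event ID 13 (RegistryEvent SetValue). Assumes the
    collector flattened the REG_MULTI_SZ value to a space-separated list."""
    if _norm(ev["TargetObject"]) != SSP_VALUE:
        return []
    unknown = [p for p in ev.get("Details", "").lower().split() if p not in KNOWN_SSPS]
    return ["ssp_registered:" + ",".join(unknown)] if unknown else ["ssp_value_rewritten"]


def hunt(events: list[dict]) -> list[dict]:
    """Apply the rules to a batch of events and return one finding per rule hit."""
    findings = []
    for ev in events:
        eid = int(ev["EventID"])
        rules = check_image_load(ev) if eid == 7 else check_registry_set(ev) if eid == 13 else []
        for rule in rules:
            findings.append({"rule": rule, "image": ev["Image"],
                             "target": ev.get("ImageLoaded") or ev.get("TargetObject")})
    return findings


# Constructed sample telemetry (not real events): a hijacked version.dll, a
# benign system load, an SSP registration, a benign registry write, LSASS
# loading the new SSP, and LSASS loading a genuine Microsoft package.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\ExampleApp\ExampleApp.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\version.dll",
     "Signed": "true", "Signature": "Example Messaging Co., Ltd.", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u exampledump"},
    {"EventID": 13, "Image": r"C:\Program Files\ExampleApp\ExampleApp.exe", "EventType": "SetValue",
     "TargetObject": r"HKLM\Software\ExampleApp\LastRun", "Details": "20221026"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\exampledump.dll",
     "Signed": "true", "Signature": "Example Messaging Co., Ltd.", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\msv1_0.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def demo() -> list[dict]:
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the constructed sample the script raises three findings: the application loading `version.dll` from its own directory, the write that appends an unknown package to the `Security Packages` value, and LSASS subsequently loading that non-Microsoft DLL, while the two legitimate Microsoft-signed loads and the unrelated registry write pass. The signer rules are hunting leads rather than verdicts, since some third-party components legitimately live under System32; the point is that a file signed with a stolen but valid certificate will carry the wrong signer for its location, which is a far better tell than the signature status alone.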

Researchers were also able to attribute the ScreenCap malware to WIP19 after analysing a recent intrusion on a victim machine. The analysis further showed that the threat actors tailor their malware to each target.

Cybersecurity researchers assess that WIP19 is a China-based threat group, since its operations overlap with Operation Shadow Force via tooling linked to WinEggDrop. Furthermore, WIP19 and Shadow Force share several tactics, techniques, and procedures (TTPs).

The campaign is also characterised by precise targeting and a low volume of intrusions. Organisations of strategic importance to a country should therefore stay informed about these campaigns.

Affected firms are urged to share what they learn so that better mitigations can be developed against these APT groups.
