WIP26 espionage group targets telecom firms in the Middle East

February 24, 2023
Tags: WIP26, Cyberespionage, Hacker Group, Telecom, Middle East, Cloud Services, Malware

The WIP26 espionage group has carried out a series of attacks against telecommunication providers in the Middle East. According to researchers, the operation relies heavily on public cloud infrastructure, including Microsoft Azure, Microsoft 365 Mail, Dropbox, and Google Firebase.

WIP26 uses these services to host its command-and-control channels, deliver malware, and exfiltrate stolen data.

The WIP26 espionage operation aims to collect intelligence from its targets.

WIP26 operators focus on intelligence gathering and route their traffic through legitimate cloud services so that it blends in with normal network activity and is harder to detect.

The intrusion starts with a WhatsApp message sent to a targeted employee. The message contains a Dropbox link to an archive that poses as a document about poverty in the Middle East.

The archive carries both the decoy document and a malware loader that poses as the PDFelement application. The loader drops custom-built backdoors, including CMDEmber and CMD365.

Researchers have observed multiple CMDEmber and CMD365 samples that abuse Microsoft 365 Mail and Google Firebase as command-and-control channels, retrieving and running commands issued by the attackers.

CMDEmber is a .NET executable that masquerades as the Opera browser. It uses an open-source Firebase library to interact with Google Firebase instances through HTTP requests. CMDEmber can steal private browser data and collect reconnaissance information about the compromised host. The actors then transfer the exfiltrated data to Azure instances under their own control, using PowerShell commands.

CMD365, for its part, is another .NET executable that masquerades as the Postman application. It creates a scheduled task on the compromised system to establish persistence. Like CMDEmber, it can carry out data exfiltration and reconnaissance, and it can also deliver additional payloads and escalate privileges.
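The practical detection problem with this tradecraft is that the destinations (Firebase, Microsoft 365, Azure) are legitimate, so a hunt has to key on the combination the article describes: a binary named like Opera or Postman running from a user-writable path, talking to one of the abused services, or being installed as a scheduled task. The following is an added example written for this page, not code from the article or from the researchers it cites. The log lines are constructed, the key="value" layout is an assumption (it mirrors a flattened Sysmon network event and a 4698 task-creation event), and the hostnames used for "MS 365 Mail" (graph.microsoft.com, outlook.office.com) are assumptions, since the article does not name the endpoints.

```python
import re
from dataclasses import dataclass

# Hostname suffixes of the cloud services the article says WIP26 abuses for C2.
# The two Microsoft hostnames for "MS 365 Mail" are an assumption of this example.
C2_HOST_SUFFIXES = {
    "firebaseio.com": "Google Firebase (CMDEmber-style C2)",
    "graph.microsoft.com": "Microsoft 365 Mail via Graph (CMD365-style C2)",
    "outlook.office.com": "Microsoft 365 Mail (CMD365-style C2)",
}

# Names the two backdoors borrow from real software, per the article.
MASQUERADE_NAMES = {"opera.exe", "postman.exe"}

# Where the genuine programs are normally installed (assumption for this check).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line: str) -> dict:
    """Parse a flattened key="value" event line into a dict."""
    return dict(_KV.findall(line))


def c2_service(host: str):
    """Return the abused-service label for a hostname, or None."""
    host = host.lower()
    for suffix, label in C2_HOST_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def from_trusted_dir(image: str) -> bool:
    return image.lower().startswith(TRUSTED_DIRS)


def image_name(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    kind: str
    image: str
    detail: str


def hunt_network(lines):
    """Flag masquerading binaries outside trusted dirs talking to the abused services."""
    out = []
    for line in lines:
        ev = parse_kv(line)
        image, host = ev.get("Image", ""), ev.get("DestinationHostname", "")
        label = c2_service(host)
        if label and image_name(image) in MASQUERADE_NAMES and not from_trusted_dir(image):
            out.append(Finding("network", image, f"{host}: {label}"))
    return out


def hunt_tasks(lines):
    """Flag scheduled-task creations whose action is a masquerading binary outside trusted dirs."""
    out = []
    for line in lines:
        ev = parse_kv(line)
        cmd = ev.get("Command", "")
        if image_name(cmd) in MASQUERADE_NAMES and not from_trusted_dir(cmd):
            out.append(Finding("scheduled_task", cmd, f"task {ev.get('TaskName', '?')}"))
    return out


# Constructed sample events (not real telemetry).
NETWORK_EVENTS = [
    # benign: the real Opera, installed under Program Files, reaching its own update service
    'Image="C:\\Program Files\\Opera\\opera.exe" DestinationHostname="autoupdate.geo.opera.com" DestinationPort="443"',
    # suspicious: an "opera.exe" in AppData posting to a Firebase Realtime Database host
    'Image="C:\\Users\\alice\\AppData\\Roaming\\Opera\\opera.exe" DestinationHostname="example-project.firebaseio.com" DestinationPort="443"',
    # suspicious: a "postman.exe" in Temp talking to Graph (mail-based C2)
    'Image="C:\\Users\\alice\\AppData\\Local\\Temp\\postman.exe" DestinationHostname="graph.microsoft.com" DestinationPort="443"',
    # benign: Outlook itself talking to Graph; same destination, expected process and path
    'Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" DestinationHostname="graph.microsoft.com" DestinationPort="443"',
]
TASK_EVENTS = [
    'TaskName="\\PostmanUpdate" Command="C:\\Users\\alice\\AppData\\Local\\Temp\\postman.exe" Arguments=""',
    'TaskName="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" Command="%windir%\\system32\\defrag.exe" Arguments="-c -h -o"',
]

if __name__ == "__main__":
    for f in hunt_network(NETWORK_EVENTS) + hunt_tasks(TASK_EVENTS):
        print(f"[{f.kind}] {f.image} -> {f.detail}")
```

The point of the benign lines is the caveat: allow-listing the destination does not work here, and blocking it breaks the business. The signal is the mismatch between the process name, its location, and the service it talks to, which is why the check pairs the destination with the image path rather than looking at either alone.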

Cybersecurity experts note that espionage attacks against Middle Eastern targets are not new. What stands out in this campaign is the use of trusted cloud services as infrastructure, which means traffic to those services cannot simply be assumed benign. Organisations should keep up with current threat activity to defend against such attacks.

Lastly, organisations should use a capable threat intelligence platform to stay informed about threats of this kind.
