Cloud Infrastructure Used By WIP26 For Espionage Attacks on Telcos

A new threat actor, dubbed ‘WIP26’ by SentinelOne, has been confirmed to be targeting telecommunications providers in the Middle East.

Describing the threat in an advisory on Thursday, the security researchers said they had been tracking WIP26 together with colleagues from QGroup GmbH.

“WIP26 is characterized by exploiting public cloud infrastructure (Microsoft 365 email, Microsoft Azure, Google Firebase, Dropbox) to deliver malware, exfiltrate data, and for command and control (C2) purposes,” writes Aleksandar Milenkoski, senior threat researcher at SentinelLabs, the security research arm of SentinelOne.

The threat actor was observed starting the infection chain by precision-targeting employees with WhatsApp messages containing Dropbox links to malware loaders. The loaders in turn deploy two backdoors, CMD365 and CMDEmber, that abuse the cloud services listed above.

“The main function of CMD365 and CMDEmber is to execute attacker-supplied system commands using the Windows command interpreter,” explains Milenkoski.

Using public cloud infrastructure for C2 is, the researchers said, a tactic intended to make malicious C2 network traffic blend in with legitimate traffic and so make it harder to detect.

“The CMD365 and CMDEmber samples we observed masqueraded as utility software such as PDF editors and browsers, as well as software performing update operations,” Milenkoski wrote. “Spoofing attempts include using file names that indicate existing software vendors, the application’s icon, and digital signatures.”
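As an added example (not code from the SentinelLabs report, and not WIP26's tooling), the following Python hunt scores outbound connections to the cloud services named above. It combines the two observations in the text: because the destination itself looks legitimate, the process making the connection, its code-signature status and the vendor it claims to be have to carry the detection. The event lines, the domain suffixes, the expected-client allowlist and the vendor names (Contoso, Fabrikam) are all constructed assumptions for the example, not indicators from the report.

```python
import re

# Public cloud services the report names as abused for delivery, exfiltration
# and C2. The domain suffixes are this example's assumption of each service's
# API/content hosts, not indicators from the report.
CLOUD_SERVICES = {
    "Dropbox": ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com"),
    "Firebase": ("firebaseio.com", "firebasedatabase.app"),
    "Microsoft 365": ("graph.microsoft.com", "outlook.office365.com"),
    "Azure": ("azurewebsites.net", "blob.core.windows.net"),
}

# Hypothetical allowlist: which image names are expected to talk to which
# service in this environment. Browsers are deliberately left out, because
# the report says the implants masquerade as browsers.
EXPECTED_CLIENTS = {
    ("Dropbox", "dropbox.exe"),
    ("Microsoft 365", "outlook.exe"),
    ("Microsoft 365", "teams.exe"),
    ("Azure", "onedrive.exe"),
}

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

# Constructed Sysmon-style network events: key=value fields separated by '|'.
# Vendor names, paths and hosts are invented for the example.
SAMPLE_EVENTS = [
    r"image=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe|signature=Valid|signer=Dropbox, Inc|company=Dropbox, Inc|dest=api.dropboxapi.com",
    r"image=C:\Users\amal\AppData\Local\Temp\ContosoPDFEditor.exe|signature=Invalid|signer=Contoso Software|company=Contoso Software|dest=content.dropboxapi.com",
    r"image=C:\Users\amal\AppData\Local\Programs\FabrikamBrowser\browser.exe|signature=Unsigned|signer=|company=Fabrikam Corporation|dest=example-app-default-rtdb.firebaseio.com",
    r"image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|signature=Valid|signer=Microsoft Corporation|company=Microsoft Corporation|dest=outlook.office365.com",
    r"image=C:\Program Files\Fabrikam Sync\sync.exe|signature=Valid|signer=Fabrikam Corporation|company=Fabrikam Corporation|dest=content.dropboxapi.com",
    r"image=C:\Windows\System32\svchost.exe|signature=Valid|signer=Microsoft Windows|company=Microsoft Corporation|dest=update.example.net",
]


def service_for(host):
    """Map a destination host to one of the cloud services above, or None."""
    host = host.lower()
    for service, suffixes in CLOUD_SERVICES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return service
    return None


def parse_event(line):
    """Parse one 'key=value|key=value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def score_event(event):
    """Return (score, reasons). A score of 0 means nothing to look at."""
    service = service_for(event["dest"])
    if service is None:
        return 0, []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    score, reasons = 0, []
    if (service, image) not in EXPECTED_CLIENTS:
        score += 1
        reasons.append(f"{image} is not an expected {service} client")
    signature = event.get("signature", "Unsigned")
    if signature != "Valid":
        score += 2
        reasons.append(f"code signature is {signature}")
    # Spoofed vendor names: the company claimed in the file's version info
    # should also appear in the signer; a missing or mismatched signer is
    # the kind of inconsistency the masquerading described above produces.
    company_word = (re.findall(r"[a-z]+", event.get("company", "").lower()) or [""])[0]
    if company_word and company_word not in event.get("signer", "").lower():
        score += 1
        reasons.append(f"claims vendor '{event['company']}' but signer is '{event.get('signer', '')}'")
    if USER_WRITABLE.search(event["image"]):
        score += 1
        reasons.append("runs from a user-writable directory")
    return score, reasons


def hunt(lines, threshold=3):
    """Return the cloud-bound events whose combined score reaches the threshold."""
    findings = []
    for line in lines:
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append({"image": event["image"], "dest": event["dest"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['score']}] {finding['image']} -> {finding['dest']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

On the constructed events the two implants-in-disguise (the PDF editor with an invalid signature in a temp directory, and the unsigned "browser" talking to a Firebase database) are flagged, while the signed but unlisted sync client only scores 1 and stays below the threshold. The design choice worth noting is that no single field is decisive: a process-name allowlist alone is weak precisely because the report says the samples borrow vendor names, icons and signatures, so the signature status and the vendor/signer consistency are weighted higher than the name. In a real deployment the signature status should come from verifying the binary's Authenticode signature rather than from a self-reported log field.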

SentinelLabs researchers added that, given its toolkit and tactics, WIP26 appears to be focused primarily on espionage-related activity.

“The targeting of a telecommunications provider in the Middle East suggests that the motivation behind this activity is related to espionage,” the advisory reads.

“Telecommunications providers are often targets of espionage because they hold sensitive data. There is evidence that it targeted

The SentinelOne advisory came weeks after Trend Micro researchers revealed another campaign targeting entities in the Middle East.
