New Threat Actor WIP26 Targeting Telecom Service Providers in the Middle East

February 16, 2023 | Ravie Lakshmanan | Cloud Security / Cyber Threat


A telecommunications service provider in the Middle East has been targeted by a previously undocumented threat actor as part of a suspected intelligence-gathering mission.

Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former's work-in-progress moniker WIP26.

"WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making malicious traffic appear legitimate," researchers Aleksandar Milenkoski, Collin Farr, and Joey Chen wrote in a report shared with The Hacker News.

This includes the abuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control (C2) purposes.

The initial intrusion vector used in the attack involved "precision targeting" of employees via WhatsApp messages containing Dropbox links to seemingly harmless archive files.

These files actually contain malware loaders whose core function is to deploy custom .NET-based backdoors, such as CMD365 and CMDEmber, that use Microsoft 365 Mail and Google Firebase for C2.


“The primary function of CMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command interpreter,” said the researchers. “This capability was used to conduct a variety of activities including reconnaissance, privilege escalation, staging additional malware, and data exfiltration.”

CMD365 scans the inbox folder for specific emails whose subject starts with "input" and extracts the C2 commands to execute on the infected host. CMDEmber, on the other hand, exchanges data with the C2 server by issuing HTTP requests.
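The mailbox-tasking behaviour described above gives defenders a concrete hunting signal: tasking messages carry a subject beginning with "input" and a body that is a command line rather than prose. The following Python is an added example for mail-security or SOC teams and is not code from SentinelOne, QGroup, or the article; the record layout and all sample messages are constructed for illustration, and the command-line heuristic is an assumption, so it will need tuning against a real export.

```python
import re

# Constructed sample mailbox records; the field layout is an assumption and
# would normally come from a mailbox export or audit feed.
SAMPLE_MESSAGES = [
    {"id": "m1", "mailbox": "user1@example.test", "from": "ops@example.test",
     "subject": "Input required: timesheet", "body": "Please submit by Friday."},
    {"id": "m2", "mailbox": "user1@example.test", "from": "relay@mail.example",
     "subject": "input", "body": "whoami && ipconfig /all"},
    {"id": "m3", "mailbox": "user2@example.test", "from": "relay@mail.example",
     "subject": "input 0042", "body": "powershell -enc SQBFAFgA..."},
    {"id": "m4", "mailbox": "user2@example.test", "from": "hr@example.test",
     "subject": "Holiday schedule", "body": "See attached."},
]

# Tokens that make a body read like a Windows command line rather than prose.
# Assumption: a starting list, not an exhaustive one.
COMMAND_HINTS = re.compile(
    r"(?i)\b(cmd(\.exe)?|powershell|whoami|ipconfig|net\s+user|tasklist"
    r"|reg\s+(add|query))\b|&&|(?<=\s)-enc\b"
)


def subject_matches(subject: str) -> bool:
    """True when the subject starts with 'input', as described for CMD365."""
    return re.match(r"(?i)^input\b", subject) is not None


def looks_like_command(body: str) -> bool:
    """True when the body contains command-line style tokens."""
    return bool(COMMAND_HINTS.search(body))


def find_suspect_messages(messages):
    """Return messages that match both signals: tasking subject and command body.

    Requiring both keeps ordinary mail such as "Input required: timesheet"
    from being flagged on the subject alone.
    """
    hits = []
    for m in messages:
        if subject_matches(m["subject"]) and looks_like_command(m["body"]):
            hits.append({
                "id": m["id"],
                "mailbox": m["mailbox"],
                "from": m["from"],
                "subject": m["subject"],
                "command_preview": m["body"][:60],
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspect_messages(SAMPLE_MESSAGES):
        print(f"[suspect tasking] {hit['mailbox']} <- {hit['from']}: "
              f"{hit['subject']!r} body={hit['command_preview']!r}")
```

Run against the constructed sample, only m2 and m3 are reported; m1 matches the subject pattern but not the body heuristic. In practice the hit list should be joined with mailbox-access telemetry, since a legitimate user reading such a message is far less interesting than a non-mail process polling the inbox for it.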

Exfiltration of data, including users' private web browser data and details about high-value hosts within the victim's network, is orchestrated through PowerShell commands.

Abuse of cloud services for malicious purposes is not unheard of, and WIP26's latest campaign shows threat actors' continued efforts to evade detection.

This isn't the first time a Middle Eastern telecom operator has come under surveillance by an espionage group. In December 2022, Bitdefender published details of a BackdoorDiplomacy operation that targeted local telecommunications companies and siphoned valuable data.
