Emerging spy group targets telecommunication sector

Target Industry

Telecommunication sector.

Overview

An unknown threat actor group has been detected to have targeted employees within the telecommunications industry sector. The attacks have been classified as a cyber-espionage campaign, dubbed WIP26 by SentinelOne, against organisations located in the Middle East.

SentinelOne researchers reported that the threat cluster was observed to have used public cloud infrastructure as a command-and-control (C2) mechanism, as well as for storing exfiltrated data and delivering malware components.

The attacks are initiated via WhatsApp messaging directed towards the intended target. These messages contain a link to a Dropbox archive file, as well as a malware loader, the core feature of which is to deploy custom .NET-based backdoors, such as CMD365 or CMDEmber, that leverages Microsoft 365 Mail and Google Firebase.

Impact

The infection vectors implemented by the threat actor allow their attack efforts to apply defence evasion techniques, resulting in their activity being more difficult to identify. This is applied to enhance the stealth of the attack efforts.

Clicking on the link sent via the WhatsApp message will result in the installation of two backdoors on the target system which will allow the threat actor to initiate the intended stages of their designed attack chain. These include reconnaissance, elevating privileges, deployment of additional malware and the theft of the target’s private browser data, information on high-value systems on the victim’s network, and other data.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against backdoor malware. EDRs can alert system users of potential breaches and prevent further progress before the malware can cause significant damage.

Affected Products

No specific product versions have been reported at the time of writing.

Containment, Mitigations & Remediations

One method of reducing the threat of any backdoor malware is to detect it in the early stages through the utilisation of an effective and monitored EDR solution. An effective EDR will increase detection of malicious attempts of backdoor compromise and halt them if detected.

It is strongly recommended that employees receive training on how to detect markers of malicious links sent via direct messaging platforms. Regular in-house training will prove to be effective in reducing the potency of future campaigns.

Furthermore, the National Cyber Security Centre (NCSC) has provided a comprehensive list of general mitigation steps to implement to avoid successful exploitation by strains of malware, including backdoors.

Indicators of Compromise

WIP26 SHA-1 file hashes and associated executable names:

– B8313A185528F7D4F62853A44B64C29621627AE7: PDFelement.exe malware loader
– 8B95902B2C444BCDCCB8A481159612777F82BAD1: Update.exe
– 3E10A3A2BE17DCF8E79E658F7443F6C3C51F8803: EdgeUpdater.exe
– A7BD58C86CF6E7436CECE692DA8F78CEB7BA56A0: Launcher.exe
– 6B5F7659CE48FF48F6F276DC532CD458BF15164C: Update.exe

WIP26 domains:

– hxxps[://]gmall-52fb5-default-rtdb[.]asia-southeast1[.]firebasedatabase[.]app/
– hxxps[://]go0gle-service-default-rtdb[.]firebaseio[.]com/

WIP26 URLs:

– hxxps[://]graph[.]microsoft[.]com/beta/users/3517e816-6719-4b16-9b40-63cc779da77c/mailFoldershxxps[://]go0gle-service-default-rtdb[.]firebaseio[.]com/
– hxxps[://]www[.]dropbox[.]com/s/6a8u8wlpvv73fe4/
– hxxps[://]www[.]dropbox[.]com/s/hbc5yz8z116zbi9/
– hxxps[://]socialmsdnmicrosoft[.]azurewebsites[.]net/AAA/
– hxxps[://]socialmsdnmicrosoft[.]azurewebsites[.]net/ABB/
– hxxps[://]socialmsdnmicrosoft[.]azurewebsites[.]net/ABB/
– hxxps[://]socialmsdnmicrosoft[.]azurewebsites[.]net/AMA/
– hxxps[://]socialmsdnmicrosoft[.]azurewebsites[.]net/AS/
– hxxps[://]akam[.]azurewebsites[.]net/api/File/Upload

WIP26 IP address:

– 193.29.56[.]122

Threat Landscape

It has been reported that a substantial portion of the data that the backdoors have been collecting from target systems suggest that the threat actor is preparing for future attacks. The targeting of telecommunication providers in the Middle East indicates that the motive of the threat actor is espionage-related.

The emergence of the WIP26 threat cluster has followed an increasing number of recent cyber-attacks aimed at the telecommunications industry sector. Cyber security experts have noted that this trend indicates that there is a growing interest from threat actors in targeting the telecommunications sector, and who are aiming to steal customer data, or to hijack mobile devices via ‘SIM swapping’ schemes.

Moreover, several threat campaigns aimed towards the sector have been linked with APT groups located in China and Iran, whereby a telecommunication organisation’s network was intruded with the intention of spying on targets of interest and reporting the findings to the respective national governments.

Threat Group

The threat group associated with the reported cyber-espionage campaign is being tracked as ‘WIP26’. Due to the recent emergence of this group, limited data is currently available at this time. However, initial analysis has shown that the group is targeting telecommunication organisations in the Middle East and that it is characterised by the abuse of public cloud infrastructure (Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox) for the purposes of implementing their desired attack vectors.

Mitre Methodologies

Tactics:
TA0043 – Reconnaissance
TA0004 – Privilege Escalation
TA0005  – Defense Evasion
TA0011  – Command and Control
TA0010– Exfiltration

Further Information

Sentinel One Analysis
Red Packet Security Report
Dark Reading Article