Cloud Infrastructure Used By WIP26 For Espionage Attacks on Telcos
A new malicious actor dubbed “WIP26” by SentinelOne has been observed targeting telecommunication providers in the Middle East.
Describing the threat in a Thursday advisory, the security researchers said the team has been monitoring WIP26 with colleagues from QGroup GmbH.
“WIP26 is characterized by the abuse of public Cloud infrastructure – Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox – for malware delivery, data exfiltration, and [command and control] (C2) purposes,” wrote senior threat researcher Aleksandar Milenkoski from SentinelLabs, the SentinelOne security research arm.
The threat actor was observed initiating infection chains by precision-targeting employees through WhatsApp messages containing Dropbox links to a malware loader. The loader then deployed two backdoors, CMD365 and CMDEmber, which abuse the aforementioned cloud services.
“The main functionality of CMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command interpreter,” explained Milenkoski.
As for the use of public cloud infrastructure for C2, the security researcher said the tactic is intended to make malicious C2 traffic blend in with legitimate traffic to widely used services, making detection harder.
“The CMD365 and CMDEmber samples we observed masquerade as utility software, such as a PDF editor or browser, and as software that conducts update operations,” Milenkoski wrote. “The masquerading attempt involves the use of filenames, application icons, and digital signatures that indicate existing software vendors.”
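One defensive check against the masquerading described above is to compare each executable's Authenticode signature status and signer with the vendor named in its own version info; a file that claims a vendor it is not signed by, or whose signature does not validate, merits a closer look. This is an added example written for this article, not code from SentinelOne or the advisory, and the scan path and vendor-matching heuristic are assumptions.

```powershell
# Added example: flag executables whose Authenticode signature is not valid or
# whose signing certificate subject does not mention the vendor recorded in the
# file's version info (the "filenames, icons, and digital signatures" lure).
function Test-VendorSignatureConsistency {
    param(
        [Parameter(Mandatory)] [string] $Path   # directory to scan (assumed)
    )
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $company = $_.VersionInfo.CompanyName
            $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            # Any status other than Valid: NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            $statusProblem = $sig.Status -ne 'Valid'

            # Version info names a vendor, but the signer subject does not reflect it.
            # Heuristic (assumption): match on the first word of the vendor name so
            # suffixes such as "Inc." or "Corporation" do not cause false alarms.
            $vendorMismatch = $false
            if ($company -and $signer) {
                $token = ($company -split '[\s,]+')[0]
                $vendorMismatch = ($signer -notmatch [regex]::Escape($token))
            }

            if ($statusProblem -or $vendorMismatch) {
                [pscustomobject]@{
                    File           = $_.FullName
                    Status         = $sig.Status
                    CompanyName    = $company
                    Signer         = $signer
                    VendorMismatch = $vendorMismatch
                }
            }
        }
}

# Example invocation (assumed path): a user-writable location where a loader
# delivered via a messaging link would typically be saved and run from.
Test-VendorSignatureConsistency -Path "$env:LOCALAPPDATA\Temp" | Format-Table -AutoSize
```

Unsigned files will also be listed, so on a busy workstation triage signed-but-mismatched and HashMismatch results first.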
The SentinelLabs researcher added that considering its toolkit and tactics, WIP26 mainly focuses on espionage-related activities.
“The targeting of telecommunication providers in the Middle East suggests the motive behind this activity is espionage-related,” reads the advisory.
“Communication providers are frequent targets of espionage activity due to the sensitive data they hold. Finally, evidence suggests that once they established a foothold, the threat actor targeted users’ private information and specific networked hosts of high value.”
The SentinelOne advisory comes weeks after Trend Micro researchers shed light on a different campaign targeting entities in the Middle East.