A new cyberespionage group has been hitting telecom companies and IT service providers with signed malware. The group, tracked as WIP19, resembles Operation Shadow Force in specific ways. SentinelOne reports that WIP19 is concentrated on organizations in the Middle East and Asia.
Background
The group signs malicious components with stolen certificates. So far it has employed a variety of malware, including a credential dumper, the ScreenCap keylogger and screen recorder, and the SQLMaggie backdoor. It relies on DLL search order hijacking to load the keylogger and screen recorder, and the keylogger targets the victim's browser to collect logins and other private information.
Analysis
Use of stolen certificates:
WIP19 has been seen signing malware with a legitimate digital certificate issued to the Korean messaging solutions provider DEEPSoft Co., Ltd. The threat actor used the certificate to sign a number of malware components, some of which were built specifically for particular targets. Because DEEPSoft had previously used the same certificate to sign legitimate software, it was very likely stolen.
Some of the components used by WIP19 were written by WinEggDrop, a well-known Chinese-speaking malware author who has been active since 2014 and has written tools for a number of parties. Since WinEggDrop's malware is used by several threat clusters, it is plausible that WIP19 also uses related toolkits from the same author.
Links to other APT groups:
According to TrendMicro and AhnLab, the use of malware created by WinEggDrop, stolen certificates, and related TTPs suggests a likely connection to Operation Shadow Force. Because the toolset appears to be shared among numerous actors, it is unclear whether this is a new iteration of Operation Shadow Force or a different actor using the same TTPs. Either way, the observed activity shows a highly experienced attacker using modern malware and methods.
Tools Used
Like many other components WIP19 uses, all of its credential harvesting tools, which largely consist of password dumpers, were signed with the DEEPSoft certificate. The threat actor's primary dumper loads an SSP into LSASS and then dumps the process using open-source projects. It consists of two parts, a loader and a dumper. In many of the observed intrusions the dumper was run via WMIEXEC.
Loader:
The loader component of the dumper is a signed EXE; its embedded PDB path shows it is internally named "ssp rpc loader". As the name implies, the loader uses RPC to load a malicious DLL, passed to it as an argument, into LSASS as a Security Support Provider (SSP).
The SSP actually loaded is NanoDump, which runs inside LSASS and generates a minidump of the process. Loading as an SSP is a built-in feature of NanoDump: the DLL is registered with LSASS through the AddSecurityPackage API, and once inside the process NanoDump writes the minidump itself rather than calling MiniDumpWriteDump, which is why dump-API-based detections miss it.
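The following hunt is added here as an example; it is not code from the SentinelOne report or from WIP19's tooling. It checks the three places the SSP technique above leaves traces, and it also serves the stolen-certificate point from the Analysis section: the registry values LSASS reads at boot, the modules actually loaded into LSASS (where, as with the DEEPSoft-signed components, a valid Authenticode signature from the wrong signer is the tell), and the Security log events LSA writes when a package is loaded. The baseline package list and the position of the package name in the event properties are assumptions to verify against the build under review.

```powershell
# Added hunting example; not code from the SentinelOne report or from WIP19's tooling.
# Run in an elevated PowerShell session on the host under review.

# Baseline of SSP names a stock Windows build loads (an assumption; tune per build).
$BaselineSsp = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', 'negoexts'

function Get-PersistedSspEntries {
    # Packages listed here are loaded by LSASS at boot. An attacker who wants an SSP to
    # survive a reboot adds it here; a one-shot AddSecurityPackage load leaves these untouched,
    # so an empty result from this function alone proves nothing.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($key in @($lsa, "$lsa\OSConfig")) {
        $value = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($entry in @($value)) {
            if ($entry -and $entry -ne '""') {
                [pscustomobject]@{ Key = $key; Package = $entry; InBaseline = ($BaselineSsp -contains $entry) }
            }
        }
    }
}

function Get-LsassForeignModules {
    # A valid Authenticode signature is not a trust decision: WIP19's components carried a
    # valid DEEPSoft signature. Flag every module in LSASS whose signer is not Microsoft.
    # Module enumeration is denied when LSASS runs as PPL (RunAsPPL); fall back to the event log.
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    try { $modules = $lsass.Modules } catch { Write-Warning "Cannot enumerate LSASS modules: $_"; return }
    foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{ Module = $m.ModuleName; Path = $m.FileName; Status = $sig.Status; Signer = $signer }
        }
    }
}

function Get-SspLoadEvents {
    param([int]$MaxEvents = 50)
    # 4622 = security package loaded by LSA, 4610 = authentication package loaded by LSA.
    # Both require the "Audit Security System Extension" subcategory to be enabled.
    # Assumption: the package name (or path) is the first event property.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4610, 4622 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $pkg = [string]$_.Properties[0].Value
            $known = [bool]($BaselineSsp | Where-Object { $pkg -match [regex]::Escape($_) })
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Package = $pkg; InBaseline = $known }
        }
}

Get-PersistedSspEntries | Where-Object { -not $_.InBaseline } | Format-Table -AutoSize
Get-LsassForeignModules | Format-Table -AutoSize
Get-SspLoadEvents       | Where-Object { -not $_.InBaseline } | Format-Table -AutoSize
```

The module check is the one that catches the DEEPSoft case: the file passes signature validation, so a policy of "signed is fine" would wave it through, and only the signer identity gives it away. Expect a handful of legitimate third-party entries (credential providers, some EDR agents) in the module and event output; the point is to baseline them once and treat anything new as an incident lead.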
Screencap:
WIP19 has been seen using DLL search order hijacking of explorer.exe to load a component internally named ScreenCapDll_x64 for keylogging and screen recording. Because the ScreenCap malware performs checks involving the victim's machine name, it appears to be built uniquely for each deployment.
The keylogging feature focuses on the user's browser. The malware identifies the browser and records each keystroke to an .ax file in its working directory. By default it keylogs Internet Explorer, but it also supports Chrome and Opera, two other widely used browsers.
Recording the user's screen alongside keylogging is a rather uncommon TTP. Like keylogging, it helps the actor gather credentials and gain access to private data. The malware records the screen 30 times, for a total of 1,296,000 milliseconds (about 21.6 minutes), and saves the results as .avi files in the directory it is running from.
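Two observable artifacts follow from the ScreenCap description: a DLL that explorer.exe loaded from somewhere other than the location Windows would normally resolve it to, and .ax and .avi files beside that DLL. The hunt below is added as an example and is not code from the SentinelOne report or from the malware; the function names, the WinSxS exclusion and the decision to search only the flagged directories are my own choices.

```powershell
# Added hunting example; not code from the SentinelOne report or from WIP19's tooling.
# Run elevated so that the modules of every explorer.exe instance can be read.

function Get-SearchOrderHijackCandidates {
    param([string]$ProcessName = 'explorer')
    # explorer.exe lives in %SystemRoot%, so a DLL dropped next to it is found before the
    # copy in System32 for any name not pinned by KnownDLLs. Flag a module when a DLL of the
    # same name exists in System32 but the loaded copy came from elsewhere (WinSxS redirection
    # excluded, it is legitimate), or when the module is not signed by Microsoft.
    $sys32  = Join-Path $env:SystemRoot 'System32'
    $winsxs = Join-Path $env:SystemRoot 'WinSxS'
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        foreach ($m in $proc.Modules) {
            $dir = Split-Path -Path $m.FileName -Parent
            $shadows = (($dir -ne $sys32) -and
                        -not $dir.StartsWith($winsxs, [System.StringComparison]::OrdinalIgnoreCase) -and
                        (Test-Path -LiteralPath (Join-Path $sys32 $m.ModuleName)))
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $msSigned = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
            if ($shadows -or -not $msSigned) {
                [pscustomobject]@{
                    ProcessId       = $proc.Id
                    Module          = $m.ModuleName
                    Path            = $m.FileName
                    ShadowsSystem32 = $shadows
                    MicrosoftSigned = $msSigned
                }
            }
        }
    }
}

function Find-CaptureArtifacts {
    param([string[]]$Directory)
    # ScreenCap writes keystrokes to .ax files and screen recordings to .avi files in the
    # directory it runs from, so look beside each suspicious module. Legitimate DirectShow
    # filters in System32 also use the .ax extension, which is why only flagged directories
    # are searched rather than the whole volume.
    foreach ($d in ($Directory | Sort-Object -Unique)) {
        Get-ChildItem -Path (Join-Path $d '*') -Include '*.ax', '*.avi' -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

$candidates = @(Get-SearchOrderHijackCandidates)
$candidates | Format-Table -AutoSize
if ($candidates.Count -gt 0) {
    Find-CaptureArtifacts -Directory ($candidates | ForEach-Object { Split-Path -Path $_.Path -Parent }) |
        Format-Table -AutoSize
}
```

Third-party shell extensions will show up as not Microsoft-signed; those are review items, not findings. The combination that matters is ShadowsSystem32 set together with a non-Microsoft signer, or a flagged directory that also contains fresh .ax or .avi files.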
SQLMaggie:
SQLMaggie masquerades as a DLL that implements extended stored procedures for an MSSQL Server. It is deployed by registering the DLL in an MSSQL server with the sp_addextendedproc stored procedure, which requires sysadmin rights. Once the DLL is registered, the threat actor has full control of the server host and can use the backdoor to conduct internal network reconnaissance.
Unlike some of the other components, which can be found in public open-source repositories, neither the source code nor the executable of SQLMaggie appears to be publicly available. This suggests that WinEggDrop's tool is either sold or used privately.
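Because sp_addextendedproc leaves a catalog entry behind, the registration the page describes can be audited from T-SQL. The script below is an added example, not code from the SentinelOne report or from SQLMaggie; the server name, the connection string and the function name are assumptions, and it is written to run on the SQL Server host so that the registered DLL can be checked on disk.

```powershell
# Added example; not code from the SentinelOne report or from SQLMaggie itself.
# Assumptions: runs on the SQL Server host, with a login holding VIEW ANY DEFINITION on
# master (or sysadmin); the server name below is a placeholder.
$ConnectionString = 'Server=localhost;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=True'

# The registration the report describes (sysadmin only) is the pattern being hunted, e.g.:
#   EXEC master.dbo.sp_addextendedproc 'xp_somename', 'C:\path\to\backdoor.dll'

function Get-UserExtendedProcedures {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # sys.extended_procedures is derived from sys.objects, which lists user-defined objects
    # only, so the built-in xp_* procedures do not appear here: every row came from
    # sp_addextendedproc (is_ms_shipped = 0 is kept as a belt-and-braces filter). A relative
    # dll_name resolves against the instance's Binn directory; an absolute path elsewhere is
    # the strongest signal, and the signer of that DLL should be checked, not just its validity.
    $query = @"
SELECT name, dll_name, create_date, modify_date
FROM master.sys.extended_procedures
WHERE is_ms_shipped = 0;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $dll = [string]$reader['dll_name']
            $rooted = [IO.Path]::IsPathRooted($dll)
            $onDisk = if ($rooted) { Test-Path -LiteralPath $dll } else { 'relative to Binn' }
            $signer = $null
            if ($rooted -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $signer = if ($sig.SignerCertificate) { "$($sig.Status): $($sig.SignerCertificate.Subject)" } else { 'unsigned' }
            }
            [pscustomobject]@{
                Name     = $reader['name']
                Dll      = $dll
                Created  = $reader['create_date']
                Modified = $reader['modify_date']
                OnDisk   = $onDisk
                Signer   = $signer
            }
        }
        $reader.Close()
    } finally { $conn.Close() }
}

Get-UserExtendedProcedures -ConnectionString $ConnectionString | Format-Table -AutoSize
```

On most production instances this query should return nothing at all, which makes any row easy to triage: a DLL the DBA cannot account for, a create_date that lines up with other suspicious activity, or a non-Microsoft signer on the file. The registered DLL is loaded into sqlservr.exe, so its signer can also be checked there like any other loaded module, and the registration itself can be recovered from the SQL Server audit or default trace if those are enabled.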
WIP19 APT Motivation
The few intrusions observed used precision targeting: the malware was not widely distributed and carried hardcoded identifiers for particular victim machines. Together with the targeting of telecom and IT service providers in the Middle East and Asia, this suggests that espionage is the motivation behind the operation. Communications providers are frequent espionage targets because of the types and quantity of sensitive data they hold.