New Threat Actor WIP26 Targeting Telecom Service Providers in the Middle East

Share This Post

Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected espionage-related campaign.

Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former’s work-in-progress moniker WIP26.

“WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate,” researchers Aleksandar Milenkoski, Collin Farr, and Joey Chen said in a report shared with The Hacker News.

This includes the misuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control (C2) purposes.

The initial intrusion vector used in the attacks entails “precision targeting” of employees via WhatsApp messages that contain links to Dropbox links to supposedly benign archive files.

The files, in reality, harbor a malware loader whose core feature is to deploy custom .NET-based backdoors such as CMD365 or CMDEmber that leverage Microsoft 365 Mail and Google Firebase for C2.

“The main functionality of CMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command interpreter,” the researchers said. “This capability was used to conduct a variety of activities, such as reconnaissance, privilege escalation, staging of additional malware, and data exfiltration.”

CMD365, for its part, works by scanning the inbox folder for specific emails that begin with the subject line “input” to extract the C2 commands for execution on the infected hosts. CMDEmber, on the other hand, sends and receives data from the C2 server by issuing HTTP requests.

Transmitting the data – which comprises users’ private web browser information and details about high-value hosts in the victim’s network – to actor-controlled Azure instances is orchestrated by means of PowerShell commands.

The abuse of cloud services for nefarious ends is not unheard of, and the latest campaign from WIP26 indicates continued attempts on the part of threat actors to evade detection.

This is also not the first time telecom providers in the Middle East have come under the radar of espionage groups. In December 2022, Bitdefender disclosed details of an operation dubbed BackdoorDiplomacy aimed at a telecom company in the region to siphon valuable data.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

The Hacker News

Read More

More Articles
Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.
Article

BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .