The activities of this advanced persistent threat (APT), which SentinelOne tracks as WIP19, show overlaps with Operation Shadow Force, but it is unclear whether this is a new iteration of the campaign or the work of a different, more mature adversary using new malware and techniques.
Mainly focused on entities in the Middle East and Asia, WIP19 is using stolen certificates to sign several malicious components. To date, the group was observed using malware families such as ScreenCap, SQLMaggie, and a credential dumper.
“Our analysis of the backdoors utilized, in conjunction with pivoting on the certificate, suggest portions of the components used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who has created tools for a variety of groups and has been active since 2014,” SentinelOne says.
The valid certificate that WIP19 has been using to sign its malware was issued to Korean messaging provider DEEPSoft Co. and was likely stolen by the threat actor, given that it was also used to sign legitimate software in the past.
According to SentinelOne, all of the threat actor’s credential harvesting tools were signed using the stolen certificate, including a password dumper relying on open source code to load an SSP to LSASS and dump the process.
WIP19 was also observed relying on DLL search order hijacking to load a keylogger and a screen recorder. The keylogger mainly targets the victim’s browser, to harvest credentials and other sensitive information.
The ScreenCap malware attributed to the APT performs a series of checks that involve the victim’s machine name, which suggests that it was specifically tailored for each victim.
“This does not prevent the actor from re-signing each of the payloads with the DEEPSoft certificate, proving the actors have direct access to the stolen certificate,” SentinelOne notes.
In attacks employing SQLMaggie, the backdoor was seen masquerading as a legitimate DLL that is registered to the MSSQL Server to provide the attackers with control over the server machine, to perform network reconnaissance.
SentinelOne also discovered that each version of the backdoor may support different commands, based on the targeted environment. SQLMaggie appears to be exclusive to the group or sold privately, as no portions of its code can be found publicly.
The security firm, which uses the WIPxx (work-in-progress) designation for unattributed clusters of activity, says it is highly likely that this APT is of Chinese origin, given the overlaps with Operation Shadow Force through WinEggDrop.
“The intrusions we have observed involved precision targeting and were low in volume. Specific user machines were hardcoded as identifiers in the malware deployed, and the malware was not widely proliferated. Further, the targeting of telecommunications and IT service providers in the Middle East and Asia suggest the motive behind this activity is espionage-related,” SentinelOne notes.