Feb 16, 2023Ravie LakshmananCloud Security / Cyber Threat
Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected intelligence gathering mission.
Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former’s work-in-progress moniker WIP26.
“WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate,” researchers Aleksandar Milenkoski, Collin Farr, and Joey Chen said in a report shared with The Hacker News.
This includes the misuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control (C2) purposes.
The initial intrusion vector used in the attacks entails “precision targeting” of employees via WhatsApp messages that contain links to Dropbox links to supposedly benign archive files.
The files, in reality, harbor a malware loader whose core feature is to deploy custom .NET-based backdoors such as CMD365 or CMDEmber that leverage Microsoft 365 Mail and Google Firebase for C2.
“The main functionality of CMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command interpreter,” the researchers said. “This capability was used to conduct a variety of activities, such as reconnaissance, privilege escalation, staging of additional malware, and data exfiltration.”
CMD365, for its part, works by scanning the inbox folder for specific emails that begin with the subject line “input” to extract the C2 commands for execution on the infected hosts. CMDEmber, on the other hand, sends and receives data from the C2 server by issuing HTTP requests.
Transmitting the data – which comprises users’ private web browser information and details about high-value hosts in the victim’s network – to actor-controlled Azure instances is orchestrated by means of PowerShell commands.
Is Your Business Prepared for the Top SaaS 🛡️ Security Challenges of 2023? Learn How to Tackle Them – Join Our Webinar Now!
The abuse of cloud services for nefarious ends is not unheard of, and the latest campaign from WIP26 indicates continued attempts on the part of threat actors to evade detection.
This is not the first time telecom providers in the Middle East have come under the radar of espionage groups. In December 2022, Bitdefender disclosed details of an operation dubbed BackdoorDiplomacy aimed at a telecom company in the region to siphon valuable data.
Then earlier this month, Trend Micro disclosed a set of targeted phishing attacks mounted by a group called Earth Zhulong aimed at telecom, technology, and media sectors in Southeast Asia since 2020 to deploy a shellcode loader known as ShellFang and a backdoor named MACAMAX.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.