IT service providers and telecommunications firms have been the targets of signed malware from a recently discovered cyber espionage organization based in China.
SentinelOne tracks this advanced persistent threat (APT) as WIP19. Its operations overlap with Operation Shadow Force, but it is uncertain whether this is a new iteration of Operation Shadow Force or the work of a different, more experienced adversary using modern malware and methodologies. WIP19 uses several malicious components signed with stolen certificates, primarily targeting organizations in the Middle East and Asia. The group has been observed using malware families including ScreenCap, SQLMaggie, and a credential dumper.
“Our analysis of the backdoors utilized, in conjunction with pivoting on the certificate, suggests portions of the components used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who has created tools for a variety of groups and has been active since 2014,” says SentinelOne.
The valid certificate WIP19 has been using to sign its malware was issued to the Korean messaging company DEEPSoft Co. and, given that it was previously used to sign legitimate software, was most likely stolen by the threat actor. According to SentinelOne, all of the threat actor’s credential-harvesting tools were signed with the stolen certificate, including a password dumper that uses open-source code to load an SSP into LSASS and dump the process.
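A defender-side check that follows from the SSP-loading and stolen-certificate points above, as an added example that is not from SentinelOne’s report: it enumerates the Security Packages LSASS loads at boot and reports each DLL’s Authenticode signer, since a signature that validates but chains to a non-Microsoft subject is exactly what a stolen certificate produces. It assumes the standard LSA registry locations and an assumed baseline of built-in package names that you should adjust to your image.

```powershell
# Added example (not SentinelOne's code): audit registered LSA Security Packages.
# Assumes default registry paths and that built-in SSP DLLs live in System32.
$LsaKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)
# Assumed baseline of package names on a default Windows install; tune per build.
$Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', 'negoexts')

$Findings = foreach ($Key in $LsaKeys) {
    $Packages = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'Security Packages'
    # Some builds store an empty quoted string; skip blanks.
    foreach ($Name in (@($Packages) | Where-Object { $_ -and $_.Trim() -ne '' -and $_ -ne '""' })) {
        $Dll = Join-Path $env:SystemRoot "System32\$Name.dll"
        $Sig = if (Test-Path $Dll) { Get-AuthenticodeSignature -FilePath $Dll } else { $null }
        $Signer = if ($Sig -and $Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '<none>' }
        [PSCustomObject]@{
            Key        = $Key
            Package    = $Name
            Path       = $Dll
            Exists     = (Test-Path $Dll)
            SigStatus  = if ($Sig) { $Sig.Status } else { 'NotFound' }
            Signer     = $Signer
            # Flag unknown package names and, separately, signatures that are
            # valid but not from Microsoft: a stolen third-party certificate
            # passes the Status check yet fails the signer check.
            Suspicious = ($Baseline -notcontains $Name.ToLower()) -or
                         ($Signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

$Findings | Format-Table -AutoSize
$Findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Review SSP '$($_.Package)' ($($_.Path)): status=$($_.SigStatus) signer=$($_.Signer)"
}
```

Run it elevated on a known-good build first to confirm the baseline, then compare against hosts under investigation; a package that is absent from the baseline or signed by an unexpected organization warrants manual review of the DLL.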
Additionally, WIP19 was found to load a keylogger and a screen recorder via DLL search order hijacking. The keylogger focuses on the victim’s browser, where it collects passwords and other sensitive data. The ScreenCap malware linked to the APT performs several checks against the victim’s machine name, indicating that it was customized for each victim individually.
“This does not prevent the actor from re-signing each of the payloads with the DEEPSoft certificate, proving the actors have direct access to the stolen certificate,” SentinelOne notes.
The SQLMaggie backdoor was observed disguising itself as a legitimate DLL registered with the MSSQL server, giving the attackers access to the server system and allowing them to conduct network reconnaissance. SentinelOne also found that each backdoor version may support a different set of commands, depending on the targeted environment. Because no publicly accessible code exists for it, SQLMaggie appears to be either exclusive to the group or sold privately.
Given the parallels with Operation Shadow Force through WinEggDrop, and noting that the security firm uses the WIPxx (work-in-progress) designation for unattributed clusters of activity, it is quite likely that this APT is Chinese in origin.