Telecommunications and IT service providers in the Middle East and Asia are currently being targeted by a previously undocumented Chinese-speaking threat group dubbed WIP19.
“Throughout this activity, the threat actor abused the certificate to sign several malicious components,” SentinelLabs explained.
“Almost all operations performed by the threat actor were completed in a ‘hands-on keyboard’ fashion during an interactive session with compromised machines. This meant the attacker gave up on a stable C2 channel in exchange for stealth.
“The use of WinEggDrop-authored malware, stolen certificates and correlating TTPs [tactics, techniques and procedures] indicate possible links to Operation Shadow Force, as reported by TrendMicro and AhnLab,” SentinelLabs explained.
“As the toolset itself appears to be shared among several actors, it is unclear whether this is a new iteration of operation ‘Shadow Force’ or simply a different actor utilizing similar TTPs. The activity we observed, however, represents a more mature actor, utilizing new malware and techniques.”
Additionally, SentinelLabs linked an implant dubbed “SQLMaggie,” recently described by DCSO CyTec, to WIP19’s latest activity.
“SQLMaggie appears to be actively maintained and provides insights into the development timeline with hardcoded version names.”
The experts have no doubts about the attackers' motivation: this is another China-linked threat actor gathering intelligence through its operation.
IOCs

| SQLMaggie SHA1 | Real File Name |
|---|---|
| 4AABB34B447758A2C676D8AD49338C9E0F74A330 | sqlmaggieAntivirus_32.dll |
| 5796068CFD79FBA65394114BA0EDC8CC93EAE151 | sqlmaggieVS2008new_64.dll |
| 13BA1CFD66197B69A0519686C23BDEF17955C52E | sqlmaggieVS2008new_32.dll |
| CA25FCBA11B3B42D9E637132B5753C9B708BE6F0 | sqlmaggieVS2008new_64.dll |
| 26cbd3588b10cabc7c63492c82808104829e9ac0 | sqlmaggieAntiVirus_64.dll |
| 5e0291928e29db46386fd0bd85f269e967758897 | sqlmaggieVS2008new_64.dll |
| 96099015981559237a52a7d50a07143870728fd0 | sqlmaggieAntiVirus_64.dll |
| 7eb6e7d4e5bd5a34c602879cad0a26b35a3ca4fb | sqlmaggieVS2008new_32.dll |
| fe2e7c663913e0744822d1469be0c3655d24178d | sqlmaggieAntivirus_32.dll |
| b15bae6a8379a951582fc7767fa8490722af6762 | sqlmaggieAntiVirus_64.dll |
| c81de9a27f7e8890d30bd9f7ec0f705029b74170 | sql_epX64_MD.dll |
| 829df7b229220c56eedc5660e8f0e7f366fa271f | sqlmaggieAntivirus_32.dll |
| d02fce5d87ea1fe9fabe7ac52cae2439e8215121 | sqlmaggieAntivirus_32.dll |
| 1c6d0e8920af9139a8a9fe3d60b15cf01fb85461 | sqlmaggieAntiVirus_64.dll |
| 2cad0328863cb09a6b27414d5158075d69bfb387 | sqlmaggieAntiVirus_64.dll |
| 26c0722a1d16641d85b97594deea2a65399daef7 | sqlbackupAntiVirus_64.dll |
| 17ff9fc9ee72baaf8d66ef9b3ab6411c47384968 | sqlmaggieAntiVirus_64.dll |
| 5be50453f6e941c5c1dd20e0ba53e9abb6d00b68 | sqlmaggieVS2008new_32.dll |
| 56d326dfe7dcb1ce7cae2cb4c13819510fc9945c | sqlmaggieAntiVirus_64.dll |
| 253e702ff8201eec6fdf9630a39f5a8c28b132ed | xp_OAreateX64.dll |
| b91ab391a4e26e4ff0717cd989ad5ce7f6af235c | xp_OAreateX64.dll |
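A defender will usually want to sweep SQL Server hosts for the hashes and file names in the table above rather than compare them by eye. The script below is an added example, not code from SentinelLabs or from the original article; it embeds the published SHA1 values (normalized to lowercase, since the table mixes cases), hashes every file under a directory, and reports exact hash matches separately from weaker name-only matches. The `demo()` function creates a constructed, harmless sample file that merely carries one of the IOC names, so the script runs offline; the directory layout and sample content are assumptions for the demonstration.

```python
"""Sweep a directory for the SQLMaggie SHA1 and file-name IOCs listed above."""
import hashlib
import tempfile
from pathlib import Path

# SHA1 -> file name, copied from the IOC table above. The source lists some
# hashes in upper case and some in lower case, so every lookup is normalized.
SQLMAGGIE_SHA1 = {
    "4aabb34b447758a2c676d8ad49338c9e0f74a330": "sqlmaggieAntivirus_32.dll",
    "5796068cfd79fba65394114ba0edc8cc93eae151": "sqlmaggieVS2008new_64.dll",
    "13ba1cfd66197b69a0519686c23bdef17955c52e": "sqlmaggieVS2008new_32.dll",
    "ca25fcba11b3b42d9e637132b5753c9b708be6f0": "sqlmaggieVS2008new_64.dll",
    "26cbd3588b10cabc7c63492c82808104829e9ac0": "sqlmaggieAntiVirus_64.dll",
    "5e0291928e29db46386fd0bd85f269e967758897": "sqlmaggieVS2008new_64.dll",
    "96099015981559237a52a7d50a07143870728fd0": "sqlmaggieAntiVirus_64.dll",
    "7eb6e7d4e5bd5a34c602879cad0a26b35a3ca4fb": "sqlmaggieVS2008new_32.dll",
    "fe2e7c663913e0744822d1469be0c3655d24178d": "sqlmaggieAntivirus_32.dll",
    "b15bae6a8379a951582fc7767fa8490722af6762": "sqlmaggieAntiVirus_64.dll",
    "c81de9a27f7e8890d30bd9f7ec0f705029b74170": "sql_epX64_MD.dll",
    "829df7b229220c56eedc5660e8f0e7f366fa271f": "sqlmaggieAntivirus_32.dll",
    "d02fce5d87ea1fe9fabe7ac52cae2439e8215121": "sqlmaggieAntivirus_32.dll",
    "1c6d0e8920af9139a8a9fe3d60b15cf01fb85461": "sqlmaggieAntiVirus_64.dll",
    "2cad0328863cb09a6b27414d5158075d69bfb387": "sqlmaggieAntiVirus_64.dll",
    "26c0722a1d16641d85b97594deea2a65399daef7": "sqlbackupAntiVirus_64.dll",
    "17ff9fc9ee72baaf8d66ef9b3ab6411c47384968": "sqlmaggieAntiVirus_64.dll",
    "5be50453f6e941c5c1dd20e0ba53e9abb6d00b68": "sqlmaggieVS2008new_32.dll",
    "56d326dfe7dcb1ce7cae2cb4c13819510fc9945c": "sqlmaggieAntiVirus_64.dll",
    "253e702ff8201eec6fdf9630a39f5a8c28b132ed": "xp_OAreateX64.dll",
    "b91ab391a4e26e4ff0717cd989ad5ce7f6af235c": "xp_OAreateX64.dll",
}

# File names from the same table, lower-cased for a case-insensitive check
# (Windows paths are case-insensitive, and the list itself mixes "Antivirus"
# and "AntiVirus"). A name match alone is a weaker signal than a hash match.
SQLMAGGIE_NAMES = {name.lower() for name in SQLMAGGIE_SHA1.values()}


def normalize_sha1(digest: str) -> str:
    """Strip whitespace and lower-case a hex digest so lookups are case-insensitive."""
    return digest.strip().lower()


def lookup_hash(digest: str):
    """Return the IOC file name for a SHA1 digest, or None if it is not listed."""
    return SQLMAGGIE_SHA1.get(normalize_sha1(digest))


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA1 so large binaries are not read into memory at once."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path):
    """Walk root and report files whose hash or name appears in the IOC list.

    Returns a list of (path, reason) tuples: reason is "hash" for an exact
    SHA1 match and "name" for a file-name match with an unknown hash.
    """
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if sha1_of_file(path) in SQLMAGGIE_SHA1:
            hits.append((str(path), "hash"))
        elif path.name.lower() in SQLMAGGIE_NAMES:
            hits.append((str(path), "name"))
    return hits


def demo():
    """Constructed sample: two harmless files in a temp dir, one carrying an IOC name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed placeholder content, not the implant; only the name matches.
        (root / "sqlmaggieAntiVirus_64.dll").write_bytes(b"constructed sample bytes")
        (root / "readme.txt").write_bytes(b"nothing to see here")
        return [(Path(p).name, reason) for p, reason in scan_directory(root)]


if __name__ == "__main__":
    print(demo())
```

In a real sweep, point `scan_directory` at the SQL Server binaries directory and any path where extended stored procedure DLLs are registered; treat a "hash" hit as confirmed and a "name" hit as something to pull for analysis, since a renamed or recompiled sample would evade the hash list but not necessarily the name check.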