Telecoms, IT providers attacked by new Chinese APT

SecurityWeek reports that telecommunications firms and IT service providers in the Middle East and Asia are being attacked by the Chinese advanced persistent threat group WIP19. According to a SentinelOne report, WIP19 has used numerous malware families, including SQLMaggie, ScreenCap, and a credential dumper, and has signed its malicious components with stolen certificates. Examination of the group's backdoors has led researchers to associate some of its components with the Chinese-speaking malware author WinEggDrop. WIP19 also likely stole the valid certificate it has been using to sign its malware and credential-harvesting tools from DEEPSoft Co., a messaging provider in South Korea. "The intrusions we have observed involved precision targeting and were low in volume. Specific user machines were hardcoded as identifiers in the malware deployed, and the malware was not widely proliferated. Further, the targeting of telecommunications and IT service providers in the Middle East and Asia suggests the motive behind this activity is espionage-related," said SentinelOne.
