Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected intelligence gathering mission.
Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former’s work-in-progress moniker WIP26.
“WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate,” researchers Aleksandar Milenkoski, Collin Farr, and Joey Chen said in a report shared with The Hacker News.
This includes the misuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control (C2) purposes.
The initial intrusion vector used in the attacks entails “precision targeting” of employees via WhatsApp messages that contain links to Dropbox links to supposedly benign archive files.
The files, in reality, harbor a malware loader whose core feature is to deploy custom .NET-based backdoors such as CMD365 or CMDEmber that leverage Microsoft 365 Mail and Google Firebase for C2.
“The main functionality of CMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command interpreter,” the researchers said. “This capability was used to conduct a variety of activities, such as reconnaissance, privilege escalation, staging of additional malware, and data exfiltration.”
CMD365, for its part, works by scanning the inbox folder for specific emails that begin with the subject line “input” to extract the C2 commands for execution on the infected hosts. CMDEmber, on the other hand, sends and receives data from the C2 server by issuing HTTP requests.
Transmitting the data – which comprises users’ private web browser information and details about high-value hosts in the victim’s network – to actor-controlled Azure instances is orchestrated by means of PowerShell commands.
This is not the first time telecom providers in the Middle East have come under the radar of espionage groups. In December 2022, Bitdefender disclosed details of an operation dubbed BackdoorDiplomacy aimed at a telecom company in the region to siphon valuable data.