A new threat cluster that is being tracked by SentinelLabs as WIP19 has been targeting telecommunications providers, according to new reports by security experts. WIP19 uses a legitimate, stolen digital certificate issued by DEEPSoft, a Korean messaging solutions company. The recent targets have been in the Middle East and Asia, the cybersecurity form reports. Security researchers reported that the attackers are focused on stealth, and gave up on a stable C2 channel in exchange for it.
SentintelLabs has also released an analysis of the backdoors utilized during the attacks and suggests that some of the components used by WIP19 were created by a well-known Chinese speaking malware author called WinEggDrop. The malware author has been developing tools for hacking groups since 2014. SentinelLabs also linked an implant that is called SQLMaggie to the latest WIP19 attacks.