New Threat Actor WIP26 Targeting Telecom Service Providers in the Middle East
2023-02-16 10:59

Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected espionage-related campaign.

.NET-based backdoors such as CMD365 or CMDEmber that leverage Microsoft 365 Mail and Google Firebase for C2. "The main functionality of CMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command interpreter," the researchers said.

Transmitting the data - which comprises users' private web browser information and details about high-value hosts in the victim's network - to actor-controlled Azure instances is orchestrated by means of PowerShell commands.

The abuse of cloud services for nefarious ends is not unheard of, and the latest campaign from WIP26 indicates continued attempts on the part of threat actors to evade detection.

This is also not the first time telecom providers in the Middle East have been targeted by espionage groups.

In December 2022, Bitdefender disclosed details of an operation dubbed BackdoorDiplomacy aimed at a telecom company in the region to siphon valuable data.


News URL

https://thehackernews.com/2023/02/new-threat-actor-wip26-targeting.html