To keep a low profile, the attacker relied on a stable command-and-control (C2) channel for covert communication.
According to the report, WIP19 uses some components developed by WinEggDrop as a part of the attack. Since 2014, WinEggDrop has created malware tools employed by a variety of threat groups.
Notably, the stolen certificate was used to sign all of the credential-harvesting tools employed by the threat actor.
Types of Tools Used
The group mounts its intrusions with a bespoke set of tooling. The report lists the following tools used in the course of its attacks:
- Credential dumper
- Network scanner
- Browser stealer
- Keylogger & Screen Recording (ScreenCap)
- Extended stored procedure backdoor for Microsoft SQL Server (SQLMaggie)
Unlike the other tools in the set, SQLMaggie runs inside Microsoft SQL Server as an extended stored procedure, giving the operator a way to execute arbitrary commands simply by issuing SQL queries.
The commands a given build of the backdoor supports vary with the targeted environment. SQLMaggie also appears to be either exclusive to the group or sold privately.
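A defender reading this will want a way to check a SQL Server instance for the same kind of foothold. The following T-SQL hunt is an added example written for this page, not code from the SentinelOne report or from the WIP19 toolset. It assumes only the standard `sys.extended_procedures` catalog view; the suspicious-path patterns in the CASE expression are an assumed heuristic, not indicators taken from the report.

```sql
-- Added hunting query for this page (not from the WIP19 report):
-- enumerate every extended stored procedure (XP) registered in master
-- that Microsoft did not ship, together with the DLL that backs it.
-- An XP is how a DLL such as SQLMaggie gets loaded into sqlservr.exe
-- and exposed as something callable from a plain SQL query.
USE master;

SELECT
    xp.name                          AS procedure_name,
    xp.dll_name                      AS backing_dll,
    xp.create_date,
    xp.modify_date,
    -- Assumed heuristic, not an indicator from the report: a DLL living
    -- outside the instance's Binn directory (temp, profile, UNC share)
    -- is unusual for a legitimate XP and worth pulling for analysis.
    CASE
        WHEN xp.dll_name LIKE '\\%'             THEN 'UNC path'
        WHEN xp.dll_name LIKE '%\Temp\%'        THEN 'temp directory'
        WHEN xp.dll_name LIKE '%\Users\%'       THEN 'user profile'
        WHEN xp.dll_name LIKE '%\ProgramData\%' THEN 'ProgramData'
        WHEN xp.dll_name NOT LIKE '%\Binn\%'    THEN 'outside Binn'
        ELSE 'expected location'
    END                              AS path_assessment
FROM sys.extended_procedures AS xp
WHERE xp.is_ms_shipped = 0      -- Microsoft's own XPs (xp_cmdshell etc.) are excluded
ORDER BY xp.create_date DESC;
```

Any row you cannot account for deserves attention: registering an extended stored procedure requires the sysadmin role, so its mere presence implies the instance was already compromised at an administrative level. Capture the backing DLL before unregistering the procedure with `EXEC sp_dropextendedproc 'name';`, because the file is the artifact that tells you which commands the backdoor actually supported.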
Viewed through the lens of WIP19, Chinese espionage is clearly being conducted across a much broader range of industries, critical infrastructure sectors in particular.