WIP26: a new threat actor targeting telecom service providers
A new threat actor, dubbed WIP26 by the security firm SentinelOne, has recently been identified targeting government agencies and telecommunication service providers in the United States.
WIP26 uses multiple tactics, techniques and procedures (TTPs) to infiltrate victim networks, including exploiting vulnerable services, planting malware and using stolen credentials. The actor has been linked to other malicious actors, including APTs and ransomware groups, and is suspected of being part of a larger criminal enterprise.
The actor has been observed using AWS, Google Cloud Platform and other cloud services as part of its operations.
It has also used several techniques to stay undetected and evade defences, such as registering malicious domains, obfuscating malicious code and using legitimate services as infrastructure.
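As an added example that is not from this page or from SentinelOne's report, the following Python heuristic scans proxy-log lines for requests to subdomains of shared cloud platforms whose label imitates a well-known brand, which is the naming pattern the report's indicators show (lookalike labels hosted on Firebase and Azure Websites). The suffix list, brand list, log format and sample log lines are assumptions constructed for the example.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple
# Shared hosting suffixes anyone can register a label under (assumption, matching the report's platforms).
SHARED_HOSTING_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app", ".azurewebsites.net")
BRANDS = ("google", "gmail", "microsoft", "msdn", "dropbox")  # brands a label may imitate (assumption)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit-for-letter swaps
# Constructed proxy-log format: "<timestamp> <client-ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/:\s]+)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonated_brand(host: str) -> Optional[str]:
    """Return the brand a shared-hosting subdomain label imitates, or None."""
    host = host.lower()
    for suffix in SHARED_HOSTING_SUFFIXES:
        if not host.endswith(suffix):
            continue
        label = host[: -len(suffix)].translate(HOMOGLYPHS)  # "go0gle-..." -> "google-..."
        for brand in BRANDS:
            if brand in label:  # brand embedded in the label, e.g. "socialmsdnmicrosoft"
                return brand
            for token in re.split(r"[-.]", label):  # one-character typos, e.g. "gmall" ~ "gmail"
                if len(token) >= 4 and levenshtein(token, brand) == 1:
                    return brand
    return None

def scan_proxy_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client_ip, host, brand) for requests to brand-imitating cloud subdomains."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and (brand := impersonated_brand(m["host"])):
            yield m["src"], m["host"], brand

# Constructed sample log lines; the hostnames follow the naming pattern of the report's indicators.
SAMPLE_LOG = [
    "2023-02-16T10:01:02Z 10.0.4.21 GET https://go0gle-service-default-rtdb.firebaseio.com/cmd.json",
    "2023-02-16T10:01:05Z 10.0.4.21 PUT https://gmall-52fb5-default-rtdb.asia-southeast1.firebasedatabase.app/out.json",
    "2023-02-16T10:02:10Z 10.0.4.33 POST https://socialmsdnmicrosoft.azurewebsites.net/AAA/",
    "2023-02-16T10:03:00Z 10.0.4.40 GET https://inventory-prod-7f1a.firebaseio.com/stock.json",  # benign
]
for client, host, brand in scan_proxy_log(SAMPLE_LOG):
    print(f"{client} -> {host} (imitates {brand})")
```

The heuristic only inspects labels under the listed shared-hosting suffixes, so ordinary first-party domains such as www.google.com are never flagged; tune the brand list and the minimum token length to your own environment's false-positive rate.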
Indicators of Compromise