Keypoints
- WIP26 targeted telecommunication employees with precisely targeted WhatsApp messages linking to Dropbox-hosted archives that contained a malware loader (PDFelement.exe).
- The loader installs backdoors CMD365 (Update.exe, EdgeUpdater.exe) and CMDEmber (Launcher.exe, Update.exe) which execute attacker-provided system commands via the Windows command interpreter.
- CMD365 uses the Microsoft Graph API to authenticate to a Microsoft 365 Mail inbox with hardcoded credentials, creates a machine-specific mailbox folder, and polls for emails with subjects starting with “Input” as C2.
- CMDEmber connects to Google Firebase Realtime Database instances (e.g., gmall-52fb5-default-rtdb…, go0gle-service-default-rtdb…) to exchange JSON-formatted commands and results tied to unique machine identifiers.
- Data collection included browser data and host reconnaissance; exfiltration was performed via PowerShell to Microsoft Azure endpoints (socialmsdnmicrosoft.azurewebsites[.]net, akam.azurewebsites[.]net) and malware hosting used Dropbox and Azure sites.
- Additional tooling included Chisel (masquerading as Media Player Classic) to create a TCP-over-HTTP tunnel from IP 193.29.56[.]122; malicious binaries masqueraded as legitimate applications and carried invalid digital signatures to evade detection, and persistence was achieved through a scheduled task named MicrosoftUpdatesA.
MITRE Techniques
- [T1566.002] Spearphishing Link – WIP26 initiated access through targeted WhatsApp messages with Dropbox links to an archive containing a loader; “precision targeting of employees through WhatsApp messages that contain Dropbox links to a malware loader.”
- [T1102] Web Service – CMD365 and CMDEmber use public cloud services as C2 channels via Microsoft Graph API and Firebase; “backdoors… abuse Microsoft 365 Mail and Google Firebase services for C2 purposes.”
- [T1053.005] Scheduled Task/Job – The loader establishes persistence by creating a scheduled task that runs the backdoor at startup; “creates a scheduled task named MicrosoftUpdatesA that executes CMD365 at system startup for persistence.”
- [T1036] Masquerading – Binaries impersonate legitimate utilities or updaters with misleading filenames/icons/signatures to evade detection; “masquerade as utility software, such as a PDF editor or browser, and as software that conducts update operations.”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Both backdoors execute attacker-provided system commands via cmd.exe; “execute attacker-provided system commands using the Windows command interpreter.”
- [T1078.004] Valid Accounts: Cloud Accounts – CMD365 signs in to an attacker-controlled Microsoft 365 mailbox with valid account credentials embedded in the malware (T1552.001 does not apply: that technique covers credentials an adversary finds in files on a victim system, not credentials the adversary ships inside its own tooling); “authenticate itself to a Microsoft 365 Mail inbox using valid credentials that are hardcoded in the malware.”
- [T1567] Exfiltration Over Web Service – Collected data (browser data, reconnaissance) was pushed with PowerShell to an upload API on an attacker-controlled Azure web app, a channel separate from the Microsoft 365 and Firebase C2 channels; “data exfiltration was orchestrated through the execution of PowerShell commands to transport key data to Microsoft Azure instances.”
- [T1090] Proxy – The actor used Chisel to tunnel TCP over HTTP through an external IP for access; “create a TCP tunnel over HTTP from the IP address 193.29.56[.]122.”
- [T1005] Data from Local System – The adversary collected local artifacts including private browser data and host reconnaissance information prior to exfiltration; “The exfiltrated data included users’ private browser data and reconnaissance information on particular high-value hosts.”
Indicators of Compromise
- [SHA-1] Malware samples – B8313A185528F7D4F62853A44B64C29621627AE7 (PDFelement.exe), 8B95902B2C444BCDCCB8A481159612777F82BAD1 (CMD365 Update.exe), and 3 more hashes.
- [URL] Firebase C2 endpoints – https://gmall-52fb5-default-rtdb.asia-southeast1.firebasedatabase[.]app/, https://go0gle-service-default-rtdb.firebaseio[.]com/ (CMDEmber C2).
- [URL] Microsoft 365 Mail C2 location – https://graph.microsoft[.]com/beta/users/3517e816-6719-4b16-9b40-63cc779da77c/mailFolders (used by CMD365).
- [URL] Dropbox hosting links – https://www.dropbox[.]com/s/6a8u8wlpvv73fe4/, https://www.dropbox[.]com/s/hbc5yz8z116zbi9/ (malware hosting).
- [URL] Microsoft Azure hosting/exfiltration – https://socialmsdnmicrosoft.azurewebsites[.]net/ (malware hosting paths AAA/ABB/AMA/AS), https://akam.azurewebsites[.]net/api/File/Upload (data exfiltration).
- [IP address] Chisel C2 server – 193.29.56[.]122 (TCP-over-HTTP tunnel endpoint).
WIP26 begins with targeted WhatsApp messages pointing victims to Dropbox-hosted archives that contain a malicious loader (PDFelement.exe). The loader, signed with an invalid certificate claiming a legitimate vendor, installs a .NET backdoor (CMD365) and creates a scheduled task named MicrosoftUpdatesA for persistence; additional payloads observed include EdgeUpdater.exe (CMD365) and CMDEmber binaries (Launcher.exe/Update.exe).
CMD365 authenticates to Microsoft 365 Mail via the Microsoft Graph API using credentials embedded in the binary, creates a machine-unique inbox folder (based on MAC, hostname, and user), and polls emails with subjects beginning “Input” to receive AES-encrypted, Base64-encoded commands which it executes through the Windows command interpreter. CMDEmber uses Step Up Labs’ Firebase library to connect to Firebase Realtime Database instances (for example gmall-52fb5-default-rtdb.asia-southeast1.firebasedatabase[.]app and go0gle-service-default-rtdb.firebaseio[.]com), exchanging JSON entries keyed by a unique machine identifier and encrypting payloads with an MD5-derived Triple DES key.
After reconnaissance and local data collection (including private browser artifacts and target host details), the actor staged and exfiltrated data via PowerShell to Azure-hosted endpoints (socialmsdnmicrosoft.azurewebsites[.]net and akam.azurewebsites[.]net). The operator also used Chisel (masquerading as Media Player Classic) to establish a TCP-over-HTTP tunnel from 193.29.56[.]122 for additional access. Cloud services were used throughout for C2, hosting, and exfiltration to blend malicious activity with legitimate web traffic.
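The indicator list and the C2 description above translate directly into a log-level check. The script below is an added example written for this page; it is not code from the report or from the actor's tooling. It matches a constructed key=value proxy log format and a list of scheduled tasks against the page's indicators. Hostnames, usernames, timestamps, the second Graph user GUID, the mpc-hc.exe process name, the C:\Tools path and the benign task entry in the sample data are invented for the example, and the rule that flags any non-mail process polling the Graph `/beta/users/{guid}/mailFolders` endpoint is my own heuristic, not something the report states.

```python
import re
from typing import NamedTuple

# Indicators taken from the summary above, with the defanging brackets removed so they
# compare equal to what a real proxy log records.
IOC_HOSTS = {
    "gmall-52fb5-default-rtdb.asia-southeast1.firebasedatabase.app": "CMDEmber Firebase C2",
    "go0gle-service-default-rtdb.firebaseio.com": "CMDEmber Firebase C2",
    "socialmsdnmicrosoft.azurewebsites.net": "Azure malware hosting",
    "akam.azurewebsites.net": "Azure exfiltration endpoint",
    "193.29.56.122": "Chisel tunnel endpoint",
}
# (host, path prefix) pairs: a prefix match also catches sub-resources under the listed path.
IOC_URL_PREFIXES = {
    ("graph.microsoft.com", "/beta/users/3517e816-6719-4b16-9b40-63cc779da77c/mailFolders"): "CMD365 Microsoft 365 Mail C2",
    ("www.dropbox.com", "/s/6a8u8wlpvv73fe4/"): "Dropbox loader hosting",
    ("www.dropbox.com", "/s/hbc5yz8z116zbi9/"): "Dropbox loader hosting",
}
IOC_TASK_NAMES = {"microsoftupdatesa": "CMD365 persistence task"}  # compared case-insensitively

# Heuristic (my assumption, not a statement from the report): the CMD365 pattern is a
# non-mail process polling the Graph beta mailFolders endpoint, whatever the user GUID.
GRAPH_MAILFOLDERS_RE = re.compile(r"^/beta/users/[0-9a-f-]{36}/mailFolders", re.I)
MAIL_CLIENTS = {"outlook.exe"}  # extend with whatever legitimately talks to Graph in your estate

KV_RE = re.compile(r"(\w+)=(\S+)")


class Hit(NamedTuple):
    ts: str
    host: str
    proc: str
    indicator: str
    label: str


def parse_line(line: str) -> dict:
    """Parse a 'key=value key=value' proxy log line (constructed format for this example)."""
    return dict(KV_RE.findall(line))


def classify(proc: str, dst: str, path: str):
    """Return (indicator, label) if the request matches an IoC or the heuristic, else None."""
    dst, proc = dst.lower(), proc.lower()
    if dst in IOC_HOSTS:
        return dst, IOC_HOSTS[dst]
    for (host, prefix), label in IOC_URL_PREFIXES.items():
        if dst == host and path.startswith(prefix):
            return dst + prefix, label
    if dst == "graph.microsoft.com" and GRAPH_MAILFOLDERS_RE.match(path) and proc not in MAIL_CLIENTS:
        return dst + path, "Graph mailFolders polling by non-mail process (heuristic)"
    return None


def scan_proxy_logs(lines):
    """Run classify() over log lines; skip lines missing the fields the check needs."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if not all(k in f for k in ("ts", "host", "proc", "dst")):
            continue
        m = classify(f["proc"], f["dst"], f.get("path", ""))
        if m:
            hits.append(Hit(f["ts"], f["host"], f["proc"], m[0], m[1]))
    return hits


def scan_scheduled_tasks(tasks):
    """tasks: (task_name, command) pairs, e.g. parsed from `schtasks /query /fo csv /v`."""
    return [(name, cmd, IOC_TASK_NAMES[name.lstrip("\\").lower()])
            for name, cmd in tasks if name.lstrip("\\").lower() in IOC_TASK_NAMES]


# Constructed sample data: only the indicators themselves come from the summary.
SAMPLE_PROXY_LOG = [
    "ts=2023-02-10T09:58:02Z host=WS-0412 user=jdoe proc=chrome.exe dst=www.dropbox.com path=/s/6a8u8wlpvv73fe4/",
    "ts=2023-02-10T10:03:11Z host=WS-0412 user=jdoe proc=Update.exe dst=graph.microsoft.com path=/beta/users/3517e816-6719-4b16-9b40-63cc779da77c/mailFolders",
    "ts=2023-02-10T10:03:40Z host=WS-0412 user=jdoe proc=outlook.exe dst=graph.microsoft.com path=/beta/users/0a1b2c3d-1111-4222-8333-444455556666/mailFolders",
    "ts=2023-02-10T10:04:05Z host=WS-0412 user=jdoe proc=EdgeUpdater.exe dst=graph.microsoft.com path=/beta/users/0a1b2c3d-1111-4222-8333-444455556666/mailFolders/inbox/messages",
    "ts=2023-02-10T10:15:05Z host=WS-0412 user=jdoe proc=Launcher.exe dst=go0gle-service-default-rtdb.firebaseio.com path=/.json",
    "ts=2023-02-10T11:02:19Z host=WS-0412 user=jdoe proc=powershell.exe dst=akam.azurewebsites.net path=/api/File/Upload",
    "ts=2023-02-10T11:30:44Z host=WS-0412 user=jdoe proc=mpc-hc.exe dst=193.29.56.122 path=/",
    "ts=2023-02-10T11:31:00Z host=WS-0413 user=asmith proc=chrome.exe dst=www.google.com path=/search",
]
SAMPLE_TASKS = [
    ("\\Adobe Acrobat Update Task", "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"),
    ("\\MicrosoftUpdatesA", "C:\\Tools\\Update.exe"),
]

if __name__ == "__main__":
    for h in scan_proxy_logs(SAMPLE_PROXY_LOG):
        print(f"{h.ts} {h.host} {h.proc:16} {h.label}: {h.indicator}")
    for name, cmd, label in scan_scheduled_tasks(SAMPLE_TASKS):
        print(f"task {name} -> {cmd}: {label}")
```

Exact-host and IP matches are checked before path prefixes so that a hit on a listed C2 host is reported even when the path varies; the Graph heuristic is deliberately last and tagged as such, since it will fire on any in-house automation that reads mailboxes through Graph and needs an allow-list of known processes before it is useful as an alert.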