WSCSPL

Malware

⚠️ Overview

WSCSPL is a China-nexus Remote Access Trojan (RAT) family first documented by Trend Micro in July 2019 as part of the Operation Earth Akamai campaign. Published attribution is inconsistent: the family has been linked to TA428 and, by FireEye/Mandiant, to APT40 (also tracked as Leviathan or TEMP.Periscope). TA428 and APT40 are distinct intrusion sets, not aliases of one another, so treat the attribution as unsettled. The malware is a stealthy backdoor used for long-term espionage against government, defense, and technology targets.

🔧 Technical Capabilities

Initial access is by spear-phishing e-mails carrying malicious Microsoft Office documents that exploit CVE-2017-11882 (a stack buffer overflow in the Equation Editor component, EQNEDT32.EXE) and CVE-2018-0802 (a bypass of the CVE-2017-11882 patch in the same component). Neither exploit needs macros, so macro blocking alone does not stop this vector.

The dropper writes a DLL payload to %APPDATA% or %TEMP% and persists either as a scheduled task with a plausible name (e.g. "Microsoft Windows Calendar Service") or as a Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Command-and-control is HTTP/HTTPS beaconing over TCP 443 to domains chosen to look like legitimate services (lookalikes of update.microsoft.com and *.baidu.com are cited). Evasion includes UPX packing or custom XOR encoding of the payload, API hashing so that imports are resolved at runtime rather than listed in the import address table, and sandbox checks based on mouse movement and CPU core count. The backdoor supports over 30 commands, including file upload/download, keylogging, screenshot capture, process execution, and registry manipulation.
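To turn the persistence chain above into a detection, here is an added example (not code from the original page, from the vendors cited, or from the malware itself) that correlates Sysmon-style events: a DLL written under %APPDATA% or %TEMP% followed, on the same host and within a configurable window, by a schtasks /create or a new Run value. The event records, hostnames, user names, the payload file name and the ten-minute window are constructed assumptions for the demo; field names follow Sysmon's schema.

```python
"""Host-side correlation of the dropper -> persistence chain described above.

Added example, not code from the original page or any vendor report.  The
events below are constructed to resemble Sysmon Event ID 11 (FileCreate),
Event ID 1 (ProcessCreate) and Event ID 13 (RegistryEvent: value set); the
hosts, users and paths are invented for the demo.
"""
import re
from datetime import datetime

# Staging directories the dropper is reported to use (%APPDATA% and %TEMP%).
STAGING_RE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def _persistence_action(event):
    """Return a short label if the event registers persistence, else None."""
    if event["EventID"] == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return "run-key"
    if event["EventID"] == 1 and SCHTASKS_CREATE_RE.search(event.get("CommandLine", "")):
        return "scheduled-task"
    return None


def find_persistence_chains(events, window_minutes=10):
    """Pair each DLL written to a staging directory with the first persistence
    action on the same host inside `window_minutes` (assumption: a dropper
    persists shortly after writing its payload).  The alert records whether
    the persistence command or registry data references the dropped DLL."""
    by_host = {}
    for ev in sorted(events, key=_ts):
        by_host.setdefault(ev["Host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, drop in enumerate(evs):
            path = drop.get("TargetFilename", "")
            if drop["EventID"] != 11 or not path.lower().endswith(".dll"):
                continue
            if not STAGING_RE.search(path):
                continue
            for later in evs[i + 1:]:
                if (_ts(later) - _ts(drop)).total_seconds() > window_minutes * 60:
                    break
                action = _persistence_action(later)
                if action:
                    blob = later.get("CommandLine", "") + later.get("Details", "")
                    alerts.append({
                        "host": host, "payload": path, "action": action,
                        "time": later["UtcTime"],
                        "references_payload": path.lower() in blob.lower(),
                    })
                    break
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"EventID": 11, "Host": "WS01", "UtcTime": "2019-07-24 09:00:05",
     "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\update.dll"},
    {"EventID": 1, "Host": "WS01", "UtcTime": "2019-07-24 09:00:09",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Microsoft Windows Calendar Service" '
                    r'/tr "rundll32 C:\Users\alice\AppData\Roaming\update.dll,Start"'},
    # Benign: an installer writes a DLL to %APPDATA% with no persistence afterwards.
    {"EventID": 11, "Host": "WS02", "UtcTime": "2019-07-24 10:15:00",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Vendor\helper.dll"},
    # Benign: a Run value set hours after an unrelated DLL write (outside the window).
    {"EventID": 11, "Host": "WS03", "UtcTime": "2019-07-24 11:00:00",
     "Image": r"C:\Windows\Temp\setup.exe",
     "TargetFilename": r"C:\Windows\Temp\lib.dll"},
    {"EventID": 13, "Host": "WS03", "UtcTime": "2019-07-24 13:30:00",
     "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "Details": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for alert in find_persistence_chains(SAMPLE_EVENTS):
        print(alert)
```

Only WS01 is flagged with the default window; widening it to three hours also pairs the WS03 events, but with references_payload False, which is the field to sort on when triaging. The Run-key path is matched under any hive so that HKU\<SID> events from Sysmon line up with the HKCU path quoted above.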

📜 History & Notable Incidents

WSCSPL was first observed in early 2019 targeting Taiwanese government agencies and aerospace contractors, according to Trend Micro's July 2019 report (ID: RPT-2019-0724). In 2020, Mandiant linked the malware to APT40, a cluster distinct from the TA428 attribution cited elsewhere for this family; the two attributions have not been reconciled. APT40 is reported to have conducted coordinated attacks against maritime, shipping, and telecommunications firms in Southeast Asia. No CVEs are tied to the WSCSPL payload itself; it relies on the Equation Editor flaws (CVE-2017-11882, CVE-2018-0802) for initial compromise. No law enforcement actions have been publicly documented.

🔍 Detection Indicators

The source lists two file hashes, SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (described as a 2019 execution variant) and MD5 5d41402abc4b2a76b9719d911017c592. Both are unusable as indicators: the SHA-256 value is the digest of empty input, and the MD5 value is the digest of the string "hello". Treat them as placeholders or copy errors and do not load them into blocklists, where the first would only ever match empty files. Network indicators include HTTP POST requests to URL paths such as /index.php?action=login, a User-Agent string mimicking Mozilla/5.0 (Windows NT 6.1; WOW64), and a fixed beacon interval of about 60 seconds; the interval is the stronger signal, since that User-Agent prefix also appears in legitimate traffic. Host artifacts include the mutex Global\WSCSPL_Mutex_2019 and a value named WSCSPL under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
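The network indicators above, as an added example (not code from the page or from any cited vendor): a beacon detector that groups proxy-log requests per client and URL and flags series whose inter-request gaps cluster around the reported 60 seconds, plus a sanity check that rejects the degenerate hashes before they reach a blocklist. The proxy log, the client addresses and the .invalid hostnames are constructed; the interval, path and User-Agent prefix are the values quoted above. The detector takes the interval as a parameter, so it is not tied to this family.

```python
"""Fixed-interval beacon detection and IOC hash hygiene.

Added example, not code from the original page or any vendor report.  The
proxy log is constructed: hostnames use the reserved .invalid TLD and the
client addresses are made up.  Line format (assumption):
  <ISO8601 UTC> <client> <method> <url> "<user-agent>"
"""
import hashlib
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

BEACON_PATH = "/index.php?action=login"            # path reported for the family
BEACON_UA_PREFIX = "Mozilla/5.0 (Windows NT 6.1; WOW64)"

SAMPLE_PROXY_LOG = """\
2019-07-24T09:00:00Z 10.0.0.5 POST http://c2.example.invalid/index.php?action=login "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2019-07-24T09:00:12Z 10.0.0.7 GET http://news.example.invalid/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/75.0"
2019-07-24T09:01:00Z 10.0.0.5 POST http://c2.example.invalid/index.php?action=login "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2019-07-24T09:02:01Z 10.0.0.5 POST http://c2.example.invalid/index.php?action=login "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2019-07-24T09:02:30Z 10.0.0.9 POST http://portal.example.invalid/index.php?action=login "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2019-07-24T09:02:59Z 10.0.0.5 POST http://c2.example.invalid/index.php?action=login "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2019-07-24T09:03:40Z 10.0.0.7 GET http://mail.example.invalid/inbox "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/75.0"
2019-07-24T09:04:00Z 10.0.0.5 POST http://c2.example.invalid/index.php?action=login "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2019-07-24T09:05:00Z 10.0.0.5 POST http://c2.example.invalid/index.php?action=login "Mozilla/5.0 (Windows NT 6.1; WOW64)"
2019-07-24T09:20:00Z 10.0.0.9 POST http://portal.example.invalid/index.php?action=login "Mozilla/5.0 (Windows NT 6.1; WOW64)"
"""


def parse_proxy_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split(" ", 4)
        records.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "client": client, "method": method, "url": url,
                        "ua": ua.strip('"')})
    return records


def find_beacons(text, target_interval=60.0, tolerance=0.15, max_jitter=0.25, min_hits=5):
    """Group requests by (client, host, path+query) and flag a series when it has
    at least min_hits requests, its mean gap is within tolerance of
    target_interval seconds, and the gaps vary by at most max_jitter of the mean.
    The two hits from 10.0.0.9 to the same path fall below min_hits and are
    left for manual review rather than alerted on."""
    series = {}
    for r in parse_proxy_log(text):
        u = urlsplit(r["url"])
        key = (r["client"], u.hostname, u.path + ("?" + u.query if u.query else ""))
        series.setdefault(key, []).append(r)
    beacons = []
    for (client, host, path), reqs in series.items():
        if len(reqs) < min_hits:
            continue
        reqs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        if abs(avg - target_interval) > tolerance * target_interval:
            continue
        if pstdev(gaps) > max_jitter * avg:
            continue
        beacons.append({"client": client, "host": host, "path": path, "hits": len(reqs),
                        "mean_interval": round(avg, 1),
                        "known_path": path == BEACON_PATH,
                        "known_ua": all(r["ua"].startswith(BEACON_UA_PREFIX) for r in reqs)})
    return beacons


# Inputs whose digests keep turning up in copied IOC lists; a hash that matches
# one of these identifies no malware sample and must be dropped from the list.
_DEGENERATE_INPUTS = [b"", b"hello", b"test", b"password"]


def degenerate_hash_source(hexdigest):
    """Return the input whose MD5/SHA-1/SHA-256 equals hexdigest, or None."""
    h = hexdigest.strip().lower()
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h))
    if algo is None:
        return None
    for data in _DEGENERATE_INPUTS:
        if hashlib.new(algo, data).hexdigest() == h:
            return data
    return None


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_PROXY_LOG):
        print(b)
    for ioc in ("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                "5d41402abc4b2a76b9719d911017c592"):
        print(ioc[:12], "degenerate input:", degenerate_hash_source(ioc))
```

The jitter bound matters more than the exact interval: real implants often add a few seconds of randomness, and a detector keyed to exactly 60 seconds misses them, while one that accepts any mean but requires low variance catches them and still ignores interactive browsing. Run degenerate_hash_source over every hash in a feed before loading it; both values quoted for this family fail the check.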

☠️ Risk & Impact

WSCSPL enables full remote control of infected systems, allowing threat actors to exfiltrate sensitive documents, login credentials, and intellectual property. The malware has been linked to the theft of classified military procurement data from Taiwanese defense contractors and blueprints from Southeast Asian maritime firms. Financial losses are indirect but severe due to compromised competitive advantage and national security risks, primarily affecting government, defense, and technology sectors.

🛡️ Mitigation

Apply the Microsoft security updates for CVE-2017-11882 (released November 2017) and CVE-2018-0802 (January 2018; that update also removed Equation Editor from Office). The bulletin numbers MS17-014 and MS18-080 cited for these fixes are wrong: Microsoft stopped issuing MS-numbered bulletins in 2017, and both fixes are tracked by CVE and KB number in the Security Update Guide. Where patching lags, Equation Editor can be disabled with Microsoft's published workaround of setting the REG_DWORD "Compatibility Flags" to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046} (and the WOW6432Node equivalent on 64-bit Windows). Disabling Office macros from untrusted sources is sound hygiene but does not block these exploits, which need no macros. On endpoints, deploy detection rules that alert on DLL writes to %APPDATA% or %TEMP% followed by scheduled task creation or a new Run value (the Sigma rule ID quoted by the source could not be verified; write the rule yourself or search the SigmaHQ repository for the equivalent). On the network, block known C2 domains and alert on fixed-interval beaconing using an intrusion prevention system (IPS) or proxy-log analytics.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.