In a briefing given to the FBI and the US DoJ, Cybereason researchers described the campaign of Winnti, a Chinese APT operating for reconnaissance purposes.

Researchers said the campaign has gone undetected for years because of the sophistication of the hackers behind it. Exploiting known and zero-day bugs for initial access, Winnti hackers use legitimate Windows software and a range of other malicious tools to conceal their operations and steal data.

Winnti’s Modus Operandi

Among all the Advanced Persistent Threats (APTs) active today, the Winnti group is one of the most sophisticated teams deployed against critical organizations to steal sensitive data. Linked to the Chinese government, Winnti has also been tracked as APT41, BARIUM, or Blackfly on several occasions.

In the past, the state-backed hacking group targeted software vendors, video game developers, and some Hong Kong universities, using both known and zero-day bugs. Winnti was also one of the active groups that quickly capitalized on Microsoft’s Exchange Server ProxyLogon flaws.

More recently, the researchers uncovered a campaign dubbed Operation CuckooBees that went undetected for over three years. It starts with the Winnti group exploiting vulnerabilities in the targeted organization’s ERP software and deploying the Spyder loader.

Once in, they create a web shell built from simple code published on some Chinese-language websites. The group also leverages the Windows WinRM feature over HTTP/HTTPS, and the IKEEXT and PrintNotify services, to create backup persistence mechanisms and to sideload their DLLs.

The group then begins its reconnaissance work, analyzing the compromised system’s OS, network, and user files, and cracking internal passwords through credential dumping or other techniques. They also create scheduled tasks to move laterally through the network.

Researchers noted in particular Winnti’s use of Stashlog, malicious software designed to abuse the Microsoft Windows Common Log File System (CLFS). Manipulating CLFS together with Transactional NTFS (TxF) and the Transactional Registry (TxR) lets them stash a payload inside a CLFS log file.

All this allows them to conceal their payloads and evade detection by regular security products. Aside from this, they also use tools like Sparklog, Privatelog, and Deploylog to escalate privileges, establish further persistence, and deploy the Winnkit rootkit driver.
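A defender-side hunting script for the footholds this article names (the IKEEXT and PrintNotify service DLLs, WinRM listeners, recently registered scheduled tasks, and CLFS .blf files in writable locations), added here as an example; it is not code from Cybereason’s report. It assumes an elevated PowerShell session on the host under review, and the lookback window and scan roots are assumptions to adjust.

```powershell
# Hunting script added for illustration; not from Cybereason's report. Surfaces the footholds the
# article names for analyst review. Lookback window and scan roots are assumptions.
param(
    [int]$LookbackDays = 30,
    [string[]]$ScanRoots = @("$env:ProgramData", "$env:PUBLIC", "$env:SystemRoot\Temp")
)

function New-Finding($Check, $Item, $Path, $Detail) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Path = $Path; Detail = $Detail }
}

# 1. Service DLLs of the two services the report says were used for DLL sideloading.
#    A ServiceDll outside System32, or one whose Authenticode signature is not Valid, is a lead.
foreach ($svc in 'IKEEXT', 'PrintNotify') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    New-Finding 'ServiceDll' $svc $path $sig.Status
}

# 2. WinRM listeners: the report describes remote access over WinRM via HTTP/HTTPS.
#    Any listener on a host that should not accept remote management is a lead.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction SilentlyContinue |
    ForEach-Object { New-Finding 'WinRMListener' $_.Transport $_.Address "port $($_.Port)" }

# 3. Scheduled tasks registered inside the lookback window (the report notes tasks used for
#    lateral movement). Tasks whose action runs from outside System32 deserve a closer look.
$since = (Get-Date).AddDays(-$LookbackDays)
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $since } | ForEach-Object {
    $exe = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
    New-Finding 'RecentTask' $_.TaskName $exe $_.Date
}

# 4. CLFS log files (.blf) under writable, non-system roots. Windows itself keeps .blf files
#    (for example the TxR store under System32\config), so treat hits as leads, not verdicts.
foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -Filter *.blf -File -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'CLFSLog' $_.Name $_.FullName $_.LastWriteTime }
}
```

Pipe the output to `Format-Table` or `Export-Csv` to review the findings; every row is a lead for an analyst to confirm, not a detection verdict.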

Though they detailed the campaign, the researchers said they are still analyzing the group to learn more. They published partial IoCs and said it is hard to learn more about the group because of its “multi-stage infection chain” attack: one needs all the pieces of the puzzle to solve it.
