The Chinese hacking group known as ‘Winnti’ has been stealthily stealing intellectual property assets such as patents, copyrights, trademarks and other corporate data, all undetected by researchers and targets since 2019.
Winnti, also tracked as APT41, is an advanced and elusive cyber-espionage group believed to be backed by the Chinese state and operating on behalf of its national interests.
The uncovered cybercrime campaign has been underway since at least 2019 and targeted technology and manufacturing companies in East Asia, Western Europe and North America.
Operation Cuckoo Bees
This operation is tracked as ‘Operation CuckooBees’ and was discovered by Cybereason analysts, who documented the new malware deployed by the group, the mechanisms it exploits for initial intrusion, and the intricate payload delivery methods it uses.
“With years to conduct clandestine reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information.
The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and proprietary manufacturing-related data.” – Cybereason.
The financial losses caused by ‘CuckooBees’ are difficult to determine, but the figure is likely on a scale that places the operation among the most damaging cyber-espionage campaigns in recent years.
A stealthy operation
The infection chain observed in Operation CuckooBees begins with the exploitation of known and zero-day vulnerabilities in the ERP platforms used by the targets.
Winnti establishes persistence through a hard-coded WebShell, abusing the WinRM protocol for remote access, the IKEEXT and PrintNotify Windows services for DLL sideloading, or by loading a signed kernel rootkit.
Once they gain a foothold in a network, the hackers perform reconnaissance using built-in Windows commands such as ‘systeminfo’, ‘net start’, ‘net user’ and ‘dir c:’, which are unlikely to trigger alerts for suspicious activity, even when run from batch files via a scheduled task.
For credential dumping, Winnti either uses the ‘reg save’ command to stash the stolen passwords in a safe place, or a variant of a previously undocumented tool called ‘MFSDLL.exe’.
For lateral movement, hackers continue to abuse Windows scheduled tasks along with a set of special batch files.
Finally, for data collection and exfiltration, threat actors deploy a portable WinRAR command-line application that presents a valid digital signature and uses “rundll32.exe” as the executable.
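Defenders can turn the reconnaissance and credential-dumping behaviour described above into detection logic over process-creation telemetry. The following is an added illustration, not code from Cybereason or from the original article: it flags a burst of distinct discovery commands spawned by one parent process (the pattern of a recon batch file run from a scheduled task) and any ‘reg save’ against the SAM, SECURITY or SYSTEM hives. The pipe-separated log format, the sample events, the five-minute window and the three-command threshold are all assumptions chosen for the example, not values from the report.

```python
"""Added detection example for Winnti-style discovery bursts and 'reg save' hive dumps.

The event format (timestamp|host|parent_image|image|command_line) is a constructed,
simplified stand-in for EDR or Sysmon Event ID 1 process-creation records.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the report, matched as substrings of a normalised command line.
DISCOVERY_COMMANDS = ("systeminfo", "net start", "net user", "dir c:")
# 'reg save' against the hives that hold local credential material.
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+\"?(?:hklm|hkey_local_machine)\\(sam|security|system)\b", re.I)
BURST_WINDOW = timedelta(minutes=5)  # assumed tuning value
BURST_THRESHOLD = 3                  # distinct discovery commands from one parent (assumed)

# Constructed sample telemetry: HOST-A shows a scripted recon burst followed by a SAM dump;
# HOST-B shows a single interactive 'net user', which should not alert.
SAMPLE_LOG = r"""
2022-05-04T10:00:01|HOST-A|C:\Windows\System32\svchost.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Windows\Temp\a.bat
2022-05-04T10:00:02|HOST-A|C:\Windows\System32\cmd.exe|C:\Windows\System32\systeminfo.exe|systeminfo
2022-05-04T10:00:03|HOST-A|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net start
2022-05-04T10:00:04|HOST-A|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net user
2022-05-04T10:00:05|HOST-A|C:\Windows\System32\cmd.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir c:
2022-05-04T10:00:09|HOST-A|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg save hklm\sam C:\Windows\Temp\s.dat
2022-05-04T11:30:00|HOST-B|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
2022-05-04T11:30:05|HOST-B|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net user
"""


def parse_events(text):
    """Parse the constructed pipe-separated format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline})
    return events


def _normalise(cmdline):
    """Lower-case, drop quotes and '.exe' suffixes, collapse whitespace ('net.exe  user' -> 'net user')."""
    stripped = re.sub(r"\.exe\b", "", cmdline.lower().replace('"', ""))
    return re.sub(r"\s+", " ", stripped).strip()


def detect_discovery_bursts(events):
    """One alert per (host, parent) issuing >= BURST_THRESHOLD distinct discovery commands
    inside BURST_WINDOW; a sliding window over the time-sorted events."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = [c for c in DISCOVERY_COMMANDS if c in _normalise(ev["cmdline"])]
        if hits:
            by_parent[(ev["host"], ev["parent"])].append((ev["ts"], hits[0]))
    alerts = []
    for (host, parent), seq in by_parent.items():
        for i, (t0, _) in enumerate(seq):
            seen = {cmd for t, cmd in seq[i:] if t - t0 <= BURST_WINDOW}
            if len(seen) >= BURST_THRESHOLD:
                alerts.append({"rule": "discovery_burst", "host": host, "parent": parent,
                               "commands": sorted(seen), "first_seen": t0.isoformat()})
                break  # one alert per parent is enough
    return alerts


def detect_hive_dumps(events):
    """Alert on every 'reg save' of the SAM, SECURITY or SYSTEM hive."""
    alerts = []
    for ev in events:
        m = HIVE_DUMP.search(ev["cmdline"])
        if m:
            alerts.append({"rule": "reg_save_hive", "host": ev["host"],
                           "hive": m.group(1).upper(), "cmdline": ev["cmdline"]})
    return alerts


def run_detections(text):
    """Run both rules over raw log text and return the combined alert list."""
    events = parse_events(text)
    return detect_discovery_bursts(events) + detect_hive_dumps(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Keying the burst on the parent image rather than the host alone is what separates a scripted recon sequence from an administrator typing one ‘net user’ at a prompt; in a real deployment the parent chain (svchost.exe hosting the Task Scheduler service launching a .bat) would be joined on process IDs, which the simplified format above does not carry.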
New findings
What is highlighted in Cybereason’s report is a new Winnti malware called “DEPLOYLOG” and the method of abusing the Windows Common Log File System (CLFS) mechanism to hide the payload.
CLFS is an internal logging system for Windows operating systems that uses a proprietary file format which can only be accessed through system API functions. As a result, AV scanners skip its log files, and human analysts have no readily available tool to parse them.
Winnti abuses this system to store and hide its payloads which are placed on the target system in the form of a CLFS record and then extracted and executed via CLFS API calls.
The DEPLOYLOG malware, which has not been documented before, is a 64-bit DLL (disguised as “dbghelp.dll”) that extracts and executes the final Winnti payload, the WINNKIT rootkit, and then establishes two communication channels: one with the remote C2 and one with the kernel-level rootkit.
Some of the malware used to abuse Windows CLFS was previously discovered by Mandiant, but had not been attributed to any threat actor.
WINNKIT is the threat actor’s most evasive and sophisticated payload and has been extensively analyzed in the past. Even so, it remains largely immune to antivirus detection.
In Operation CuckooBees, WINNKIT uses reflective payload injection to inject its malicious modules into legitimate svchost processes.
“WINNKIT contains an expired BenQ digital signature, which is exploited to bypass the Driver Signature Enforcement (DSE) mechanism that requires drivers to be properly signed with digital signatures in order to load successfully,” Cybereason’s malware report explains.
“This mechanism was first introduced in 64-bit Windows Vista and has affected all versions of Windows since then.”
After successful initialization, WINNKIT establishes network communication and starts receiving custom commands via DEPLOYLOG.
Defending your network
Despite indictments of Winnti members announced over the last two years by the US Department of Justice, and no matter how many white papers discussing their tools and tactics have been published, the notorious Chinese cyber-espionage group remains active and industrious.
Cybereason believes that, given the complexity, stealth, and sophistication of Operation CuckooBees, it is very likely that Winnti compromised many more companies than the researchers were able to verify.
The best bet for defenders against such threats is to update all their software to the latest version available, monitor all network traffic, and use network segmentation.
For more details on Winnti’s TTPs, see the additional Cybereason blog article focusing on the techniques, or the third one dedicated to the malware used in the campaign.