Researchers Detailed Winnti's Hacking Operation: A Chinese APT

Cybereason researchers detailed Winnti, a Chinese APT that is operating a reconnaissance campaign, going undetected for over three years.

Researchers noted studying Winnti is hard, as it’s operation is a multi-stage infection chain. It starts with exploiting vulnerabilities in the ERP software of an organization and goes on to deploy various tools at several levels to spread through the network and steal sensitive data.

Detailing Winnti Hacking Group

Unlike most hacking groups which are driven by financial motives, state-backed hackers are driven by their nation’s long-term prospective. Thus, they aim at stealing sensitive data from foreign organizations, rather than stealing money.

One among them is Winnti, a Chinese APT which is also known as APT41, BARIUM, or Blackfly by several researchers. The hacking group’s latest operation, dubbed Operation CuckooBees, is said to have gone undetected for over three years!

This was now detailed by Cybereason researchers, who in a briefing to the FBI and US DoJ said Winnti’s attacks are a “multi-stage infection chain“, that begins by exploiting vulnerabilities in enterprise resource planning (ERP) software of targeted organizations.

Once they’re in, they create a webshell in the network that’s procured from a simple code published on websites in the Chinese language to maintain persistence. Researchers also noted the gang dropping Spyder loader, and exploiting bugs that are both known and zero-day.

Next up is the leveraging of some legitimate Windows tools like the WinRM over HTTP/HTTPS, and IKEEXT and PrintNotify – all to create backup persistence mechanisms and to sideload Winnti DLLs.

After successfully establishing a presence, the group then analyses the comprised system’s OS, user files, and the whole network to learn and crack passwords using techniques like credential dumping or with some specially crafted tools.

They’re also said to be using Stashlog, a malicious software designed to manipulate the Transactional NTFS (TxF) and Transactional Registry (TxR) operations of Microsoft Windows Common Log File System (CLFS) to conceal their payloads and evade detection by regular security software.

And finally, researchers also noted Winnti’s use of Sparklog, Privatelog, and Deploylog, to extract data from the CLFS log, escalate privileges, and enable further persistence. Publishing the partial IoCs of this campaign, Cybereason researchers said they are analyzing this group further to know more.

Other Trending News:-  News

LEAVE A REPLY

Please enter your comment!
Please enter your name here