Chinese hackers perform ‘rarely seen’ Windows mechanism abuse in three-year campaign

Researchers have revealed a sophisticated Winnti cyber-campaign that abuses Windows mechanisms in a “rarely seen” way.

According to Cybereason, Chinese advanced persistent threat (APT) group Winnti is behind the campaign, which has gone undetected for years.

Active since at least 2010, Winnti is a threat group that operates using a wide range of malware and tools at its disposal. The APT, also known as APT41, BARIUM or Blackfly, is suspected of working on behalf of the Chinese state and focuses on cyber espionage and data theft.

Past attacks linked to the group include cyberattacks on video game developers, software vendors and universities in Hong Kong. Winnti also capitalized on Microsoft Exchange Server ProxyLogon flaws, alongside other APTs, when critical vulnerabilities were first made public.

In two reports on Wednesday, Cybereason said the company informed the FBI and the US Department of Justice (DoJ) about the APT campaign, which has been active since 2019 but only recently came to light.

According to cybersecurity researchers, covert attacks have focused on infiltrating the networks of technology and manufacturing companies in Europe, Asia and North America, focusing on stealing sensitive proprietary information.

Dubbed Operation CuckooBees, Winnti’s “multi-step infection chain” begins with exploiting vulnerabilities in enterprise resource planning (ERP) software and deploying the Spyder loader. The researchers say that some of the exploited bugs were known, but others were also zero-day vulnerabilities.

After gaining access to an enterprise system, a web shell, consisting of simple code posted on Chinese-language websites, is dropped to maintain persistence.

Additionally, Winnti alters Windows WinRM functionality over HTTP/HTTPS, and Windows IKEEXT and PrintNotify services, to create backup persistence mechanisms and to load Winnti DLLs.
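A defender-side check for the persistence points the article names (the IKEEXT and PrintNotify service DLLs and WinRM listeners), added here as an illustration and not part of Cybereason's report or tooling; it assumes the standard svchost registry layout (`Parameters\ServiceDll`) and is meant to produce output for manual review on an elevated PowerShell session:

```powershell
# Added example, not from the original report: list the DLL each named
# service loads, its Authenticode status, and every configured WinRM listener.
# Assumes the standard svchost layout: HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll

$services = @('IKEEXT', 'PrintNotify')

foreach ($svc in $services) {
    $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $paramKey = "$svcKey\Parameters"

    $dll   = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $image = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

    if (-not $dll) {
        # Not svchost-hosted on this build, or the value was removed; record the ImagePath instead
        Write-Output "$svc : no ServiceDll value (ImagePath = $image)"
        continue
    }

    # Expand %SystemRoot%-style variables before touching the file system
    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path -Path $dllPath)) {
        Write-Output "$svc : ServiceDll $dllPath is missing on disk"
        continue
    }

    # A service DLL outside System32, or one whose signature is not Valid, deserves a closer look
    $sig        = Get-AuthenticodeSignature -FilePath $dllPath
    $inSystem32 = $dllPath -like "$env:SystemRoot\System32\*"
    Write-Output ("{0} : {1} | signature={2} | signer={3} | inSystem32={4}" -f $svc, $dllPath, $sig.Status, $sig.SignerCertificate.Subject, $inSystem32)
}

# WinRM listeners: any HTTP/HTTPS listener that was not provisioned deliberately is a finding
Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue | ForEach-Object {
    $props     = Get-ChildItem -Path $_.PSPath
    $transport = ($props | Where-Object Name -eq 'Transport').Value
    $port      = ($props | Where-Object Name -eq 'Port').Value
    $address   = ($props | Where-Object Name -eq 'Address').Value
    Write-Output ("WinRM listener {0} : transport={1} port={2} address={3}" -f $_.Name, $transport, $port, $address)
}
```

Compare the reported DLL paths and signer subjects against a known-good host of the same Windows build; the script only surfaces the values, it does not decide what is malicious.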

The group then performs a detailed reconnaissance of the operating system, network, and user files, before attempting to crack the passwords locally using credential dumping techniques and tools.

Remotely scheduled tasks are used to try to move laterally across networks.

Of particular note is Winnti’s use of Stashlog, malware designed to abuse the Microsoft Windows Common Log File System (CLFS).

Stashlog manipulates the Transactional NTFS (TxF) and Transactional Registry (TxR) operations that are built on CLFS. As part of the infection chain, the executable stores a payload inside a CLFS log file.

“Attackers leveraged the Windows CLFS mechanism and NTFS transaction manipulations, which allowed them to conceal their payloads and evade detection by traditional security products,” Cybereason explains, adding that such abuse of CLFS is “rarely seen”.

Following the Stashlog activities, the APT will then use various tools, including Sparklog, Privatelog, and Deploylog. These malware variants extract CLFS log data, elevate privileges, allow additional persistence, and deploy the Winnkit rootkit driver – which acts as a kernel-mode agent to intercept TCP/IP requests.

While the investigation into Winnti’s campaign is ongoing, the cybersecurity firm was only able to share partial indicators of compromise (IoCs).

“Perhaps one of the most interesting things to notice is the elaborate, multi-phase infection chain employed by Winnti,” the researchers say. “Malware authors have chosen to divide the infection chain into several interrelated phases, where each phase relies on the previous one to execute properly.

This demonstrates the thought and effort that has gone into both malware and operational security considerations, making analysis nearly impossible unless all the pieces of the puzzle are put together in the correct order.”
