Chinese group APT Winnti stole trade secrets during years-long undetected campaign


Security researchers have uncovered a cyber espionage campaign, largely undetected since 2019, that focuses on stealing trade secrets and other intellectual property from technology and manufacturing companies around the world. The campaign uses previously undocumented malware and is attributed to a Chinese state-sponsored APT group known as Winnti.

“With years of surreptitiously performing reconnaissance and identifying valuable data, the group is estimated to have managed to exfiltrate hundreds of gigabytes of information,” researchers from security firm Cybereason said in a new report. “The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas and proprietary data related to manufacturing.”

Cybereason, which shared its findings with the US Federal Bureau of Investigation (FBI) and Department of Justice (DOJ), dubbed the cyber-espionage campaign Operation CuckooBees and identified victims in Asia, Europe and North America.

Who is Winnti?

Winnti, also tracked in the security industry as APT41, Axiom, Barium, Wicked Panda and other names, is one of China’s oldest cyber espionage groups, with its malicious activities dating back to 2007. The group uses an extensive malware toolset that includes a backdoor program called Winnti and has used a variety of attack vectors in its campaigns over the years, including software supply chain attacks involving NetSarang, CCleaner and ASUS software.

Winnti’s targeting often aligns with China’s geopolitical interests, and there is evidence that the group has acted as a contractor for Chinese government agencies that engage in cyber espionage, such as China’s Ministry of State Security (MSS) and the People’s Liberation Army (PLA). In September 2020, the US DOJ charged three Chinese nationals and two Malaysian nationals in connection with the APT41 attacks. Three of them were involved in running a company called Chengdu 404 Network Technology, which allegedly served as a front company for the group’s activities. Another Chinese hacker linked to APT41, Tan Dailin, was indicted in 2019 and is on the FBI’s wanted list.

ERP Intrusion Investigation Reveals Operation CuckooBees

Cybereason discovered the Operation CuckooBees campaign in 2021 while investigating network intrusions at several businesses around the world. These intrusions started with the attackers exploiting remote code execution vulnerabilities in a popular enterprise resource planning (ERP) platform and deploying JSP web shells (backdoors) on the ERP web application server. Some of the exploited vulnerabilities were known at the time of the attacks, but some were not, meaning the attackers used zero-day exploits.

After establishing this initial foothold, the attackers focused on establishing persistence, performing network reconnaissance, and dumping credentials that allowed them to move laterally to other Windows systems on the network.

After deploying web shells to allow command execution on the ERP servers, the attackers also modified the servers’ configuration to enable WinRM, a Windows-native remote management protocol that allows remote shell access. This was done to ensure that access to the servers would be maintained even if the web shells were discovered and removed.

The attackers used several techniques and tools to dump locally stored credentials from the registry and crack the resulting password hashes. These credentials allowed lateral movement to other computers and the execution of malicious batch scripts via scheduled tasks.

How Operation CuckooBees Works: A Multi-Step Chain of Infection

The batch scripts were intended to launch a sophisticated infection chain that used several techniques to ensure persistence. The first-stage payload of this chain, deployed by the batch scripts, is Spyder Loader, a known malware loader whose purpose is to decrypt and execute additional malware payloads in a stealthy manner.

The loader itself took the form of a modified SQLite3 DLL file that was executed through the native rundll32.exe and in turn loaded additional malicious payloads dropped as TLB files in the Windows System32 directory.

“After deploying the initial payload, Winnti uses a sophisticated and unique multi-step infection chain with numerous payloads,” Cybereason researchers said in their malware analysis. “Each payload fulfills a unique role in the infection chain, which only succeeds after all payloads are fully deployed.”

The next malicious payload is a program the researchers dubbed STASHLOG, which is used to hide additional payloads in a Common Log File System (CLFS) log file. CLFS is a proprietary file system format used by Windows since Windows Server 2003 R2 to log certain errors and to store Transactional NTFS (TxF) and Transactional Registry (TxR) operations so that they can be rolled back. It is relied on by Windows features such as Windows Update and System Restore.

“CLFS uses a proprietary file format that is undocumented and only accessible through CLFS API functions,” the researchers said. “At the time of writing, there are no tools capable of analyzing dumped logs. This is a huge advantage for attackers, as it makes it more difficult to examine and detect them when using the CLFS mechanism.”

While STASHLOG is used to store payloads in CLFS as encrypted data, another deployed malware component called SPARKLOG is responsible for extracting and executing them. Specifically, SPARKLOG’s purpose is to achieve privilege escalation by using DLL hijacking or sideloading techniques to trick legitimate Windows services that run with SYSTEM privileges into executing a malicious DLL extracted from the CLFS log. This malicious DLL is called PRIVATELOG and is deployed in one of two ways, depending on the Windows version. From Windows Vista to Windows 7, SPARKLOG modifies the configuration of the IKEEXT service to run PRIVATELOG as wlbsctrl.dll. From Windows Server 2012 to Windows 10, SPARKLOG modifies the configuration of the Windows PrintNotify service to run PRIVATELOG as prntvpt.dll.

Now running with SYSTEM privileges – the highest possible on a Windows machine – PRIVATELOG extracts another payload hidden by STASHLOG from the CLFS log data. This component, called DEPLOYLOG, is written to disk by overwriting a legitimate file called dbghelp.dll using Transactional NTFS (TxF). TxF is a feature introduced in Windows Vista that allows developers to create, modify, and delete files in a way that allows those changes to be rolled back.

“By using Transactional NTFS, attackers can perform file operations using unconventional methods that may be difficult for some security products to detect,” Cybereason researchers explain.

DEPLOYLOG is a loader whose main purpose is to decrypt the final CLFS log data payload and hijack the AMD K8 processor kernel driver service to run as a system driver. That final payload is WINNKIT, a kernel-level rootkit that installs as a network driver that intercepts TCP/IP requests by talking directly to the system’s network card.

After deploying WINNKIT, DEPLOYLOG reverts the AMD K8 processor kernel driver service configuration to its original state to cover its tracks, and then begins communicating with the attackers’ command and control server. Essentially, DEPLOYLOG becomes a user-mode communication component that connects the WINNKIT rootkit to the C2 server.

WINNKIT is signed with an expired and possibly stolen digital certificate belonging to hardware manufacturer BenQ. This is used to bypass Driver Signature Enforcement (DSE), which is enabled by default on Windows and prevents the loading of drivers that do not carry a digital signature from a trusted publisher. The problem is that DSE does not perform online checks for expired or revoked certificates, so drivers signed with the stolen certificate will continue to load until the certificate is blocked via a Windows update.
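The three persistence mechanisms described above (the IKEEXT/PrintNotify DLL sideload locations, the TxF overwrite of dbghelp.dll, and a kernel driver signed with an expired certificate) all leave artifacts that can be checked from an administrative PowerShell session. The script below is an added defender-side hunt, not code from the article or from the Cybereason report: the service names, DLL file names and System32 location come from the article; the output format, the "expected on disk" assumptions and the triage thresholds are this example's own assumptions. It is read-only and does not change any service or file.

```powershell
# Added example (not from the article or the Cybereason report): read-only hunt
# for the persistence locations described above. Run as an administrator.
$System32 = Join-Path $env:SystemRoot 'System32'

# 1. DLL hijack / sideload locations named in the article.
#    Assumption: on a default install wlbsctrl.dll is absent from System32,
#    while prntvpt.dll and dbghelp.dll are legitimate Microsoft-signed files.
$WatchedDlls = @(
    @{ Name = 'wlbsctrl.dll'; Service = 'IKEEXT';      ExpectedOnDisk = $false }
    @{ Name = 'prntvpt.dll';  Service = 'PrintNotify'; ExpectedOnDisk = $true  }
    @{ Name = 'dbghelp.dll';  Service = $null;         ExpectedOnDisk = $true  }
)

function Test-DllIntegrity {
    param([hashtable]$Entry)
    $path   = Join-Path $System32 $Entry.Name
    $result = [ordered]@{ File = $path; Finding = 'OK'; Signer = $null; SHA256 = $null }
    if (-not (Test-Path $path)) {
        if ($Entry.ExpectedOnDisk) { $result.Finding = 'MISSING (expected file absent)' }
        return [pscustomobject]$result
    }
    if (-not $Entry.ExpectedOnDisk) { $result.Finding = 'UNEXPECTED FILE PRESENT' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # A non-Microsoft or invalid signature on one of these files is the strongest indicator here.
    if ($sig.Status -ne 'Valid' -or $result.Signer -notmatch 'Microsoft') {
        $result.Finding = "SIGNATURE $($sig.Status)"
    }
    $result.SHA256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    return [pscustomobject]$result
}

# 2. Service configuration. The article says SPARKLOG edited the IKEEXT and
#    PrintNotify configuration, so record ImagePath, start type and the hosted
#    ServiceDll for comparison against a known-good host.
function Get-ServiceConfig {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Service    = $Name
        ImagePath  = $p.ImagePath
        Start      = $p.Start
        ServiceDll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    }
}

# 3. Running kernel drivers whose signature is not valid, or whose signing
#    certificate has expired without a timestamp countersignature. DSE does not
#    check expiry or revocation, so this has to be done separately. Drivers with
#    a timestamped signature and an expired certificate are normal and are not flagged.
function Get-SuspiciousDriverSignatures {
    $now = Get-Date
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $file = $_.PathName -replace '^\\\?\?\\', ''            # strip \??\ prefix
            $file = $file -replace '^\\SystemRoot', $env:SystemRoot  # expand \SystemRoot
            $file = [Environment]::ExpandEnvironmentVariables($file)
            if (-not (Test-Path $file)) { return }
            $sig  = Get-AuthenticodeSignature -FilePath $file
            $cert = $sig.SignerCertificate
            $expiredNoTimestamp = $cert -and $cert.NotAfter -lt $now -and -not $sig.TimeStamperCertificate
            if ($sig.Status -ne 'Valid' -or $expiredNoTimestamp) {
                [pscustomobject]@{
                    Driver  = $_.Name
                    Path    = $file
                    Status  = $sig.Status
                    Signer  = if ($cert) { $cert.Subject } else { '<unsigned>' }
                    Expires = if ($cert) { $cert.NotAfter } else { $null }
                }
            }
        }
}

Write-Host '== DLL hijack / sideload locations =='
$WatchedDlls | ForEach-Object { Test-DllIntegrity $_ } | Format-Table -AutoSize

Write-Host '== Service configuration (compare against a known-good host) =='
'IKEEXT', 'PrintNotify' | ForEach-Object { Get-ServiceConfig $_ } | Format-List

Write-Host '== Running drivers with invalid or expired, untimestamped signatures =='
Get-SuspiciousDriverSignatures | Format-Table -AutoSize
```

The service-configuration section deliberately prints values rather than judging them, because the legitimate ImagePath and ServiceDll differ between Windows versions; diff the output against a host of the same build. The SHA256 column exists so that a flagged file can be compared with the hashes published in the original report.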

WINNKIT hooks TCP/IP network communication via the network card, which allows it to receive the commands sent by the DEPLOYLOG user-mode agent. These commands trigger the execution of additional modules that the rootkit injects into the svchost.exe process. These modules allow running a CMD shell with administrator privileges, listing files, listing services, stopping processes, opening a SOCKS5 communication proxy, or enabling the Remote Desktop Protocol (RDP).

WINNKIT’s build date is 2019, which suggests that the rootkit has been in use for 3 years. The sophisticated infection chain and the use of various advanced techniques likely allowed the campaign to fly under the radar for that long.

“Malware authors have chosen to divide the infection chain into several interrelated phases, where each phase builds on the previous one to execute properly,” the researchers said. “This demonstrates the thought and effort that has gone into both malware and operational security considerations, making analysis nearly impossible unless all the pieces of the puzzle are put together in the correct order. Additionally, the rare abuse of the Windows system’s own CLFS logging and NTFS manipulations provided attackers with additional stealth and the ability to remain undetected for years.”

Copyright © 2022 IDG Communications, Inc.
