Chinese hackers abuse ‘seldom seen’ Windows mechanism in three-year campaign

Researchers have uncovered a sophisticated Winnti cyber campaign that abuses a Windows mechanism in a “seldom seen” way.

According to Cybereason, the Chinese advanced persistent threat (APT) group Winnti is behind the campaign, which went undetected for years.

Operating since at least 2010, Winnti is a threat group that uses a wide range of malware and tools. The APT, also known as APT41, BARIUM or Blackfly, is suspected of operating on behalf of the Chinese state and focuses on cyber espionage and data theft.

Previous attacks linked to the group include cyber attacks against video game developers, software vendors and universities in Hong Kong. Winnti, along with other APTs, also took advantage of the Microsoft Exchange Server ProxyLogon flaws when those critical vulnerabilities were first disclosed.

In two reports published on Wednesday, Cybereason said the company briefed both the FBI and the US Department of Justice (DoJ) on the APT campaign, which has been active since 2019 but only recently came to light.

According to the researchers, the covert attacks focused on infiltrating the networks of technology and manufacturing companies in Europe, Asia and North America, with the aim of stealing sensitive proprietary information.

Dubbed Operation CuckooBees, the “multi-stage infection chain” begins with the exploitation of ERP vulnerabilities and the deployment of the Spyder loader. Some of the exploited flaws were known, the researchers say, but others were zero-day vulnerabilities.

Once inside the enterprise system, a webshell, made up of simple code published on Chinese-language websites, is dropped to maintain persistence.

Additionally, Winnti abuses WinRM over HTTP/HTTPS and the IKEEXT and PrintNotify Windows services to create backup persistence mechanisms and to load Winnti DLLs.

The group then performs a detailed survey of the operating system, network, and user files, before attempting to crack passwords locally using credential-dumping techniques and tools.

Remote scheduled tasks are used to attempt to move laterally across networks.

Of particular note is Winnti’s use of Stashlog, malware designed to abuse the Microsoft Windows Common Log File System (CLFS).

Stashlog manipulates NTFS transaction (TxF) and CLFS transaction log (TxR) operations. The executable stores the payload in a CLFS log file as part of the infection chain.

“Attacks have taken advantage of the Windows CLFS mechanism and tampered with NTFS transactions, allowing them to hide their payloads and avoid detection by traditional security products,” says Cybereason, adding that abuse of CLFS is “seldom seen.”
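The persistence surfaces named above (WinRM, the IKEEXT and PrintNotify services), the remote scheduled tasks used for lateral movement, and the CLFS log files that Stashlog writes payloads into are all things a defender can review on a host. The following audit script is an added example written for this page; it is not Cybereason's tooling and contains none of the campaign's indicators. It assumes it runs elevated on the host being reviewed, treats service DLLs under System32 as expected, and reports everything else for analyst review rather than issuing a verdict. The thirty-day scheduled-task window and the directory roots searched for .blf files are assumed values.

```powershell
# Added defender-side audit example (not from the article or Cybereason's report).
# Reviews: svchost DLLs for IKEEXT and PrintNotify, active WinRM listeners,
# recently registered non-Microsoft scheduled tasks, and CLFS .blf files outside
# the Windows directory. Assumption: run elevated; $taskWindowDays and $roots are
# illustrative choices, not values from the report.
function Invoke-PersistenceAudit {
    param([int]$taskWindowDays = 30)
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Area, [string]$Item, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Area = $Area; Item = $Item; Detail = $Detail })
    }

    # 1. IKEEXT and PrintNotify are svchost-hosted: the code that runs is the
    #    Parameters\ServiceDll value, so that is what to check, not ImagePath.
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($svc in 'IKEEXT', 'PrintNotify') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $key)) { continue }
        $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
        if ($null -eq $params -or -not $params.ServiceDll) {
            Add-Finding 'Service' $svc 'No ServiceDll value; inspect ImagePath manually'
            continue
        }
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        if (-not $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            Add-Finding 'Service' $svc "ServiceDll outside System32: $dll"
        }
        if (Test-Path $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') {
                Add-Finding 'Service' $svc "ServiceDll signature status $($sig.Status): $dll"
            }
        } else {
            # A missing ServiceDll is itself worth a look: a planted file at that path would load.
            Add-Finding 'Service' $svc "ServiceDll path does not exist: $dll"
        }
    }

    # 2. WinRM: record every enabled listener (transport and bound address).
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($winrm -and $winrm.Status -eq 'Running') {
        try {
            Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction Stop | ForEach-Object {
                $props     = Get-ChildItem -Path $_.PSPath
                $transport = ($props | Where-Object Name -eq 'Transport').Value
                $address   = ($props | Where-Object Name -eq 'Address').Value
                Add-Finding 'WinRM' $_.Name "Listener enabled: transport=$transport address=$address"
            }
        } catch {
            Add-Finding 'WinRM' 'service' "Running, but listener enumeration failed: $($_.Exception.Message)"
        }
    }

    # 3. Scheduled tasks registered recently outside the \Microsoft\ tree, with their actions.
    $cutoff = (Get-Date).AddDays(-$taskWindowDays)
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.Date } |
        ForEach-Object {
            $task = $_
            $created = [datetime]::MinValue
            if ([datetime]::TryParse($task.Date, [ref]$created) -and $created -gt $cutoff) {
                $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
                Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) "Created $created by '$($task.Author)': $actions"
            }
        }

    # 4. CLFS .blf containers in user and data directories. Registry transaction
    #    logs (e.g. NTUSER.DAT{...}.TM.blf) legitimately sit beside .regtrans-ms
    #    files; that is flagged so the analyst can set them aside.
    $roots = @($env:ProgramData, $env:PUBLIC, (Split-Path $env:USERPROFILE -Parent), $env:TEMP) |
        Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Force -File -Filter '*.blf' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $siblings    = Get-ChildItem -Path $_.DirectoryName -Filter ($_.BaseName + '*') -ErrorAction SilentlyContinue
                $hasRegTrans = [bool]($siblings | Where-Object Extension -eq '.regtrans-ms')
                Add-Finding 'CLFS' $_.FullName "size=$($_.Length) modified=$($_.LastWriteTime) registry-txr-siblings=$hasRegTrans"
            }
    }
    return $findings
}

Invoke-PersistenceAudit | Sort-Object Area | Format-Table -AutoSize -Wrap
```

The script deliberately produces a review list rather than alerts: a .blf file in a profile directory or a non-Microsoft task is usually benign, and the value is in comparing the output against a known-good baseline from the same image. Pipe the function's output to `Export-Csv` to keep that baseline.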

After Stashlog has run, the APT uses various other tools, including Sparklog, Privatelog, and Deploylog. These malware variants extract data from the CLFS log file, escalate privileges, establish further persistence, and deploy the Winnkit rootkit, which acts as a kernel-mode proxy to intercept TCP/IP requests.

As the investigation into the Winnti campaign continues, the cybersecurity firm has only been able to share partial indicators of compromise (IoCs).

“Perhaps one of the most interesting things to note is the complex and multi-stage infection chain that Winnti used,” the researchers say. “The malware authors chose to divide the infection chain into several interconnected phases, with each phase dependent on the previous one in order to execute correctly.

This illustrates the thought and effort that has gone into operational security and malware considerations, making them nearly impossible to analyze unless all the pieces of the puzzle are put together in the correct order.”

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025499, or over at Keybase: charlie0