Operation CuckooBees

An elusive and sophisticated cyberespionage campaign
orchestrated by the China-backed Winnti group has managed to fly
under the radar since at least 2019.

Dubbed “Operation CuckooBees” by Israeli cybersecurity
company Cybereason, the massive intellectual property theft
operation enabled the threat actor to exfiltrate hundreds of
gigabytes of information.

Targets included technology and manufacturing companies
primarily located in East Asia, Western Europe, and North
America.

“The attackers targeted intellectual property developed by the
victims, including sensitive documents, blueprints, diagrams,
formulas, and manufacturing-related proprietary data,” the
researchers said[1].

“In addition, the attackers collected information that could be
used for future cyberattacks, such as details about the target
company’s business units, network architecture, user accounts and
credentials, employee emails, and customer data.”

Winnti, also tracked by other cybersecurity vendors under the
names APT41, Axiom, Barium, and Bronze Atlas, is known to be active
since at least 2007.

“The group’s intent is towards theft of intellectual property
from organizations in developed economies, and with moderate
confidence that this is on behalf of China to support decision
making in a range of Chinese economic sectors,” Secureworks
notes[2]
in a threat profile of the actor.

The multi-phased infection chain documented by Cybereason
involves the exploitation of internet-facing servers to deploy a
web shell with the goal of conducting reconnaissance, lateral
movement, and data exfiltration activities.

It’s both complex and intricate, following a “house of cards”
approach in that each component of the killchain depends on other
modules in order to function, rendering analysis exceedingly
difficult.


“This demonstrates the thought and effort that was put into both
the malware and operational security considerations, making it
almost impossible to analyze unless all pieces of the puzzle are
assembled in the correct order,” the researchers explained.

The data harvesting is facilitated by means of a modular loader
called Spyder, which is used to decrypt and load additional
payloads. Four further payloads (STASHLOG, SPARKLOG, PRIVATELOG,
and DEPLOYLOG) are deployed in sequence to drop WINNKIT, a
kernel-level rootkit.

Crucial to the stealthiness of the campaign is the use of
“rarely seen” techniques such as the abuse of the Windows Common
Log File System (CLFS[3]) to stash payloads, enabling the hacking
group to conceal them and evade detection by traditional security
products.


Interestingly, parts of the attack sequence were previously
detailed by Mandiant in September 2021, while pointing out the
misuse of CLFS to hide second-stage payloads in an attempt to
circumvent detection.

The cybersecurity firm attributed the malware to an unknown
actor, but cautioned that it could have been deployed as part of a
highly targeted activity.

“Because the file format is not widely used or documented, there
are no available tools that can parse CLFS log files,” Mandiant
said[4]
at the time. “This provides attackers with an opportunity to hide
their data as log records in a convenient way, because these are
accessible through API functions.”

WINNKIT, for its part, has a compilation timestamp of May 2019
and an almost-zero detection rate[5]
in VirusTotal, highlighting the evasive nature of the malware that
enabled the authors to stay undiscovered for years.

The ultimate goal of the intrusions, the researchers assessed,
is to siphon proprietary information, research documents, source
code, and blueprints for various technologies.

“Winnti is one of the most industrious groups operating on
behalf of Chinese state-aligned interests,” Cybereason said. “The
threat [actor] employed an elaborate, multi-stage infection chain
that was critical to enabling the group to remain undetected for so
long.”

References

  1. said (www.cybereason.com)
  2. notes (www.secureworks.com)
  3. CLFS (docs.microsoft.com)
  4. said (thehackernews.com)
  5. zero detection rate (www.virustotal.com)
