An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019.
Dubbed “Operation CuckooBees” by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information.
Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.
“The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data,” the researchers said.
“In addition, the Chinese hackers’ attacks collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.”
Winnti, also tracked by other cybersecurity vendors under the names APT41, Axiom, Barium, and Bronze Atlas is known to be active since at least 2007.
“The group’s intent is towards theft of intellectual property from organizations in developed economies, and with moderate confidence that this is on behalf of China to support decision making in a range of Chinese economic sectors,” Secureworks notes in a threat profile of the actor.
The multi-phased infection chain documented by Cybereason involves the exploitation of internet-facing servers to deploy a web shell with the goal of conducting reconnaissance, lateral movement, and data exfiltration activities.
It’s both complex and intricate, following a “house of cards” approach in that each component of the kill chain depends on other modules in order to function, rendering analysis exceedingly difficult.
“This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order,” the researchers explained.
The data harvesting is facilitated by means of a modular loader called Spyder, which is used to decrypt and load additional payloads. Also used are four different payloads — STASHLOG, SPARKLOG, PRIVATELOG, and DEPLOYLOG — that are sequentially deployed to drop the WINNKIT, a kernel-level rootkit.
Crucial to the stealthiness of the campaign is the use of “rarely seen” techniques such as the abuse of the Windows Common Log File System (CLFS) mechanism to stash the payloads, enabling the hacking group to conceal their payloads and evade detection by traditional security products.
Read more: https://bit.ly/3w98Y2S
You can also read this: Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware