The China-linked threat actor known as Winnti has been linked to a recent campaign named RevivalStone that targeted Asian businesses in the manufacturing, materials, and energy industries in March 2024.
The activity, documented by Chinese security firm LAC, overlaps with a threat cluster tracked by Trend Micro as , which has been assessed to be a subgroup within the APT41 cyber espionage group, by Cybereason under the name , and by Symantec as Blackfly.
has been described as a highly skilled and methodical group capable of running espionage operations as well as poisoning the software supply chain. Its campaigns are typically executed with stealth in mind, employing a variety of tactics to accomplish their objectives with a unique toolset that evades the security software installed in the environment and establishes covert channels for continual remote access.
“The party’s spy activities, many of which are aligned with the government’s tactical objectives, have targeted a wide range of public and private sector areas around the world,” LAC said.
“The problems of this threat group are characterized by the use of Winnti malware, which has a unique rootkit that allows for the lying and manipulation of connections, as well as the use of stolen, genuine digital certificates in the trojan,” according to the report.
Winnti has been active since at least 2012, and as of 2022 has focused primarily on manufacturing and materials-related organizations in Asia. Recent campaigns targeting the Asia-Pacific (APAC) region have exploited weaknesses in public-facing applications like IBM Lotus Domino to deploy the following malware:
- DEATHLOTUS – A passive CGI backdoor that allows file creation and command execution.
- UNAPIMON – A defense evasion utility written in C++.
- PRIVATELOG – A loader that’s used to drop Winnti RAT (aka ), which, in turn, delivers a kernel-level rootkit named WINNKIT by means of a rootkit installer.
- CUNNINGPIGEON – A backdoor that uses the Microsoft Graph API to fetch commands (custom proxy, file, and process management) from mail messages.
- WINDJAMMER – A rootkit that can intercept the TCP/IP network interface and establish covert channels between compromised devices.
- SHADOWGAZE – A passive backdoor that reuses the listening port of an IIS web server.
The attack has been found to exploit an SQL injection vulnerability in an unspecified enterprise resource planning (ERP) system to drop web shells like China Chopper and Behinder (also known as Bingxia and IceScorpion) on the compromised server, which were then used to carry out reconnaissance, harvest credentials for lateral movement, and deliver an improved version of the Winnti malware.
According to reports, the intrusion’s scope was further extended to a managed service provider (MSP) by leveraging a shared account, which was then used to spread the malware to three other businesses.
In the RevivalStone campaign, LAC said it found references to TreadStone and StoneV5, both of which are controllers made for the Winnti malware and were also seen in the I-Soon (aka Anxun) leak in connection with a Linux malware control panel.
Researchers Takuma Matsumoto and Yoshihiro Ishikawa said, “If TreadStone has the same meaning as the Winnti malware, it is only speculation, but StoneV5 could also mean Version 5, and it’s possible that the malware used in this attack is Winnti v5.0.”
Because the new Winnti malware has features such as obfuscation, updated encryption algorithms, and evasion of security products, it is likely that this attacker group will continue to update the malware’s functions and use it in attacks.
The disclosure comes as Fortinet FortiGuard Labs revealed a Linux-based attack suite known as SSHDInjector that has been used to infect network appliances with malware for persistent access and covert actions since November 2024.
The malware suite, associated with another Chinese nation-state hacking group known as (aka Bronze Highland and Evasive Panda), is engineered for data exfiltration, listening for incoming instructions from a remote server to enumerate running processes and services, perform file operations, launch a terminal, and execute terminal commands.