An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019.
Dubbed “Operation CuckooBees” by Israeli cybersecurity firm Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of data.
Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.
“The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data,” the researchers said.
“In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.”
Winnti, also tracked by other cybersecurity vendors under the names APT41, Axiom, Barium, and Bronze Atlas, is known to have been active since at least 2007.
“The group’s intent is towards theft of intellectual property from organizations in developed economies, and with moderate confidence that this is on behalf of China to support decision making in a range of Chinese economic sectors,” Secureworks notes in a threat profile of the actor.
The multi-phased infection chain documented by Cybereason involves the exploitation of internet-facing servers to deploy a web shell, which is then used for reconnaissance, lateral movement, and data exfiltration.
It is both sophisticated and intricate, following a “house of cards” approach in which each component of the kill chain depends on other modules in order to function, making analysis exceedingly difficult.
“This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order,” the researchers explained.
The data harvesting is facilitated by a modular loader called Spyder, which is used to decrypt and load additional payloads. Also used are four different payloads, STASHLOG, SPARKLOG, PRIVATELOG, and DEPLOYLOG, which are deployed in sequence to drop WINNKIT, a kernel-level rootkit.
Crucial to the stealthiness of the campaign is the use of “rarely seen” techniques such as the abuse of the Windows Common Log File System (CLFS) to stash the payloads, enabling the group to conceal them and evade detection by traditional security products.
Interestingly, parts of the attack sequence were previously detailed by Mandiant in September 2021, which pointed out the misuse of CLFS to hide second-stage payloads in an attempt to evade detection.
The cybersecurity firm attributed the malware to an unknown actor at the time, but cautioned that it may have been deployed as part of highly targeted activity.
“Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files,” Mandiant said at the time. “This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions.”
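Because CLFS is rarely used by anything other than Windows itself (the registry transaction logs, `<hive>.TM.blf` and their `.regtrans-ms` containers, are the common legitimate case), a defender who cannot parse the format can still triage CLFS artifacts by where they sit, what they are named, and whether their content looks encrypted. The following is an added hunting example, not code from the Cybereason or Mandiant reports; the expected directories, name patterns and entropy threshold are assumptions, and the sample files are constructed in memory so the script runs offline.

```python
"""Triage heuristic for payloads stashed in CLFS base log files.

Added example: hunting logic, not code from the Cybereason or Mandiant reports.
Assumptions are marked in comments. The sample "files" are constructed in memory
so the script runs anywhere; on a live Windows host you would feed it real
paths and bytes (e.g. from os.walk over a volume).
"""
import math
import random
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: these are the locations where Windows itself keeps CLFS logs
# (Kernel Transaction Manager / registry transaction logs). A .blf anywhere
# else is worth a second look.
EXPECTED_CLFS_DIRS = (
    "c:\\windows\\system32\\config\\txr\\",
    "c:\\users\\",
)
# Registry transaction logs name their CLFS base log "<hive>.TM.blf" and their
# containers "<hive>.TMContainer...regtrans-ms"; other names are unexpected.
BENIGN_NAME_SUFFIXES = (".tm.blf", ".regtrans-ms")
# Assumed thresholds: encrypted or compressed data approaches 8 bits/byte,
# whereas the record metadata in a normal CLFS file is highly structured.
ENTROPY_THRESHOLD = 7.2
MIN_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    path: str
    entropy: float
    reasons: List[str] = field(default_factory=list)


def triage_clfs_file(path: str, data: bytes) -> Optional[Finding]:
    """Return a Finding if this CLFS file looks like a stash, else None."""
    lower = path.lower()
    if not lower.endswith((".blf", ".regtrans-ms")):
        return None  # not a CLFS artifact we recognise by name
    reasons = []
    if not lower.startswith(EXPECTED_CLFS_DIRS):
        reasons.append("CLFS file outside the expected KTM/TxR locations")
    if not lower.endswith(BENIGN_NAME_SUFFIXES):
        reasons.append("name does not match the registry transaction log pattern")
    entropy = shannon_entropy(data)
    if len(data) >= MIN_SIZE and entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy content ({entropy:.2f} bits/byte)")
    # Require two independent signals to keep noise down.
    if len(reasons) >= 2:
        return Finding(path, entropy, reasons)
    return None


def triage_many(files: Dict[str, bytes]) -> List[Finding]:
    """Run the heuristic over a path -> content mapping."""
    return [f for f in (triage_clfs_file(p, d) for p, d in files.items()) if f]


def sample_files() -> Dict[str, bytes]:
    """Constructed inputs: one benign registry log, one suspicious stash."""
    rng = random.Random(1337)  # deterministic stand-in for an encrypted blob
    return {
        # Legitimate: the registry transaction log of a user profile.
        r"C:\Users\alice\NTUSER.DAT{0a1b2c3d}.TM.blf": b"\x00" * 8192,
        # Suspicious: a CLFS log in ProgramData full of high-entropy bytes.
        r"C:\ProgramData\Cache\logs\svc.blf":
            bytes(rng.randrange(256) for _ in range(8192)),
        # Unrelated file, ignored.
        r"C:\Windows\Temp\notes.txt": b"plain text",
    }


if __name__ == "__main__":
    for finding in triage_many(sample_files()):
        print(finding.path)
        for reason in finding.reasons:
            print("  -", reason)
```

The two-signal rule matters: a `.blf` in a user profile with a non-standard name, or a well-named one that happens to hold compressed data, will each trip one check, and a single check is too noisy to page anyone on. Containers can carry arbitrary names, so this only catches stashes that keep the `.blf`/`.regtrans-ms` extension; pairing it with a process-level view of which executables call the CLFS API is the natural next step.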
WINNKIT, for its part, has a compilation timestamp of May 2019 and an almost zero detection rate on VirusTotal, highlighting the evasive nature of the malware that enabled its authors to stay undiscovered for years.
The ultimate goal of the intrusions, the researchers assessed, is to siphon proprietary information, research documents, source code, and blueprints for various technologies.
“Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests,” Cybereason said. “The threat [actor] employed an elaborate, multi-stage infection chain that was critical to enabling the group to remain undetected for so long.”