Chinese APT group Winnti stole trade secrets in years-long undetected campaign

Security researchers have uncovered a cyberespionage campaign that has remained largely undetected since 2019 and focused on stealing trade secrets and other intellectual property from technology and manufacturing companies across the world. The campaign uses previously undocumented malware and is attributed to a Chinese state-sponsored APT group known as Winnti.

“With years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information,” researchers from security firm Cybereason said in a new report. “The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.”

Cybereason, who shared its findings with the U.S. Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), dubbed the cyberespionage campaign Operation CuckooBees and identified victims in Asia, Europe and North America.

Who is Winnti?

Winnti, also tracked in the security industry as APT41, Axiom, Barium, Wicked Panda and other names, is one of the longest-running Chinese cyberespionage groups with its malicious activities going as far back as 2007. The group uses a large malware toolset which includes a backdoor program called Winnti and has used a variety of attack vectors in its campaigns over the years, including software supply-chain attacks via software from NetSarang, CCleaner and ASUS.

Winnti’s targeting often matches China’s geopolitical interests and there is evidence the group acted as contractor for Chinese government agencies that engage in cyberespionage, such as China’s Ministry of State Security (MSS) and the People’s Liberation Army (PLA). In September 2020, the U.S. DOJ indicted three Chinese and two Malaysian nationals in connection with APT41 attacks. Three of them were involved in the management of a company called Chengdu 404 Network Technology that was allegedly serving as a front company for the group’s activities. Another Chinese hacker named Tan Dailin, linked to APT41, was indicted in 2019 and is on the FBI’s wanted list.

ERP intrusion investigation revealed Operation CuckooBees

Cybereason uncovered the Operation CuckooBees campaign in 2021 while investigating network intrusions at multiple companies around the world. Those intrusions began with hackers exploiting remote code execution vulnerabilities in a popular enterprise resource planning (ERP) platform and deploying JSP Web shells (backdoors) on the ERP web application server. Some of the vulnerabilities exploited were known at the time of the attacks, but some or not, meaning the attackers used zero-day exploits.

After establishing this initial foothold, the attackers shifted their focus to establishing persistence, performing network reconnaissance, and dumping credentials that allowed them to move laterally to other Windows systems in the network.

After deploying Web shells to enable command execution on the ERP servers, the attackers also changed their configuration to enable WinRM, a Windows native remote management protocol that allows remote shell access. This was done to ensure that access to the servers is maintained even if the web shells were discovered and removed.

The attackers used several techniques and tools to dump locally stored credentials from the registry and crack the password hashes. These credentials enabled lateral movement to other computers and the execution of malicious batch scripts through scheduled tasks.

How Operation CuckoBees works: A multi-staged infection chain

The batch scripts had the purpose of initiating a sophisticated and malware infection chain that used multiple techniques to achieve persistence. The first stage payload in this chain that was deployed by the batch scripts consists of Spyder Loader, a known malware loader whose goal is to decrypt and execute additional malware payloads in a stealthy way.

The loader itself came in the form of a modified SQLite3 DLL file that was executed through the native rundll32.exe and in turn loaded additional malicious payloads dropped as TLB files in the Windows system32 directory.

“After deploying the initial payload, Winnti employs a sophisticated and unique multi-staged infection chain with numerous payloads,” the Cybereason researchers said in their malware analysis. “Each payload fulfills a unique role in the infection chain, which is successful only upon the complete deployment of all of the payloads.”

The next malicious payload is a program that researchers dubbed STASHLOG that’s used to hide additional payloads in a Common Log File System (CLFS) log file. CLFS is a proprietary file system format used by Windows since Windows Server 2003 R2 to log certain errors or and store Transactional NTFS (TxF) and Transactional Registry (TxR) operations with the purpose of allowing roll backs. This capability is used by features such as Windows Update and System Restore.

“CLFS employs a proprietary file format that isn’t documented, and can only be accessed through the CLFS API functions,” the researchers said. “As of writing this report, there is no tool which can parse the flushed logs. This is a huge benefit for attackers, as it makes it more difficult to examine and detect them while using the CLFS mechanism.”

While STASHLOG is used to stash payloads inside CLFS as encrypted data, another deployed malicious program dubbed SPARKLOG is responsible for extracting and executing it. In fact, SPARKLOG’s purpose is to gain privilege escalation by using DLL hijacking or side-loading techniques to trick legitimate Windows services that run with SYSTEM privileges to execute a malicious DLL extracted from the CLFS log. This malicious DLL is dubbed PRIVATELOG and is deployed in two different ways depending on the Windows version. On Windows Vista to Windows 7, SPARKLOG changes the configuration of the IKEEXT service to execute PRIVATELOG as wlbsctrl.dll. From Windows Server 2012 to Windows 10, SPARKLOG modifies the configuration of the Windows PrintNotify service to execute PRIVATELOG as prntvpt.dll.

Now running with SYSTEM privileges — the highest possible on a Windows machine — PRIVATELOG extracts another payload hidden by STASHLOG in the CLFS log data. This component, dubbed DEPLOYLOG, is written to disk by overwriting a legitimate file called dbghelp.dll using Windows Transactional NTFS (TxF). TxF is a feature introduced in Windows Vista that allows developers to create, edit and delete files in a way that allows those changes to be rolled back.

“Using Transactional NTFS, the attackers can perform file operations using unconventional methods that can be hard to detect for some security products,” the Cybereason researchers say.

DEPLOYLOG is a loader whose main purpose is to decrypt the final payload from CLFS log data and hijack the AMD K8 processor kernel driver service to execute it as a system driver. This final payload is WINNKIT, a kernel-level rootkit that installs itself as a network driver that intercepts TCP/IP requests by talking directly to the system’s network card.

After deploying WINNKIT, DEPLOYLOG reverts the configuration of the AMD K8 processor kernel driver service to its original state to cover its tracks then begins communicating with the attackers’ command-and-control server. Essentially, DEPLOYLOG becomes a user-mode communication component that bridges the WINNKIT rootkit to the C2 server.

WINNKIT is signed with an expired and likely stolen digital certificate belonging to hardware manufacturer BenQ. This is used to bypass the driver signature enforcement (DSE), which is enabled by default on Windows and prevents loading drivers that are not digitally signed by a trusted party. The problem is DSE does not perform online checks for expired or revoked certificates so drivers signed with the stolen certificate will continue to work until blacklisted via a Windows update.

WINNKIT hooks TCP/IP network communication via the network card which allows it to receive commands sent by the DEPLOYLOG user-mode agent. These commands trigger the execution of additional modules that are injected by the rootkit into the svchost.exe process. These modules allow the execution of a CMD shell with administrator privileges, list files, list services, kill processes, open a SOCKS5 communication proxy or enabling Remote Desktop Protocol (RDP).

The WINNKIT compilation date is 2019 suggesting the rootkit has been used for the past 3 years. The sophisticated infection chain and use of various advanced techniques likely allowed the attack campaign to fly under the radar.

“The malware authors chose to break the infection chain into multiple interdependent phases, where each phase relies on the previous one in order to execute correctly,” the researchers said. “This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order. Furthermore, the rare abuse of the Windows’ own CLFS logging system and NTFS manipulations provided the attackers with extra stealth and the ability to remain undetected for years.”