Chinese hackers have been running riot on unsecured Windows devices
State-sponsored actors stealing proprietary data, experts warn
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Researchers from Cybereason have uncovered a new espionage campaign that’s been active for at least three years and includes newmalwarestrains, rarely-seen abuse of certain Windows features, and a “complex infection chain”.
According to the company’s report, a Chinese state-sponsored actor known as Winnti (aka APT 41, BARIUM, or Blackfly) has been targeting numerous technology and manufacturing companies in North America, Europe, and Asia since, at least, 2019.
The goal was to identify and exfiltrate sensitive data, such as intellectual property developed by the victims, sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data. The researchers believe the attackers stole hundreds of gigabytes of valuableintel.
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at theend of this surveyto get the bookazine, worth $10.99/£10.99.
Rarely seen abuse
This data also helped the attackers map out their victims’ networks, organizational structure, as well asendpoints, giving them a head start, should they decide to escalate things further (for example, with ransomware).
In its campaign, Winnti advanced persistent threat actor deployed new versions of already known malware (Spyder Loader, PRIVATELOG, and WINNKIT), but it also deployed previously unknown malware - DEPLOYLOG.
To deploy the malware, the group opted for a “rarely seen” abuse of the Windows CLFS Feature, the researchers said. Apparently, the group leveraged the Windows CLFS (Common Log File System) mechanism and NTFS transaction manipulations, allowing it to hide the payloads and evade being detected by security products.
Indian power grid reportedly hit by Chinese cyberattacks>Google says Chinese hackers are targeting US government Gmail accounts>China says Walmart has some serious security flaws
The payload delivery itself was described as “intricate and interdependent”, resembling a house of cards. As a result, it was very difficult for researchers to analyze each component separately.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Still, they managed to piece the puzzle together, and are claiming the Winnti malware arsenal includes Spyder (a sophisticated modular backdoor), STASHLOG (the initial deployment tool that “stashes” payloads in Windows CLFS), SPARKLOG (extracts and deploys PRIVATELOG to escalate privileges and achieve persistence on the target endpoint), PRIVATELOG (extracts and deploys DEPLOYLOG), and DEPLOYLOG (deploys the WINNKIT rootkit). Finally, there’s WINNKIT, the Winnti kernel-level rootkit.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
Washington state court systems taken offline following cyberattack
The Apple Watch is helping Afib patients ditch blood thinners in a ground-breaking trial
