Researchers from Cybereason have uncovered a new espionage campaign that’s been active for at least three years and includes new malware strains, rarely-seen abuse of certain Windows features, and a “complex infection chain”.

According to the company’s report, a Chinese state-sponsored actor known as Winnti (aka APT 41, BARIUM, or Blackfly) has been targeting numerous technology and manufacturing companies in North America, Europe, and Asia since, at least, 2019.

The goal was to identify and exfiltrate sensitive data, such as intellectual property developed by the victims, sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data. The researchers believe the attackers stole hundreds of gigabytes of valuable intel.

Rarely seen abuse

This data also helped the attackers map out their victims’ networks, organizational structure, as well as endpoints, giving them a head start, should they decide to escalate things further (for example, with ransomware).

In its campaign, Winnti advanced persistent threat actor deployed new versions of already known malware (Spyder Loader, PRIVATELOG, and WINNKIT), but it also deployed previously unknown malware – DEPLOYLOG.

To deploy the malware, the group opted for a “rarely seen” abuse of the Windows CLFS Feature, the researchers said. Apparently, the group leveraged the Windows CLFS (Common Log File System) mechanism and NTFS transaction manipulations, allowing it to hide the payloads and evade being detected by security products.

The payload delivery itself was described as “intricate and interdependent”, resembling a house of cards. As a result, it was very difficult for researchers to analyze each component separately. 

Still, they managed to piece the puzzle together, and are claiming the Winnti malware arsenal includes Spyder (a sophisticated modular backdoor), STASHLOG (the initial deployment tool that “stashes” payloads in Windows CLFS), SPARKLOG (extracts and deploys PRIVATELOG to escalate privileges and achieve persistence on the target endpoint), PRIVATELOG (extracts and deploys DEPLOYLOG), and DEPLOYLOG (deploys the WINNKIT rootkit). Finally, there’s WINNKIT, the Winnti kernel-level rootkit.

Defend your premises from Chinese spies with the best firewalls around

Reshared from

Source: Read More