Tuesday, November 12, 2024
HomeCyber AttackChinese Winnti Group Intensifies Financially Motivated Attacks

Chinese Winnti Group Intensifies Financially Motivated Attacks

Published on

Malware protection

Hackers are increasingly executing financially motivated attacks and all due to the lucrative potential of monetizing the stolen data, ransoms, and fraudulent activities.

The digital revolution of businesses has invented more openings to exploit financial transactions and access sensitive financial information.

AttackIQ recently unveiled that the Chinese Winnti group intensifies financially motivated attacks.

- Advertisement - SIEM as a Service

Winnti is an established cyber-espionage and financial-gain group linked to the Chinese government since 2010.

Their healthcare targeting activities were ramped up during COVID-19, with medical research as their main objective.

They are known for supply chain attacks and use ShadowPad which is their signature backdoor, as well as PlugX RAT.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Winnti’s Operation CuckooBees (2022-05) proceeds in multiple stages. 

Operation CuckooBees stages (Source – AttackIQ)

Here below we have mentioned those stages:- 

  • Malware execution and local discovery post-Webshell deployment, using VBScript for system reconnaissance. 
  • Local credential dumping via registry hive extraction and Mimikatz. 
  • Extensive local and network reconnaissance, gathering detailed system and network information. 
  • Deployment of Winnti malware arsenal, including SpiderLoader and Stashlog. 
  • Additional tooling rollout, involving GUID retrieval, Privatelog deployment via DLL side-loading, lateral movement through RDP, and data exfiltration via HTTP. 

Winnti’s Operation Harvest (2021-09)

Operation Harvest stages (Source – AttackIQ)

Here below we have mentioned them:-

  • PlugX Delivery via RAR file, using DLL side-loading and code injection for execution and persistence. 
  • Local Credential Dumping using Mimikatz. 
  • Winnti Backdoor Deployment, employing RunDLL32 and creating a new service for persistence. 
  • Data Staging, involving extensive system and network discovery. 
  • Data Exfiltration, staging collected data, and exfiltrating via encrypted C2 channel. 

Winnti’s 2022-08 Campaign

Campaign Targeting Government Entities stages (Source – AttackIQ)

This campaign contains multiple stages, and here below we have mentioned them:- 

  • Malware delivery is via DBoxAgent’s ISO file, and files are dropped and executed through DLL side-loading. 
  • Local System Discovery, gathering network and system information for HTTPS exfiltration. 
  • SerialVlogger and KeyPlug Deployment, utilizing DLL side-loading for SerialVlogger execution, conducting system discovery, and deploying KeyPlug malware through code injection.

Each stage employs specific MITRE ATT&CK techniques for system infiltration, reconnaissance, and malware deployment.

Mitigations

There are four critical techniques used by Winnti that need to be focused on:-

  • Scheduled Task abuse, detectable via EDR/SIEM monitoring of specific command lines. Mitigate through auditing and account management. 
  • DLL Side-Loading, identifiable by monitoring uncommon process actions and DLL/PE file events. Mitigate via software updates and developer guidance. 
  • Windows Service manipulation, detectable through specific command line monitoring. Mitigate with endpoint behavior prevention and user account management. 
  • System Binary Proxy Execution (Rundll32/Regsvr32), identifiable by unusual execution patterns. Mitigate using exploit protection. 

Continuous testing with these attack graphs helps improve the security control posture against this Chinese government-linked threat actor.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...