Saturday, July 20, 2024

Chinese Winnti Group Intensifies Financially Motivated Attacks

Hackers are increasingly executing financially motivated attacks and all due to the lucrative potential of monetizing the stolen data, ransoms, and fraudulent activities.

The digital revolution of businesses has invented more openings to exploit financial transactions and access sensitive financial information.

AttackIQ recently unveiled that the Chinese Winnti group intensifies financially motivated attacks.

Winnti is an established cyber-espionage and financial-gain group linked to the Chinese government since 2010.

Their healthcare targeting activities were ramped up during COVID-19, with medical research as their main objective.

They are known for supply chain attacks and use ShadowPad which is their signature backdoor, as well as PlugX RAT.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Winnti’s Operation CuckooBees (2022-05) proceeds in multiple stages. 

Operation CuckooBees stages (Source – AttackIQ)

Here below we have mentioned those stages:- 

  • Malware execution and local discovery post-Webshell deployment, using VBScript for system reconnaissance. 
  • Local credential dumping via registry hive extraction and Mimikatz. 
  • Extensive local and network reconnaissance, gathering detailed system and network information. 
  • Deployment of Winnti malware arsenal, including SpiderLoader and Stashlog. 
  • Additional tooling rollout, involving GUID retrieval, Privatelog deployment via DLL side-loading, lateral movement through RDP, and data exfiltration via HTTP. 

Winnti’s Operation Harvest (2021-09)

Operation Harvest stages (Source – AttackIQ)

Here below we have mentioned them:-

  • PlugX Delivery via RAR file, using DLL side-loading and code injection for execution and persistence. 
  • Local Credential Dumping using Mimikatz. 
  • Winnti Backdoor Deployment, employing RunDLL32 and creating a new service for persistence. 
  • Data Staging, involving extensive system and network discovery. 
  • Data Exfiltration, staging collected data, and exfiltrating via encrypted C2 channel. 

Winnti’s 2022-08 Campaign

Campaign Targeting Government Entities stages (Source – AttackIQ)

This campaign contains multiple stages, and here below we have mentioned them:- 

  • Malware delivery is via DBoxAgent’s ISO file, and files are dropped and executed through DLL side-loading. 
  • Local System Discovery, gathering network and system information for HTTPS exfiltration. 
  • SerialVlogger and KeyPlug Deployment, utilizing DLL side-loading for SerialVlogger execution, conducting system discovery, and deploying KeyPlug malware through code injection.

Each stage employs specific MITRE ATT&CK techniques for system infiltration, reconnaissance, and malware deployment.


There are four critical techniques used by Winnti that need to be focused on:-

  • Scheduled Task abuse, detectable via EDR/SIEM monitoring of specific command lines. Mitigate through auditing and account management. 
  • DLL Side-Loading, identifiable by monitoring uncommon process actions and DLL/PE file events. Mitigate via software updates and developer guidance. 
  • Windows Service manipulation, detectable through specific command line monitoring. Mitigate with endpoint behavior prevention and user account management. 
  • System Binary Proxy Execution (Rundll32/Regsvr32), identifiable by unusual execution patterns. Mitigate using exploit protection. 

Continuous testing with these attack graphs helps improve the security control posture against this Chinese government-linked threat actor.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles