Thursday, December 5, 2024
HomeCyber AttackChinese Winnti Group Intensifies Financially Motivated Attacks

Chinese Winnti Group Intensifies Financially Motivated Attacks

Published on

SIEM as a Service

Hackers are increasingly executing financially motivated attacks and all due to the lucrative potential of monetizing the stolen data, ransoms, and fraudulent activities.

The digital revolution of businesses has invented more openings to exploit financial transactions and access sensitive financial information.

AttackIQ recently unveiled that the Chinese Winnti group intensifies financially motivated attacks.

- Advertisement - SIEM as a Service

Winnti is an established cyber-espionage and financial-gain group linked to the Chinese government since 2010.

Their healthcare targeting activities were ramped up during COVID-19, with medical research as their main objective.

They are known for supply chain attacks and use ShadowPad which is their signature backdoor, as well as PlugX RAT.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Winnti’s Operation CuckooBees (2022-05) proceeds in multiple stages. 

Operation CuckooBees stages (Source – AttackIQ)

Here below we have mentioned those stages:- 

  • Malware execution and local discovery post-Webshell deployment, using VBScript for system reconnaissance. 
  • Local credential dumping via registry hive extraction and Mimikatz. 
  • Extensive local and network reconnaissance, gathering detailed system and network information. 
  • Deployment of Winnti malware arsenal, including SpiderLoader and Stashlog. 
  • Additional tooling rollout, involving GUID retrieval, Privatelog deployment via DLL side-loading, lateral movement through RDP, and data exfiltration via HTTP. 

Winnti’s Operation Harvest (2021-09)

Operation Harvest stages (Source – AttackIQ)

Here below we have mentioned them:-

  • PlugX Delivery via RAR file, using DLL side-loading and code injection for execution and persistence. 
  • Local Credential Dumping using Mimikatz. 
  • Winnti Backdoor Deployment, employing RunDLL32 and creating a new service for persistence. 
  • Data Staging, involving extensive system and network discovery. 
  • Data Exfiltration, staging collected data, and exfiltrating via encrypted C2 channel. 

Winnti’s 2022-08 Campaign

Campaign Targeting Government Entities stages (Source – AttackIQ)

This campaign contains multiple stages, and here below we have mentioned them:- 

  • Malware delivery is via DBoxAgent’s ISO file, and files are dropped and executed through DLL side-loading. 
  • Local System Discovery, gathering network and system information for HTTPS exfiltration. 
  • SerialVlogger and KeyPlug Deployment, utilizing DLL side-loading for SerialVlogger execution, conducting system discovery, and deploying KeyPlug malware through code injection.

Each stage employs specific MITRE ATT&CK techniques for system infiltration, reconnaissance, and malware deployment.

Mitigations

There are four critical techniques used by Winnti that need to be focused on:-

  • Scheduled Task abuse, detectable via EDR/SIEM monitoring of specific command lines. Mitigate through auditing and account management. 
  • DLL Side-Loading, identifiable by monitoring uncommon process actions and DLL/PE file events. Mitigate via software updates and developer guidance. 
  • Windows Service manipulation, detectable through specific command line monitoring. Mitigate with endpoint behavior prevention and user account management. 
  • System Binary Proxy Execution (Rundll32/Regsvr32), identifiable by unusual execution patterns. Mitigate using exploit protection. 

Continuous testing with these attack graphs helps improve the security control posture against this Chinese government-linked threat actor.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...