Chinese Winnti Group Intensifies Financially Motivated Attacks

Hackers are increasingly executing financially motivated attacks and all due to the lucrative potential of monetizing the stolen data, ransoms, and fraudulent activities.

The digital revolution of businesses has invented more openings to exploit financial transactions and access sensitive financial information.

AttackIQ recently unveiled that the Chinese Winnti group intensifies financially motivated attacks.

Winnti is an established cyber-espionage and financial-gain group linked to the Chinese government since 2010.

Their healthcare targeting activities were ramped up during COVID-19, with medical research as their main objective.

They are known for supply chain attacks and use ShadowPad which is their signature backdoor, as well as PlugX RAT.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Winnti’s Operation CuckooBees (2022-05) proceeds in multiple stages. 

Here below we have mentioned those stages:- 

• Malware execution and local discovery post-Webshell deployment, using VBScript for system reconnaissance.
• Local credential dumping via registry hive extraction and Mimikatz.
• Extensive local and network reconnaissance, gathering detailed system and network information.
• Deployment of Winnti malware arsenal, including SpiderLoader and Stashlog.
• Additional tooling rollout, involving GUID retrieval, Privatelog deployment via DLL side-loading, lateral movement through RDP, and data exfiltration via HTTP.

Winnti’s Operation Harvest (2021-09)

Here below we have mentioned them:-

• PlugX Delivery via RAR file, using DLL side-loading and code injection for execution and persistence.
• Local Credential Dumping using Mimikatz.
• Winnti Backdoor Deployment, employing RunDLL32 and creating a new service for persistence.
• Data Staging, involving extensive system and network discovery.
• Data Exfiltration, staging collected data, and exfiltrating via encrypted C2 channel.

Winnti’s 2022-08 Campaign

This campaign contains multiple stages, and here below we have mentioned them:- 

• Malware delivery is via DBoxAgent’s ISO file, and files are dropped and executed through DLL side-loading.
• Local System Discovery, gathering network and system information for HTTPS exfiltration.
• SerialVlogger and KeyPlug Deployment, utilizing DLL side-loading for SerialVlogger execution, conducting system discovery, and deploying KeyPlug malware through code injection.

Each stage employs specific MITRE ATT&CK techniques for system infiltration, reconnaissance, and malware deployment.

Mitigations

There are four critical techniques used by Winnti that need to be focused on:-

• Scheduled Task abuse, detectable via EDR/SIEM monitoring of specific command lines. Mitigate through auditing and account management.
• DLL Side-Loading, identifiable by monitoring uncommon process actions and DLL/PE file events. Mitigate via software updates and developer guidance.
• Windows Service manipulation, detectable through specific command line monitoring. Mitigate with endpoint behavior prevention and user account management.
• System Binary Proxy Execution (Rundll32/Regsvr32), identifiable by unusual execution patterns. Mitigate using exploit protection.

Continuous testing with these attack graphs helps improve the security control posture against this Chinese government-linked threat actor.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free