Cyber Security News

Winnti Hackers Attacking Japanese Organisations with New Malware

The China-based advanced persistent threat (APT) group tracked as the Winnti Group, widely associated with APT41, has launched a new cyberattack campaign against Japanese organizations in the manufacturing, materials, and energy sectors.

Dubbed “RevivalStone,” the campaign uses a new version of the Winnti malware with expanded capabilities and additional evasion techniques.

Figure: Relationship between APT41 and the Winnti Group

The intrusion was first identified in March 2024 by LAC’s Cyber Emergency Center and has since been analyzed in detail.

The findings were presented at prominent cybersecurity conferences, including Virus Bulletin 2024 and the Threat Analyst Summit 2024.

RevivalStone Campaign

The RevivalStone campaign begins with the exploitation of an SQL injection vulnerability in an internet-facing ERP system.

Through this entry point the attackers plant web shells such as “China Chopper” and “Behinder,” along with the file-upload stager that sqlmap drops (the “sqlmap file uploader”), to establish a foothold on the web server.

From that foothold they carry out reconnaissance, credential harvesting, and lateral movement inside the targeted network.
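The chain described above (SQL injection used to write a file to the web root, followed by requests to the dropped script) leaves a recognisable trail in web-server access logs. The following detector is an added example written for this article; it is not LAC's tooling and the log lines are constructed. Two of its signals rest on public tool characteristics (sqlmap's default `sqlmap/` User-Agent and China Chopper's `@eval(base64_decode($_POST[...]))` body), while the `INTO OUTFILE`/`xp_cmdshell` rule assumes a MySQL or MSSQL backend, which the report does not specify. The column layout (combined log format plus a logged request body) is an assumption as well; most servers do not log bodies unless configured to.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample in combined log format with the POST body appended
# as a final quoted field. None of these lines come from the RevivalStone report.
SAMPLE_LOG = """\
10.20.30.40 - - [03/Mar/2024:09:12:01 +0900] "GET /erp/report.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
10.20.30.40 - - [03/Mar/2024:09:12:05 +0900] "GET /erp/report.php?id=7%27%20AND%201=1--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.8.2#stable (https://sqlmap.org)" "-"
10.20.30.40 - - [03/Mar/2024:09:13:44 +0900] "GET /erp/report.php?id=7%27%20UNION%20SELECT%200x3c3f706870203f3e%20INTO%20OUTFILE%20%27/var/www/html/erp/tmpu.php%27--%20 HTTP/1.1" 500 0 "-" "sqlmap/1.8.2#stable (https://sqlmap.org)" "-"
10.20.30.40 - - [03/Mar/2024:09:14:10 +0900] "POST /erp/tmpu.php HTTP/1.1" 200 214 "-" "Mozilla/5.0" "-"
10.20.30.40 - - [03/Mar/2024:09:15:02 +0900] "POST /erp/cache.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "pass=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQ="
192.0.2.9 - - [03/Mar/2024:09:16:00 +0900] "GET /erp/index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)
# SQL primitives that write a file (MySQL) or run a command (MSSQL); assumed DBMS.
WRITE_RE = re.compile(r"INTO\s+(OUTFILE|DUMPFILE)\s+'([^']+)'|xp_cmdshell", re.I)
# China Chopper style one-liner body: eval of a base64-decoded POST parameter.
SHELL_BODY_RE = re.compile(r"@?eval\s*\(|base64_decode\s*\(", re.I)
SCRIPT_RE = re.compile(r"\.(php|jsp|aspx?)$", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text):
    """Return (line_no, client_ip, path, [reasons]) for every suspicious request."""
    findings = []
    seen_paths = set()   # script paths requested so far, to spot newly dropped files
    dropped = set()      # basenames of files written through SQL injection
    for no, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = unquote_plus(rec["path"])
        path_only = decoded.split("?", 1)[0]
        reasons = []
        if rec["ua"].startswith("sqlmap/"):
            reasons.append("sqlmap-user-agent")
        m = WRITE_RE.search(decoded)
        if m:
            reasons.append("sqli-file-write")
            if m.group(2):                      # remember the target file name
                dropped.add(m.group(2).rsplit("/", 1)[-1])
        if path_only.rsplit("/", 1)[-1] in dropped:
            reasons.append("request-to-sqli-written-file")
        if rec["method"] == "POST" and SCRIPT_RE.search(path_only) and path_only not in seen_paths:
            reasons.append("post-to-unseen-script")
        if rec["method"] == "POST" and SHELL_BODY_RE.search(rec["body"]):
            reasons.append("webshell-body-pattern")
        seen_paths.add(path_only)
        if reasons:
            findings.append((no, rec["ip"], path_only, reasons))
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(*finding)
```

The correlation between the `INTO OUTFILE` target and the first POST to `tmpu.php` is the signal worth alerting on; a single sqlmap User-Agent hit is noisy on its own, and Behinder traffic carries an encrypted body that this body-pattern rule will not catch, so the first-POST-to-unseen-script rule is what remains for that case.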

Once inside, the attackers deploy an updated version of the Winnti malware.

This version ships a rootkit for stealthy persistence and encrypts its command-and-control traffic to avoid detection.

The attackers also abused compromised managed service provider (MSP) accounts to pivot into the interconnected networks of the MSP’s other customers, extending the campaign’s reach across multiple organizations.

Enhanced Malware Capabilities

The new variant of Winnti malware observed in RevivalStone incorporates several advanced features:

  • Encryption Improvements: The malware uses the AES and ChaCha20 ciphers to protect its payloads and communications.
  • Device-Specific Decryption Keys: Host identifiers such as the IP address and MAC address of the target are used to derive the decryption key, so the payload only decrypts on the intended machine and cannot be unpacked in a sandbox without those values.
  • Rootkit Deployment: A kernel-level rootkit intercepts TCP/IP communications, allowing covert data exfiltration.
  • Evasion Techniques: Obfuscated code and DLL hijacking are used to bypass endpoint detection and response (EDR) products.

The Winnti Group has a long history of cyberespionage campaigns aligned with Chinese state interests.

Figure: Winnti malware execution flow

Its operations typically target intellectual property and sensitive data in industries such as gaming, pharmaceuticals, and aerospace, and now the manufacturing, materials, and energy sectors in Japan.

The group’s use of stolen digital certificates and advanced persistence mechanisms underscores its sophistication.

This campaign demonstrates the growing threat posed by state-sponsored cyber actors targeting supply chains and critical infrastructure.

Organizations are urged to patch internet-facing applications such as ERP systems, monitor for the published indicators of compromise (IoCs), and enforce strict access controls, in particular on the shared accounts used by MSPs to reach customer networks.

Against campaigns of this kind, a single control is not enough; layered defenses spanning the web tier, credentials, and endpoint and network monitoring are needed to limit the impact of APT operations like RevivalStone.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
