Cybereason published detailed research into the Winnti group, including what it believes is the first full view of an infection chain utilizing previously unknown malware, used in espionage campaigns.
"Mandiant and ESET both published either reports or tweets (in the case of ESET) about some of these components, but they didn't see the full picture. We're the first, to the best of my knowledge, to really see the entire attack," said Assaf Dahan, senior director and head of threat research at Cybereason.
The company briefed the Federal Bureau of Investigation on its findings earlier this month.
Winnti is a long-running hacking operation engaged in criminal and nation-state activities. As an espionage group, Winnti has long been connected to China, including when seven members of the group were indicted in 2020.
The Cybereason research comes from several investigations of Winnti trying to steal intellectual property from technology and manufacturing firms in East Asia, Western Europe, and North America. The campaign, which Cybereason has dubbed "Operation Cuckoo Bees," dates back at least to 2019.
Cybereason became aware of the campaign in 2021 while investigating a breach at an Asian firm with annual revenue of $5 billion. They found 30 other attacks in total, and estimate the value of the potentially stolen intellectual property in the trillions of dollars.
Winnti entered networks by exploiting vulnerabilities in ERP software. The group would then search for a .DLL used in previous attacks, followed by installing boatloads of web shells ("We found 20 plus on servers," said Dahan).
Through a multi-stage infection chain, Winnti installed an updated version of its Winnkit rootkit, which Cybereason profiled for the first time in its report. A previous version of Winnkit was profiled in 2019. The new one, in use since at least 2019, has been extremely stealthy.
"It's a type of rootkit really designed for stealth. There's one hash that we give them, as an example, we have submitted VirusTotal from almost a year ago up until this very day. I think only one vendor labeled it as malicious — one out of 68," he said.
The infection chain requires multiple components to deploy successfully. At the beginning of the attack, Winnti installs the Spyder backdoor. The Stashlog installer (recently detailed by Mandiant) sets up Windows CLFS for use in storing and unloading payloads. Sparklog (recently detailed by ESET) extracts PrivateLog (also detailed by Mandiant) through CLFS and is then used to execute it. PrivateLog launches DeployLog, which installs Winnkit and later communicates with the command and control servers.
"All those steps are interdependent. In order for Winnkit to be installed, they have to run in a specific order. We call it a house of cards," said Dahan.
Windows CLFS (Common Log File System) is what Dahan describes as a not particularly well-documented feature of Windows. Routing attacks through it is rare, he said.
The exfiltration tactic used by the group involves compressing files, giving Cybereason a sense of what was being stolen and reason to believe this was an espionage campaign rather than a criminal one.
Winnti is a broad label for a threat actor that seems to have many smaller components — Cybereason tracks at least 10 different clusters of activity, and "every researcher will define them differently," said Dahan. There may be other infection chains used by the group.
Indicators of compromise and other detection information are available in Cybereason's report.