Eighty or more organizations around the world, including U.S. software development and hospitality entities, were targeted last year by the Chinese hacking group Winnti, also known as APT41 or Wicked Spider, and 13 of them had their networks successfully breached, BleepingComputer
Numerous websites belonging to universities in Hong Kong, the U.K., and Ireland, as well as to the Indian government and the Thai military, have also been compromised by Winnti as part of its campaigns, which include supply chain attacks, phishing operations, watering hole intrusions, and SQL injections, a report from Group-IB revealed.
Winnti was found to have leveraged both specialized and commodity software, including Cobalt Strike, to identify network vulnerabilities, and the group obfuscated its payloads to facilitate the distribution of Cobalt Strike beacons. Researchers said the payloads were base64-encoded and split into 775-character chunks, an operation performed 154 times before the result was written to a file.
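The chunking described above is a detection opportunity rather than a hard obstacle: fixed-length base64 fragments that only decode once they are concatenated are a recognisable pattern in a dropped script. The following Python is an added example written for this page, not code from the Group-IB report or from any tool it names. It constructs a fake dropper text (base64 of a filler payload split into 775-character pieces, mirroring the chunk size the article cites), then shows a triage routine that finds the fragments, infers the chunk size from the dominant fragment length, reassembles them and decodes the result. The `build_sample_script` helper, the `$buf += "..."` line shape and the filler payload are assumptions made for the demo.

```python
import base64
import binascii
import re
from collections import Counter

# A run of at least 64 base64-alphabet characters, optionally followed by
# padding. findall() returns the runs in order of appearance, which is the
# order in which a dropper would concatenate them.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def build_sample_script(payload: bytes, chunk_len: int = 775) -> str:
    """Constructed sample only: base64-encode `payload`, cut the text into
    chunk_len pieces and emit one append statement per piece. The line shape
    is an assumption for the demo, not a format taken from the article."""
    encoded = base64.b64encode(payload).decode()
    pieces = [encoded[i:i + chunk_len] for i in range(0, len(encoded), chunk_len)]
    return "\n".join(f'$buf += "{piece}"' for piece in pieces)


def find_chunked_base64(text: str, min_chunks: int = 4):
    """Triage heuristic: locate fixed-length base64 fragments, infer the chunk
    size, reassemble and decode. Returns a report dict, or None when the text
    does not contain a chunked payload."""
    runs = B64_RUN.findall(text)
    if len(runs) < min_chunks:
        return None

    # The obfuscator cuts at a fixed length, so that length dominates; only the
    # final fragment (and its padding) is shorter.
    lengths = Counter(len(run) for run in runs)
    chunk_len, count = lengths.most_common(1)[0]
    if count < min_chunks - 1:
        return None

    # 775 is not a multiple of 4, so individual fragments do not decode; the
    # pieces must be joined first, then re-padded to a multiple of 4.
    joined = "".join(runs).rstrip("=")
    padded = joined + "=" * (-len(joined) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None

    return {
        "chunk_len": chunk_len,
        "chunks": len(runs),
        "decoded_len": len(decoded),
        "decoded": decoded,
    }


# Constructed filler payload (7680 bytes) standing in for a real artifact.
SAMPLE_PAYLOAD = bytes(range(256)) * 30
SAMPLE_SCRIPT = build_sample_script(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    report = find_chunked_base64(SAMPLE_SCRIPT)
    if report is None:
        print("no chunked base64 payload found")
    else:
        print(f"chunk size {report['chunk_len']}, {report['chunks']} fragments, "
              f"{report['decoded_len']} bytes after reassembly")
```

The reassembled bytes can then be handed to whatever static checks a team already runs on dropped payloads; the point of the heuristic is that a chunk size such as 775 leaves every fragment individually undecodable, so a scanner that only tests each string literal on its own will miss the payload.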
Winnti has also been running Cobalt Strike listeners backed by more than 106 SSL certificates spoofing Microsoft, Cloudflare, and Facebook.