Winnti, a prolific Chinese threat group also tracked as APT41, focused its attacks on government organizations in Hong Kong and Sri Lanka in 2022.
The group has been active since 2007, and its recent attacks are part of an ongoing campaign dubbed Operation CuckooBees.
Operation CuckooBees
Winnti, according to The Hacker News, “carries out Chinese state-sponsored espionage activity, predominantly aimed at stealing intellectual property from organizations in developed economies.”
The threat actor's victims span sectors including healthcare, telecoms, high-tech, media, agriculture, and education.
Initial access to a victim's network is gained through spear-phishing email, and Winnti is estimated to have stolen hundreds of gigabytes of information this way.
In May 2022 Cybereason disclosed long-running intrusions, orchestrated by the group since 2019, aimed at stealing technology secrets from technology and manufacturing companies located primarily in East Asia, Western Europe, and North America.
Hong Kong Under Attack
In its latest activity, Winnti focused on Hong Kong organizations, with intrusions that remained active on the infected networks for up to a year.
This appears to be part of the same CuckooBees campaign, with the ultimate goal of exfiltrating proprietary data.
“We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign. While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection”, the Symantec Threat Hunter Team explained.
Other post-exploitation tools, including Mimikatz and a trojanized zlib DLL module that could accept commands from a remote server or load an arbitrary payload, were deployed alongside Spyder Loader.
The fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader malware deployed in that time, indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time.
The Sri Lanka Attacks
In August 2022 Winnti targeted government entities in Sri Lanka for the first time, using DBoxAgent, a new backdoor that uses Dropbox for command-and-control.
“The threat actors used multiple layers of protection and techniques to make analysis harder and hide their final payload”, according to Malwarebytes.
Taking advantage of the country's economic crisis, the threat actors hosted an ISO image on Google Drive that claimed to offer information about economic assistance. The image contains an LNK file that, once launched, leads to the execution of the DBoxAgent implant; from there the attackers can remotely control the machine and exfiltrate sensitive data to the cloud storage service.
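The first artefact a responder gets from a lure like this is the LNK file inside the ISO, and the question is what it actually runs. The script below is an added example (not code from the article, Malwarebytes, or the campaign): it parses the header and StringData of a Windows Shell Link per the MS-SHLLINK layout and applies a few triage heuristics (LOLBin in the target or arguments, minimised window, command chaining). The sample shortcut is constructed inline by a small writer; the path, DLL name and export in it are invented for the demo and are not indicators from the Sri Lanka intrusion.

```python
"""Parse the StringData of a Windows Shell Link (.lnk) and triage it as a lure.

Layout follows MS-SHLLINK. The sample shortcut below is constructed here for
the demo; it is not a file from the campaign described in the article.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
SW_SHOWMINNOACTIVE = 7  # ShowCommand value lures use to keep the window out of sight

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# StringData fields are written in this fixed order when their flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

LOLBINS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell",
           "cmd.exe", "certutil", "msiexec")


def parse_lnk(data: bytes) -> dict:
    """Return header fields and StringData; raise ValueError on malformed input."""
    try:
        if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
            raise ValueError("bad HeaderSize: not a shell link")
        flags = struct.unpack_from("<I", data, 20)[0]
        show_cmd = struct.unpack_from("<I", data, 60)[0]
        pos = HEADER_SIZE
        if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize + ItemIDList
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
            pos += struct.unpack_from("<I", data, pos)[0]
        unicode = bool(flags & IS_UNICODE)
        out = {"flags": flags, "show_command": show_cmd}
        for field, bit in STRING_FIELDS:
            if not flags & bit:
                continue
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
            pos += 2
            nbytes = count * 2 if unicode else count
            raw = data[pos:pos + nbytes]
            if len(raw) != nbytes:
                raise ValueError(f"truncated inside {field}")
            out[field] = raw.decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
        return out
    except struct.error as exc:                      # short read in a fixed field
        raise ValueError(f"truncated shell link: {exc}") from None


def triage(fields: dict) -> list:
    """Reasons a responder would treat the shortcut as a lure rather than a document."""
    reasons = []
    target = f"{fields.get('relative_path', '')} {fields.get('arguments', '')}".lower()
    reasons += [f"launches {b}" for b in LOLBINS if b in target]
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised (SW_SHOWMINNOACTIVE)")
    if " & " in target or " && " in target:
        reasons.append("command chaining in arguments")
    return reasons


def build_lnk(relative_path, working_dir, arguments, icon_location=None,
              show_command=1) -> bytes:
    """Constructed-sample writer (demo only): header + StringData, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def sd(s):  # CountCharacters (uint16) followed by UTF-16LE chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = sd(relative_path) + sd(working_dir) + sd(arguments)
    if icon_location is not None:
        body += sd(icon_location)
    return header + body


# Constructed lure (hypothetical names): opens a decoy PDF, then runs a DLL from
# the mounted image via rundll32, with the console window minimised.
SAMPLE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
    working_dir="C:\\Windows\\System32",
    arguments='/c start "" Economic_Assistance_Details.pdf & rundll32.exe '
              'D:\\assist.dll,Start',
    icon_location="%SystemRoot%\\System32\\imageres.dll",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    for key, value in info.items():
        print(f"{key:14} {value}")
    print("verdict:", triage(info) or "nothing suspicious")
```

On a real sample, `parse_lnk(open(path, "rb").read())` gives the same dictionary; the relative path and arguments are what the user's double-click executes, and the minimised ShowCommand plus a document-looking icon is the usual combination for a lure. Anything the parser cannot read cleanly is reported as `ValueError` rather than a crash, which matters when triaging deliberately malformed files.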
Using the backdoor, they can then drop further tooling for additional attacks and data exfiltration, including a multi-stage infection sequence that culminates in the deployment of KEYPLUG, an advanced C++ backdoor.
This marks the first time APT41 has been observed using Dropbox for command-and-control, illustrating the growing use by attackers of legitimate software-as-a-service and cloud offerings to host malicious content.
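Because the C2 traffic goes to Dropbox's own API endpoints, domain reputation gives the defender nothing; what still distinguishes an implant from a person is the timer behind its check-ins. The script below is an added example, not from the article or any vendor report: it groups proxy log lines by client and Dropbox API host, measures the coefficient of variation of the inter-request gaps, and flags pairs with enough requests and near-constant spacing. The log format and every line in it are constructed for the demo, and the user agents are invented (the real Dropbox desktop client's UA is not asserted here).

```python
"""Flag hosts that beacon to Dropbox API endpoints at machine-regular intervals.

Input is a constructed proxy log (not real traffic) in the one-line form
  <ISO-8601 UTC time> <client IP> <method> <URL> <status> "<user-agent>"
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com",
                     "notify.dropboxapi.com"}
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                     r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

# Constructed sample: 10.0.0.5 checks in every ~300 s, 10.0.0.9 is a bursty
# human-driven client, 10.0.0.7 is regular but has too few hits to judge.
SAMPLE_LOG = """\
2022-08-10T09:00:00Z 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-10T09:00:00Z 10.0.0.7 POST https://api.dropboxapi.com/2/users/get_current_account 200 "Mozilla/5.0"
2022-08-10T09:00:10Z 10.0.0.9 GET https://content.dropboxapi.com/2/files/download 200 "ConstructedDesktopClient/1.0"
2022-08-10T09:00:40Z 10.0.0.9 POST https://content.dropboxapi.com/2/files/upload 200 "ConstructedDesktopClient/1.0"
2022-08-10T09:01:00Z 10.0.0.7 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/5.0"
2022-08-10T09:02:00Z 10.0.0.7 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/5.0"
2022-08-10T09:03:12Z 10.0.0.5 GET https://www.google.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-10T09:05:01Z 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-10T09:07:15Z 10.0.0.9 GET https://content.dropboxapi.com/2/files/download 200 "ConstructedDesktopClient/1.0"
2022-08-10T09:10:00Z 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
this line is garbage and must be skipped
2022-08-10T09:14:59Z 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-10T09:20:00Z 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-10T09:25:01Z 10.0.0.5 POST https://api.dropboxapi.com/2/files/list_folder 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2022-08-10T09:31:00Z 10.0.0.9 POST https://content.dropboxapi.com/2/files/upload 200 "ConstructedDesktopClient/1.0"
2022-08-10T09:32:05Z 10.0.0.9 GET https://content.dropboxapi.com/2/files/download 200 "ConstructedDesktopClient/1.0"
"""


def parse_lines(text):
    """Yield (time, src, host, user_agent); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], urlsplit(m["url"]).hostname, m["ua"]


def find_beacons(text, hosts=DROPBOX_API_HOSTS, min_hits=5, max_cv=0.10):
    """Per (client, host): hit count, mean gap, and coefficient of variation of
    the gaps. A low CV over enough hits means a timer, not a person. Results are
    sorted most regular first."""
    buckets = defaultdict(list)
    for ts, src, host, ua in parse_lines(text):
        if host in hosts:
            buckets[(src, host)].append((ts, ua))
    findings = []
    for (src, host), events in buckets.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:            # only duplicate timestamps: nothing to measure
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "hits": len(events),
                             "mean_interval": mean_gap, "cv": cv,
                             "user_agents": sorted({ua for _, ua in events})})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['host']}: {f['hits']} hits, "
              f"every {f['mean_interval']:.0f}s (cv={f['cv']:.3f}), UA={f['user_agents']}")
```

The legitimate Dropbox desktop client and browser sessions talk to the same hosts, and the real client also polls on a schedule, so a hit here is a lead to pivot on (which process on 10.0.0.5 owns the connection, per EDR or Sysmon network events) rather than a verdict. Implants that add random jitter raise the CV; lowering `max_cv` trades misses for noise, and `min_hits` guards against calling three coincidental requests a beacon.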