Chinese hackers have been unleashed on insecure Windows devices

Cybereason researchers have discovered a new spyware campaign that has been active for at least three years and includes new strains of malware, rarely seen abuses of certain Windows features, and a "complex infection chain."

According to the company's report, a Chinese state-sponsored actor known as Winnti (also tracked as APT 41, BARIUM, or Blackfly) has been targeting numerous technology and manufacturing companies in North America, Europe, and Asia since at least 2019.

The goal was to identify and exfiltrate sensitive data, such as intellectual property developed by the victims, sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data. Investigators believe the attackers stole hundreds of gigabytes of valuable information.

Rarely seen abuse

This data also helped attackers map their victims' networks, organizational structure, and endpoints, giving them an advantage should they decide to make things worse (for example, with ransomware).

In its campaign, advanced persistent threat actor Winnti deployed new versions of already known malware (Spyder Loader, PRIVATELOG, and WINNKIT), but also deployed previously unknown malware: DEPLOYLOG.

To deploy the malware, the group opted for a "rarely seen" abuse of Windows' CLFS functionality, the researchers said. The group abused the Windows Common Log File System (CLFS) and NTFS transaction manipulation to store its payloads inside log files rather than as ordinary executables on disk, which let it hide the payloads and avoid detection by security products.

The payload delivery itself was described as “complex and interdependent,” resembling a house of cards. Therefore, it was very difficult for the researchers to analyze each component separately.

However, they managed to put the puzzle together and describe Winnti's malware arsenal as a chain: Spyder (a sophisticated modular backdoor), STASHLOG (the initial deployment tool that "hides" payloads in Windows CLFS log files), SPARKLOG (extracts and deploys PRIVATELOG to escalate privileges and achieve persistence on the target endpoint), PRIVATELOG (extracts and deploys DEPLOYLOG), DEPLOYLOG (deploys the WINNKIT rootkit), and finally WINNKIT, the kernel-level Winnti rootkit.
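One practical consequence of hiding payloads in CLFS log files is that the payload bytes no longer look like a PE file on disk, but they do still look like something that does not belong in a log: a long run of encrypted or packed data. The script below is an added example written for this page, not code from Cybereason or from the report; it implements a generic hunting heuristic (Shannon entropy over fixed-size blocks of CLFS base log files, which carry the .blf extension) rather than any specific STASHLOG signature. The block size, the entropy threshold and the "expected" directories are assumptions chosen for illustration, and the two sample files it scans are constructed inline so the script runs offline.

```python
"""Heuristic hunt for payloads stashed in CLFS log files.

Added example (not the report's tooling). Assumptions: a benign CLFS base
log (.blf) is mostly low-entropy metadata/text, while an embedded encrypted
or packed payload shows up as 512-byte blocks with entropy >= 7.0 bits/byte.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

BLOCK_SIZE = 512      # assumption: analysis window in bytes
ENTROPY_THRESHOLD = 7.0   # assumption: random/encrypted data is typically > 7.0
# Assumption: directories where Windows itself keeps CLFS logs; a .blf found
# elsewhere is worth a closer look even before the entropy check.
EXPECTED_DIR_FRAGMENTS = ("system32\\config", "system32\\logfiles", "\\txr\\")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_blocks(data: bytes, block=BLOCK_SIZE, threshold=ENTROPY_THRESHOLD):
    """Return (offset, entropy) for every full-size block above the threshold."""
    hits = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        if len(chunk) < block // 2:   # ignore a short trailing fragment
            break
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def in_expected_location(path: Path) -> bool:
    low = str(path).lower()
    return any(frag in low for frag in EXPECTED_DIR_FRAGMENTS)


def scan_clfs_logs(root) -> list:
    """Walk root for .blf files and report ones containing high-entropy data."""
    findings = []
    for p in Path(root).rglob("*.blf"):
        hits = high_entropy_blocks(p.read_bytes())
        if hits:
            findings.append({
                "path": str(p),
                "unexpected_location": not in_expected_location(p),
                "high_entropy_blocks": len(hits),
                "first_hit_offset": hits[0][0],
            })
    return findings


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for an encrypted payload (constructed data)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples: a plausible benign log body and one with a stashed blob.
BENIGN_LOG = b"".join(b"CLFS base log record %04d: checkpoint ok\r\n" % i for i in range(48))
SUSPICIOUS_LOG = b"CLFS base log record 0000: checkpoint ok\r\n".ljust(64, b"\x00") \
    + _pseudo_random(2048)


def demo() -> list:
    """Write both samples into a temp tree and scan it; returns the findings."""
    tmp = Path(tempfile.mkdtemp(prefix="clfs-hunt-"))
    (tmp / "benign.blf").write_bytes(BENIGN_LOG)
    (tmp / "ProgramData" / "vendor").mkdir(parents=True)
    (tmp / "ProgramData" / "vendor" / "suspicious.blf").write_bytes(SUSPICIOUS_LOG)
    return scan_clfs_logs(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

On a real host the root would be a mounted drive or a triage image rather than a temp directory, and the entropy hit is a lead, not a verdict: legitimately compressed or encrypted data will trip it too, so pair the finding with the file's location, its owner and the creation time relative to other activity on the endpoint.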