Winnti, a Chinese state-backed APT active since 2010, targets healthcare, technology, and pharmaceutical industries for intellectual property theft using their namesake backdoor for initial infection and persistence, while ShadowPad and PlugX RATs enable remote control and data exfiltration.
New attack graphs mimicking Winnti’s recent operations allow security teams to evaluate control performance against these TTPs, validate detection against a sophisticated espionage threat, and assess overall security posture.
The Winnti Cuckoobee Stage 1 leverages a VBScript downloaded through a web shell to perform reconnaissance on the compromised system.
It executes various commands to gather network configuration details (route, ipconfig, nltest, net, arp), system information (systeminfo), a list of local accounts (net user), running services (sc, get-service, net start, tasklist /svc), and explore the file system (dir).
Winnti malware, in its second stage, targets credential access: it first uses reg save to dump critical registry hives, including SYSTEM, SECURITY, and SAM, to a temporary location.
Mimikatz, a well-known credential dumping tool, is then used to extract passwords and hashes stored in memory. Dumping the hives and then running Mimikatz reflects the attacker’s intent to bypass potential endpoint controls and maximize credential harvesting.
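The hive-dump step above is cheap to detect from process-creation telemetry because the command line names the hive. The following detector is an added example, not AttackIQ's attack graph or Winnti's code; the event shape mirrors Sysmon process-creation fields and every command line in SAMPLE_EVENTS is constructed. It flags reg save of SAM, SECURITY or SYSTEM (including subkey saves) and escalates when one host has dumped both SAM and SYSTEM, since SYSTEM holds the boot key needed to decrypt the SAM hashes offline.

```python
"""Detect registry hive dumps via 'reg save' in process-creation events.

Added example (not AttackIQ's or Winnti's code). Event shape and all sample
command lines are constructed; field names mirror Sysmon Event ID 1.
"""
SENSITIVE_HIVES = {"SAM", "SECURITY", "SYSTEM"}
ROOT_ALIASES = {"HKLM", "HKEY_LOCAL_MACHINE"}

# Constructed sample events: three hive dumps on ws01, benign reg use on ws02.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg.exe save hklm\\security %TEMP%\\sec.hiv /y"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "REG SAVE HKEY_LOCAL_MACHINE\\SYSTEM C:\\Users\\Public\\sys.hiv"},
    {"host": "ws02", "user": "CORP\\svc", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"host": "ws02", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SOFTWARE\\Contoso C:\\backup\\contoso.hiv"},
]


def parse_hive_save(cmdline):
    """Return (hive, is_full_hive) when cmdline is 'reg save' of an HKLM key, else None.

    Matches reg / reg.exe with or without a directory prefix and ignores case, so
    'REG SAVE HKEY_LOCAL_MACHINE\\SYSTEM ...' and 'reg save hklm\\sam ...' both match.
    """
    tokens = [t.strip('"') for t in cmdline.split()]
    if len(tokens) < 3:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or tokens[1].lower() != "save":
        return None
    parts = tokens[2].upper().strip("\\").split("\\")
    if len(parts) < 2 or parts[0] not in ROOT_ALIASES:
        return None
    return parts[1], len(parts) == 2


def find_hive_dumps(events):
    """Return one alert per event that saves SAM, SECURITY or SYSTEM (or a subkey)."""
    alerts = []
    for ev in events:
        parsed = parse_hive_save(ev["cmdline"])
        if parsed is None:
            continue
        hive, full = parsed
        if hive in SENSITIVE_HIVES:
            tokens = ev["cmdline"].split()
            alerts.append({
                "host": ev["host"], "user": ev["user"], "hive": hive,
                "scope": "full" if full else "subkey",
                "dest": tokens[3].strip('"') if len(tokens) > 3 else "",
            })
    return alerts


def summarize_by_host(alerts):
    """Escalate to 'high' once a host has dumped both SAM and SYSTEM in full:
    the SYSTEM hive carries the boot key needed to decrypt the SAM hashes."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault(a["host"], {"hives": set(), "severity": "medium"})
        if a["scope"] == "full":
            entry["hives"].add(a["hive"])
        if {"SAM", "SYSTEM"} <= entry["hives"]:
            entry["severity"] = "high"
    return {h: {"hives": sorted(e["hives"]), "severity": e["severity"]}
            for h, e in summary.items()}


if __name__ == "__main__":
    hits = find_hive_dumps(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(summarize_by_host(hits))
```

Run it directly to see the three ws01 alerts and the per-host summary; the ws02 events (a query and a save of a non-sensitive hive) produce nothing. Pair it with file-creation telemetry on the destination paths and with the Mimikatz indicators your EDR already carries, since an attacker who dumps hives to disk usually reads them back immediately.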
The attacker initiates a comprehensive reconnaissance stage to gather in-depth information about the compromised system and network by leveraging various tools and techniques to enumerate NetBIOS names, peripheral devices, password policies, domain administrator accounts, running processes, system time, network connections, adapter details, network topology, network shares, and logged-in users.
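Both the Stage 1 reconnaissance (route, ipconfig, nltest, net, arp, systeminfo, sc, tasklist /svc) and the broader enumeration described here share one detectable property: many distinct discovery commands from a single user on a single host within minutes. The detector below is an added example, not AttackIQ's or Winnti's code; the events and timestamps are constructed, and the command-to-category map covers the commands named on the page plus assumed equivalents (nbtstat, net accounts, net group, net view, netstat, quser) for the NetBIOS, password-policy, group, host, connection and session enumeration the text describes without naming a tool.

```python
"""Flag reconnaissance bursts: many distinct discovery commands from one user on
one host inside a short window. Added example (not AttackIQ's or Winnti's code);
events and timestamps are constructed, and the command map is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MIN_DISTINCT = 5  # distinct discovery categories required before alerting

# Command name -> what it enumerates. One category per kind of information, so
# repeating the same command does not inflate the count.
COMMAND_CATEGORIES = {
    "route": "routing", "ipconfig": "adapters", "arp": "arp cache",
    "nltest": "domain trusts", "systeminfo": "system info", "sc": "services",
    "tasklist": "processes", "nbtstat": "netbios", "netstat": "connections",
    "whoami": "identity", "quser": "sessions", "query": "sessions",
}
# 'net' is one binary with many subcommands, so classify on the subcommand.
NET_SUBCOMMANDS = {
    "user": "accounts", "share": "shares", "accounts": "password policy",
    "group": "groups", "localgroup": "groups", "start": "services", "view": "hosts",
}

# Constructed events: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "ws01", "CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe /c route print"),
    ("2024-05-01T10:00:09", "ws01", "CORP\\jdoe", "ipconfig /all"),
    ("2024-05-01T10:00:15", "ws01", "CORP\\jdoe", "nltest /domain_trusts"),
    ("2024-05-01T10:00:22", "ws01", "CORP\\jdoe", "arp -a"),
    ("2024-05-01T10:00:40", "ws01", "CORP\\jdoe", "systeminfo"),
    ("2024-05-01T10:01:03", "ws01", "CORP\\jdoe", "net user"),
    ("2024-05-01T10:01:20", "ws01", "CORP\\jdoe", "tasklist /svc"),
    ("2024-05-01T10:01:45", "ws01", "CORP\\jdoe", "net share"),
    ("2024-05-01T10:02:10", "ws01", "CORP\\jdoe", "net accounts"),
    ("2024-05-01T11:30:00", "ws02", "CORP\\admin", "ipconfig /all"),
    ("2024-05-01T14:05:00", "ws02", "CORP\\admin", "net user"),
]


def classify(cmdline):
    """Map a command line to a discovery category, or None if it is not discovery."""
    tokens = [t.strip('"').lower() for t in cmdline.split()]
    if not tokens:
        return None
    # Unwrap "cmd.exe /c <command ...>" so the inner command is classified.
    if tokens[0].rsplit("\\", 1)[-1] in ("cmd", "cmd.exe") and "/c" in tokens:
        tokens = tokens[tokens.index("/c") + 1:]
        if not tokens:
            return None
    name = tokens[0].rsplit("\\", 1)[-1]
    if name.endswith(".exe"):
        name = name[:-4]
    if name in ("net", "net1"):
        return NET_SUBCOMMANDS.get(tokens[1]) if len(tokens) > 1 else None
    return COMMAND_CATEGORIES.get(name)


def find_recon_bursts(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return one alert per (host, user) burst with >= min_distinct categories in `window`."""
    grouped = defaultdict(list)
    for ts, host, user, cmdline in events:
        category = classify(cmdline)
        if category:
            grouped[(host, user)].append((datetime.fromisoformat(ts), category, cmdline))
    alerts = []
    for (host, user), evs in grouped.items():
        evs.sort()
        i = 0
        while i < len(evs):
            # Grow the window from event i and collect distinct categories.
            j, categories = i, set()
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                categories.add(evs[j][1])
                j += 1
            if len(categories) >= min_distinct:
                alerts.append({
                    "host": host, "user": user,
                    "start": evs[i][0].isoformat(), "end": evs[j - 1][0].isoformat(),
                    "categories": sorted(categories),
                    "commands": [e[2] for e in evs[i:j]],
                })
                i = j  # do not re-alert on the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: administrators run ipconfig and net user too, which is why the sample ws02 activity (two commands hours apart) stays silent while the nine-command sweep on ws01 in two minutes fires once. Counting categories rather than raw commands keeps a scripted loop of the same command from tripping the rule on its own.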
The Winnti malware arsenal deployment starts with Winnti SpiderLoader execution via RunDLL32, and then Winnti Stashlog is dropped and uses reflective DLL injection to run, where an attacker retrieves the machine’s GUID to identify the victim.
According to AttackIQ, Winnti Privatelog is deployed next and utilizes DLL side-loading for execution. Lateral movement happens through RDP, and exfiltration occurs over HTTP to a test server.
Winnti launched a stealthy cyberattack campaign called Operation Harvest in September 2021, using a PlugX dropper with a DLL side-loading technique to deploy the Winnti backdoor, while Mimikatz was used to steal credentials and PsExec facilitated lateral movement.
The campaign used DLL injection and a newly created service for persistence, then collected data, including files, directories, network shares, system information, and user information, which was exfiltrated through an encrypted C2 channel and potentially over unencrypted channels as well.
Winnti targeted Sri Lankan government entities in August 2022 using a multi-stage attack. The attack began with a malicious ISO file disguised as economic aid information on Google Drive, and once downloaded, the ISO dropped a shortcut file that triggered the execution of a DLL.
This DLL loaded DBoxAgent, a backdoor using Dropbox for communication, then performed network discovery and information gathering using native Windows APIs and deployed additional tools, SerialVlogger and KeyPlug, for further system information extraction and potential persistence through DLL side-loading and code injection.
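The Cuckoobee arsenal (SpiderLoader via RunDLL32, Privatelog via DLL side-loading) and the Sri Lanka chain (mounted ISO, shortcut file, DLL) both come down to a DLL executing from somewhere a legitimate installer never put it. The checks below are an added example, not AttackIQ's, Winnti's or any vendor's detection logic; the events, paths and file names are constructed, and the trusted-root list and the "non-system drive" heuristic for a mounted ISO are assumptions to adapt to the estate in question. It handles three cases: rundll32/regsvr32 pointed at an absolute DLL path outside the Windows and Program Files trees, a program Explorer launched from a non-system drive (what a double-clicked shortcut on a mounted ISO looks like), and a signed executable loading an unsigned DLL from its own untrusted directory (the side-loading pattern).

```python
"""Spot DLL execution from untrusted locations in process-creation and
image-load events. Added example (not AttackIQ's or Winnti's code); all
events, paths and file names are constructed; TRUSTED_ROOTS and the
non-system-drive heuristic are assumptions.
"""
from pathlib import PureWindowsPath

# Directories where a DLL loaded by rundll32/regsvr32 is expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_DRIVE = "C:"

# Constructed events. 'process' mirrors Sysmon Event ID 1, 'load' mirrors Event ID 7.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\loader.dll,Start"},
    {"type": "process", "host": "ws01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "process", "host": "ws03", "parent": "C:\\Windows\\explorer.exe",
     "image": "E:\\aid-package\\details.exe",
     "cmdline": "\"E:\\aid-package\\details.exe\""},
    {"type": "load", "host": "ws03", "image": "C:\\ProgramData\\Vendor\\updater.exe",
     "signed_process": True, "loaded": "C:\\ProgramData\\Vendor\\version.dll",
     "signed_dll": False},
    {"type": "load", "host": "ws02", "image": "C:\\Program Files\\Vendor\\app.exe",
     "signed_process": True, "loaded": "C:\\Program Files\\Vendor\\helper.dll",
     "signed_dll": False},
]


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def dll_argument(cmdline):
    """Return the DLL named on a rundll32/regsvr32 command line, or None."""
    tokens = [t.strip('"') for t in cmdline.split()]
    for tok in tokens[1:]:
        if tok.startswith("/"):
            continue
        candidate = tok.split(",")[0]  # rundll32 syntax is "<dll>,<entrypoint>"
        if candidate.lower().endswith(".dll"):
            return candidate
    return None


def assess_process(ev):
    """Rules for process-creation events; returns a list of (rule, detail)."""
    findings = []
    image, parent = PureWindowsPath(ev["image"]), PureWindowsPath(ev["parent"])
    if image.name.lower() in ("rundll32.exe", "regsvr32.exe"):
        dll = dll_argument(ev["cmdline"])
        # Bare names such as shell32.dll resolve through the normal search order;
        # only absolute paths are judged against the trusted roots here.
        if dll and PureWindowsPath(dll).drive and not is_trusted_path(dll):
            findings.append(("dll-from-untrusted-path", dll))
    if image.drive.upper() != SYSTEM_DRIVE and parent.name.lower() == "explorer.exe":
        findings.append(("explorer-launch-from-non-system-drive", str(image)))
    return findings


def assess_load(ev):
    """Side-load heuristic: signed process loads an unsigned DLL from its own untrusted directory."""
    image, loaded = PureWindowsPath(ev["image"]), PureWindowsPath(ev["loaded"])
    if (ev["signed_process"] and not ev["signed_dll"]
            and loaded.parent == image.parent and not is_trusted_path(str(loaded))):
        return [("possible-dll-sideload", str(loaded))]
    return []


def scan(events):
    """Return (host, rule, detail) for every finding across both event types."""
    results = []
    for ev in events:
        findings = assess_process(ev) if ev["type"] == "process" else assess_load(ev)
        results.extend((ev["host"], rule, detail) for rule, detail in findings)
    return results


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Of the five sample events, three produce findings and two are deliberately benign: rundll32 with a bare shell32.dll argument, and an unsigned helper DLL under Program Files. The side-load rule will still be noisy for software that ships unsigned DLLs into ProgramData or AppData, so in practice it is best scoped to the signed executables known to be abused for side-loading rather than run across the whole fleet.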