The China-based Advanced Persistent Threat (APT) group, known as the Winnti Group or APT41, has launched a sophisticated cyberattack campaign targeting Japanese organizations in the manufacturing, materials, and energy sectors.
Dubbed “RevivalStone,” this operation employs a novel version of the infamous Winnti malware, showcasing advanced capabilities and evasion techniques.
The campaign was first identified by LAC’s Cyber Emergency Center and has since been analyzed extensively, with findings presented at major cybersecurity conferences such as Virus Bulletin 2024 and the Threat Analyst Summit.
Technical Details of the Attack
The RevivalStone campaign begins with exploiting SQL injection vulnerabilities in web-facing Enterprise Resource Planning (ERP) systems.

Through these vulnerabilities, attackers deploy web shells like “China Chopper,” “Behinder,” and “sqlmap file uploader” to gain initial access.
These tools enable reconnaissance, credential harvesting, and lateral movement within targeted networks.
Once inside, attackers deploy an updated version of the Winnti malware.
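The initial-access step above hinges on SQL queries that embed untrusted input. The following added example (not code from the report or from any affected ERP product) contrasts a login check built by string formatting with one that uses bound parameters, against a constructed in-memory SQLite table; the table contents and the classic tautology input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a stand-in for an ERP login table, not real credentials.
SAMPLE_USERS = [
    ("alice", "correct-horse"),
    ("bob", "battery-staple"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query text with string formatting: user input becomes SQL syntax."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row is not None


def login_hardened(conn, username, password):
    """Uses bound parameters: user input is passed as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None


def demo():
    """Run both variants on a valid login, a wrong password and the textbook tautology."""
    conn = build_db()
    tautology = "' OR '1'='1"  # textbook injection string, constructed for the demo
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "correct-horse"),
        "valid_hard": login_hardened(conn, "alice", "correct-horse"),
        "wrong_hard": login_hardened(conn, "alice", "wrong"),
        # The formatted query degenerates to "... AND password = '' OR '1'='1'",
        # so the vulnerable check succeeds for a user that does not exist.
        "inject_vuln": login_vulnerable(conn, "nobody", tautology),
        # With bound parameters the same string is just a password that matches nothing.
        "inject_hard": login_hardened(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Parameterised queries close the injection path itself; they do not remove the need to monitor the web tier for the follow-on web-shell activity the report describes, since an application with a second, unpatched query remains exposed.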
Enhanced Malware Features
The new variant of Winnti malware observed in this campaign includes several advanced features:
- Encryption Advancements: The malware employs AES and ChaCha20 encryption algorithms to secure its payloads and communications.
- Device-Specific Decryption Keys: Unique identifiers such as IP addresses and MAC addresses are used to generate decryption keys, so a payload captured from one host cannot be decrypted on an analyst's machine whose identifiers differ, complicating analysis.
- Rootkit Deployment: A kernel-level rootkit intercepts TCP/IP communications, enabling covert data exfiltration.
- Evasion Techniques: Obfuscated code and DLL hijacking are used to evade endpoint detection and response (EDR) systems.
The attackers also leveraged compromised accounts from Managed Service Providers (MSPs) to infiltrate interconnected networks, amplifying the campaign’s impact across multiple organizations.
The Winnti Group has a long history of cyberespionage campaigns aligned with Chinese state interests, often targeting intellectual property and sensitive data across industries such as gaming, pharmaceuticals, aerospace, and now critical infrastructure in Japan.

The group’s use of stolen digital certificates and advanced persistence mechanisms underscores its sophistication.
This campaign highlights the growing threat posed by state-sponsored actors targeting supply chains and critical infrastructure.
Organizations are urged to strengthen their cybersecurity defenses by:
- Patching known vulnerabilities promptly.
- Monitoring for indicators of compromise (IoCs), such as unusual DLL files or registry keys like “IPSECMINIPORT.”
- Implementing robust access controls and multi-factor authentication.
- Deploying Endpoint Detection and Response (EDR) solutions for real-time monitoring.
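Two of the indicators named above, unusual DLL files and the "IPSECMINIPORT" registry key, can be checked mechanically in endpoint telemetry. The following added example (not a tool from the report, LAC or any EDR vendor) parses a few constructed image-load and registry events in a simple key=value format and raises an alert when a well-known system DLL is loaded from outside the Windows system directories, which is the classic DLL-hijacking footprint, or when a registry key whose name matches the reported IoC is created. The log format, file paths, registry path and the small DLL list are all constructed assumptions; only the key name comes from the report.

```python
import re

# Constructed telemetry lines in a simplified "timestamp event k=v k=v" format.
# Paths, process names and the full registry path are made up for the example.
SAMPLE_LOG = [
    r"2025-02-01T10:00:01Z ImageLoad process=C:\ERP\bin\erpsvc.exe image=C:\Windows\System32\version.dll",
    r"2025-02-01T10:00:02Z ImageLoad process=C:\ERP\bin\erpsvc.exe image=C:\ERP\bin\version.dll",
    r"2025-02-01T10:00:03Z RegistryKeyCreate key=HKLM\SYSTEM\CurrentControlSet\Services\IPSECMINIPORT",
    r"2025-02-01T10:00:04Z RegistryKeyCreate key=HKLM\SOFTWARE\Vendor\ERP",
    r"2025-02-01T10:00:05Z ImageLoad process=C:\Windows\System32\svchost.exe image=C:\Windows\System32\kernel32.dll",
]

# Directories in which Windows-supplied DLLs are expected to live (assumption: 64-bit host).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Small constructed subset of DLL names shipped with Windows; a real rule would use a fuller list.
KNOWN_SYSTEM_DLLS = {"version.dll", "kernel32.dll", "dbghelp.dll"}
# Registry key names reported as indicators; only IPSECMINIPORT is taken from the report.
SUSPICIOUS_KEY_NAMES = {"ipsecminiport"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one telemetry line into a dict of timestamp, event type and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "event": m.group("event")}
    event.update(dict(KV_RE.findall(m.group("fields"))))
    return event


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def check_dll(event):
    """Flag a known system DLL name loaded from a directory other than the system directories."""
    name, directory = basename(event["image"]), dirname(event["image"])
    if name in KNOWN_SYSTEM_DLLS and directory not in SYSTEM_DIRS:
        return (f"system DLL {name} loaded from non-system path {event['image']} "
                f"by {event['process']} (possible DLL hijacking)")
    return None


def check_registry(event):
    """Flag creation of a registry key whose leaf name matches a reported indicator."""
    if basename(event["key"]) in SUSPICIOUS_KEY_NAMES:
        return f"registry key matching reported IoC created: {event['key']}"
    return None


def scan(lines):
    """Return a list of (timestamp, message) alerts for the given telemetry lines."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        message = None
        if event["event"] == "ImageLoad" and "image" in event and "process" in event:
            message = check_dll(event)
        elif event["event"].startswith("Registry") and "key" in event:
            message = check_registry(event)
        if message:
            alerts.append((event["ts"], message))
    return alerts


if __name__ == "__main__":
    for ts, message in scan(SAMPLE_LOG):
        print(f"{ts} ALERT {message}")
```

Running the block on the constructed lines yields two alerts: the copy of version.dll loaded from the ERP application directory and the IPSECMINIPORT key creation. The same two checks map directly onto Sysmon-style image-load and registry events; the path comparison must stay case-insensitive, and the system-DLL list should be generated from a clean reference host rather than maintained by hand.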
As cyber threats evolve, adopting a multi-layered security strategy is critical to mitigating risks associated with advanced APT campaigns like RevivalStone.