Cybereason researchers have uncovered a new spyware campaign that has been active for at least three years and includes new strains of malware, rarely seen abuse of certain Windows features, and a “complex infection chain”.
According to the company’s report, a Chinese state-sponsored actor known as Winnti (aka APT 41, BARIUM or Blackfly) has been targeting numerous technology and manufacturing companies in North America, Europe and Asia since at least 2019.
The objective was to identify and exfiltrate sensitive data, such as intellectual property developed by the victims, sensitive documents, blueprints, diagrams, formulas and proprietary data related to manufacturing. Researchers believe the attackers stole hundreds of gigabytes of valuable information.
Rarely seen abuse
This data also helped attackers map their victims’ networks, organizational structure, and endpoints, giving them a head start should they decide to make matters worse (for example, with ransomware).
In this campaign, the Winnti advanced persistent threat actor deployed new versions of already known malware (Spyder Loader, PRIVATELOG and WINNKIT) alongside previously unknown malware, DEPLOYLOG.
To deploy the malware, the group opted for a “rarely seen” abuse of Windows CLFS functionality, the researchers said. This was not the exploitation of a vulnerability but the misuse of legitimate Windows mechanisms: the CLFS (Common Log File System) logging facility, whose log files are not a place security products typically inspect, and NTFS transaction manipulations. Together these let the attackers stash payloads on disk and stage them for execution while avoiding detection.
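A hunting heuristic that follows from this, as an added example that is not part of Cybereason’s report or tooling: because the payloads were stashed inside CLFS base log files, an analyst can enumerate every `.blf` file on a host and flag those that sit outside an allow-list of directories where CLFS logs are expected, or whose contents look packed or encrypted (high Shannon entropy). The allow-list, the 7.0 bits-per-byte threshold and the sample files are assumptions for illustration; legitimate CLFS logs can also be high-entropy, so a hit is a lead to inspect, not a verdict.

```python
"""Triage helper for CLFS base log files (*.blf) that may carry hidden payloads.

Added example, not Cybereason's code. Heuristic only: a .blf file is reported
as suspicious when it lies outside an analyst-supplied allow-list of directories
or when its content has high Shannon entropy (packed/encrypted data).
"""
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_blf_files(root: str) -> list:
    """Walk `root` and return every file with a .blf extension (CLFS base log)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".blf"):
                hits.append(os.path.join(dirpath, name))
    return hits


def triage_blf(path: str, allowed_dirs, entropy_threshold: float = 7.0) -> dict:
    """Score one .blf file. `allowed_dirs` is a hypothetical allow-list of the
    directories where CLFS logs are expected on this host."""
    with open(path, "rb") as fh:
        data = fh.read()
    parent = os.path.normcase(os.path.dirname(os.path.abspath(path)))
    in_expected = any(parent == os.path.normcase(os.path.abspath(d)) for d in allowed_dirs)
    ent = shannon_entropy(data)
    reasons = []
    if not in_expected:
        reasons.append("blf outside expected log directories")
    if ent >= entropy_threshold:
        reasons.append(f"high entropy ({ent:.2f} bits/byte): possible packed/encrypted payload")
    return {"path": path, "size": len(data), "entropy": round(ent, 2),
            "in_expected_dir": in_expected, "reasons": reasons, "suspicious": bool(reasons)}


def hunt(root: str, allowed_dirs, entropy_threshold: float = 7.0) -> list:
    """Triage every .blf file under `root`; returns one result dict per file."""
    return [triage_blf(p, allowed_dirs, entropy_threshold) for p in find_blf_files(root)]


def _pseudo_random(n: int, seed: bytes = b"clfs-hunt-demo") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 hash chain) for the constructed sample."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_sample_tree() -> tuple:
    """Constructed sample data, not files from a real compromise: a throwaway tree
    with a low-entropy .blf in an 'expected' directory and a high-entropy .blf
    dropped somewhere unusual. Returns (root, allow-list)."""
    root = tempfile.mkdtemp(prefix="clfs-hunt-")
    expected = os.path.join(root, "Windows", "System32", "config")
    odd = os.path.join(root, "ProgramData", "unusual")
    os.makedirs(expected)
    os.makedirs(odd)
    with open(os.path.join(expected, "SYSTEM.LOG.blf"), "wb") as fh:
        fh.write(b"\x00" * 4096)  # placeholder low-entropy content
    with open(os.path.join(odd, "log.blf"), "wb") as fh:
        fh.write(_pseudo_random(65536))  # stands in for a stashed, encrypted payload
    return root, [expected]


if __name__ == "__main__":
    sample_root, allow = build_sample_tree()
    for result in hunt(sample_root, allow):
        print(result)
```

On a real host, call `hunt("C:\\", allowed_dirs)` with an allow-list built from a known-good baseline of the same Windows build, and treat the entropy score as a ranking signal to prioritize which files to pull for manual parsing.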
The payload delivery itself was described as “complex and interdependent”, resembling a house of cards. Therefore, it was very difficult for the researchers to analyze each component separately.
Yet they managed to piece the puzzle together. The Winnti arsenal in this campaign consists of Spyder (a sophisticated modular backdoor); STASHLOG (the initial deployment tool, which hides payloads in Windows CLFS log files); SPARKLOG (extracts and deploys PRIVATELOG to escalate privileges and achieve persistence on the target endpoint); PRIVATELOG (extracts and deploys DEPLOYLOG); DEPLOYLOG (deploys the WINNKIT rootkit); and finally WINNKIT, the kernel-level Winnti rootkit.