Winnti Hackers Split Cobalt Strike Into 154 Pieces To Evade Detection
The Chinese Winnti hacking group, also referred to as "APT41" or "Wicked Spider", engaged in at least 80 hacking attempts in 2021 and compromised at least thirteen organizations. According to researchers at Group-IB, who have been tracking the group, Winnti's activity in 2021 was its most "intense" to date.
The researchers found that Winnti focused mainly on hotels and resorts in the USA, aviation firms in India, government bodies, manufacturers and media companies in Taiwan, and technology intermediaries in China.
Here is an image showing how many organizations were breached by Winnti in 2021:
To facilitate their campaigns, Winnti also compromised university websites in the UK, Ireland, and Hong Kong, Thai military portals, and various sites belonging to India's government.
Here is an image showing the compromised infrastructure used in 2021 Winnti operations:
In these campaigns, Winnti used a range of tactics, including phishing, watering-hole attacks, supply chain attacks, and numerous SQL injections.
The threat actors used a mix of tools to find weaknesses in targeted networks or move laterally within them, including Acunetix (a web vulnerability scanner), Nmap (port scanning), SQLmap (SQL injection), the subdomain-enumeration tools OneForAll, subdomain3, subDomainsBrute and Sublist3r, and the "venerable" Cobalt Strike.
Hiding their Cobalt Strike beacons
A notable feature of Winnti's Cobalt Strike deployment was how the beacon payload was hidden from host-based detection. According to the research, the hackers base64-encoded the payload and split it into numerous small pieces of 775 characters each, which were then written, one after another, to a text file named dns.txt.
In some cases, it took 154 iterations to write the whole payload to the text file; in others, Winnti increased the chunk size to 1,024 characters to reduce the number of iterations. To reassemble and launch the Cobalt Strike beacon, the threat actors relied on the certutil LOLBin as follows:
certutil -decode C:\dns.txt C:\dns.exe
certutil -hashfile C:\dns.exe
copy C:\dns.exe C:\WINDOWS\dns.exe
move C:\dns.exe C:\windows\mciwave.exe
The first command base64-decodes the staged text file back into an executable, the second computes its hash (presumably to verify that the reassembled payload is intact), and the last two place the binary under the Windows directory with a name resembling a system file.
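The following added example, which is not code from the original article or from Group-IB, emulates the chunked staging described above (base64-encode, cut into 775- or 1,024-character pieces, write piece by piece, decode at the end) and shows the detection logic a defender would run over process command-line telemetry: a certutil -decode whose input file was built up by many small appends on the same host. The write primitive (echo ... >> file), the host names, and the log lines are constructed assumptions, since the article does not say how the pieces were written.

```python
import base64
import math
import re
from collections import defaultdict

# --- Staging side: emulate the chunked base64 write described in the article ---

def stage_chunks(payload: bytes, chunk_size: int = 775) -> list[str]:
    """Base64-encode payload and cut the text into chunk_size-character pieces,
    one per write to the staging file (775 in the article, 1,024 in the faster variant)."""
    encoded = base64.b64encode(payload).decode("ascii")
    return [encoded[i:i + chunk_size] for i in range(0, len(encoded), chunk_size)]

def iterations_needed(payload_len: int, chunk_size: int = 775) -> int:
    """Number of writes a payload of payload_len bytes needs at a given chunk size."""
    encoded_len = 4 * math.ceil(payload_len / 3)  # base64 turns every 3 bytes into 4 chars
    return math.ceil(encoded_len / chunk_size)

def reassemble(chunks: list[str]) -> bytes:
    """What 'certutil -decode' does to the finished dns.txt: join and base64-decode."""
    return base64.b64decode("".join(chunks))

# --- Detection side: hunt the pattern in process command-line telemetry ---

# Assumed write primitive: 'echo <chunk> >> <file>'. The article does not say how the
# pieces were written; adjust APPEND_RE to whatever your telemetry actually shows.
APPEND_RE = re.compile(r"echo\s+(\S+)\s*>>\s*(\S+)", re.IGNORECASE)
DECODE_RE = re.compile(r"certutil(?:\.exe)?\s+-decode\s+(\S+)\s+(\S+)", re.IGNORECASE)

def detect_chunked_staging(events, min_appends: int = 20) -> list[dict]:
    """events: iterable of (host, command_line) in chronological order.
    Flags a 'certutil -decode' whose input file received at least min_appends
    small appends on the same host beforehand."""
    appends = defaultdict(int)  # (host, staging file) -> number of appends seen
    findings = []
    for host, cmd in events:
        m = APPEND_RE.search(cmd)
        if m:
            appends[(host, m.group(2).lower())] += 1
            continue
        m = DECODE_RE.search(cmd)
        if m:
            src, dst = m.group(1), m.group(2)
            n = appends.get((host, src.lower()), 0)
            if n >= min_appends:
                findings.append({"host": host, "staging_file": src,
                                 "decoded_to": dst, "appends": n})
    return findings

def sample_events() -> list[tuple[str, str]]:
    """Constructed telemetry (not real logs): host WS01 stages an 89,400-byte dummy
    payload in 775-char chunks and decodes it; host WS02 runs a single benign
    certutil -decode with no preceding chunk writes."""
    dummy_payload = b"\x00" * 89400
    events = [("WS01", f"cmd.exe /c echo {chunk} >> C:\\dns.txt")
              for chunk in stage_chunks(dummy_payload, 775)]
    events.append(("WS01", "certutil -decode C:\\dns.txt C:\\dns.exe"))
    events.append(("WS01", "move C:\\dns.exe C:\\windows\\mciwave.exe"))
    events.append(("WS02", "certutil -decode C:\\temp\\cert.b64 C:\\temp\\cert.cer"))
    return events

if __name__ == "__main__":
    print(iterations_needed(89400, 775), iterations_needed(89400, 1024))  # 154 117
    for finding in detect_chunked_staging(sample_events()):
        print(finding)
```

An 89,400-byte payload is the size that needs exactly 154 writes at 775 characters per chunk, matching the count in the article; at 1,024 characters it drops to 117. The detector keys on the staging file named in the decode command, so renaming the file or the output does not help the attacker, but it does rely on command lines being logged (Sysmon event 1 or the 4688 audit event with command-line logging enabled).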
Another distinctive aspect of Winnti's Cobalt Strike deployment is the use of listeners with over 106 custom SSL certificates mimicking Microsoft, Facebook, and Cloudflare. According to the researchers, these certificates ensured that the listeners on the C2 servers would only accept connections from the planted beacons, locking out prying researchers and curious hackers. Mimicking well-known issuers also helps the C2 traffic blend in with legitimate TLS traffic to those services.
Lurking in the shadows
Researchers' persistent monitoring of Winnti's operations has not hindered the Chinese hackers, whose operations continue undisturbed.
In January 2022, researchers at Kaspersky discovered 'MoonBounce', an advanced UEFI firmware implant deployed in the wild by Winnti against high-profile organizations.
In March 2022, Mandiant reported that Winnti breached government networks in six U.S. states using Cisco and Citrix exploits.
In May 2022, a report by Cybereason revealed much about Winnti's arsenal and TTPs (tactics, techniques, and procedures) after mapping a previously unknown operation that had been underway since at least 2019.
The FBI and the Department of Justice were briefed on Cybereason's findings. In recent years, Western nations, especially the United States and the United Kingdom, have accused China of conducting large-scale cyber operations aimed at stealing massive amounts of information, including commercial secrets, scientific research, and personal data.
If you found this article interesting and want to know more about cyber security, visit Terraeagle today.