Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks

Posted by & filed under Security Alerts.

Cybersecurity researchers have disclosed a series of attacks by a threat actor of Chinese origin that has targeted organizations in Russia and Hong Kong with malware — including a previously undocumented backdoor.

Attributing the campaign to Winnti (or APT41), Positive Technologies dated the first attack to May 12, 2020, when the APT used LNK shortcuts to extract and run the malware payload. A second attack detected on May 30 used a malicious RAR archive file consisting of shortcuts to two bait PDF documents that purported to be a curriculum vitae and an IELTS certificate.

The shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers that are used to fetch the final-stage malware that, in turn, includes a shellcode loader (“svchast.exe”) and a backdoor called Crosswalk (“3t54dE3r.tmp”).

Crosswalk, first documented by FireEye in 2017, is a bare-bones modular backdoor capable of carrying out system reconnaissance and receiving additional modules from an attacker-controlled server as shellcode.

 

While this modus operandi shares similarities with that of the Korean threat group Higaisa — which was found exploiting LNK files attached in an email to launching attacks on unsuspecting victims in 2020 — the researchers said the use of Crosswalk suggests the involvement of Winnti.

This is also supported by the fact that the network infrastructure of the samples overlaps with previously known APT41 infrastructure, with some of the domains traced back to Winnti attacks on the online video game industry in 2013.

The new wave of attacks is no different. Notably, among the targets include Battlestate Games, a Unity3D game developer from St. Petersburg.

Furthermore, the researchers found additional attack samples in the form of RAR files that contained Cobalt Strike Beacon as the payload, with the hackers in one case referencing the U.S. protests related to the death of George Floyd last year as a lure.

In another instance, Compromised certificates belonging to a Taiwanese company called Zealot Digital were abused to strike organizations in Hong Kong with Crosswalk and Metasploit injectors, as well as ShadowPad, Paranoid PlugX, and a new .NET backdoor called FunnySwitch.

 

The backdoor, which appears to be still under development, is capable of collecting system information and running arbitrary JScript code. It also shares a number of common features with Crosswalk, leading the researchers to believe that they were written by the same developers.

Previously, Paranoid PlugX had been linked to attacks on companies in the video games industry in 2017. Thus, the deployment of the malware via Winnti’s network infrastructure adds credence to the “relationship” between the two groups.

“Winnti continues to pursue game developers and publishers in Russia and elsewhere,” the researchers concluded. “Small studios tend to neglect information security, making them a tempting target. Attacks on software developers are especially dangerous for the risk they pose to end users, as already happened in the well-known cases of CCleaner and ASUS.”

 

 

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.