“CuckooBees” campaign operated by Chinese cyber espionage group went undetected since 2019
A stealthy cyber espionage campaign, which researchers say is almost certainly operated by the China-linked Winnti APT, has been ongoing and undetected since at least 2019. Its characteristics almost precisely match those described in the FBI publication, also issued in 2019, titled China: the Risk to Corporate America (PDF).
The FBI warned that China would use cyber espionage to steal American intellectual property to help facilitate the Chinese government’s Made in China 2025 Plan. The Winnti campaign, named CuckooBees, seems purpose-designed to do just that – and the CuckooBees campaign started at the same time as the FBI issued its warning.
CuckooBees was discovered by Cybereason – after years of undetected operation – when its researchers were engaged to investigate multiple intrusions targeting technology and manufacturing companies in North America, Europe, and Asia. In an analysis of the campaign, Cybereason suggests that over the years, CuckooBees has successfully exfiltrated hundreds of gigabytes of information. It further believes with medium to high confidence that CuckooBees is the work of the Chinese Winnti group (aka APT41, BARIUM, and Blackfly).
Winnti is a Chinese state-affiliated group that has existed since at least 2010 and is known for its sophistication, stealth and focus on stealing technology secrets. Mandiant described (PDF) Winnti in March 2022 as ‘a creative and well-resourced adversary’.
Cybereason’s research into the CuckooBees campaign uncovered an undocumented new malware called Deploylog, and new versions of known Winnti malware. Payload concealment and detection evasion were based on a rarely seen abuse of the Windows Common Log File System (CLFS) feature.
The infection chain and payload deployment (which Cybereason calls the Winnti Kill Chain) was implemented with a ‘house of cards’ approach, with each component depending on the others to function properly. This makes it difficult to analyze any component in isolation.
Winnti Kill Chain in Operation CuckooBees (Image Credit: Cybereason)
Initial intrusion came through multiple vulnerabilities in the ERP platform. From there, the attackers established persistence with a WebShell, and began reconnaissance and credential dumping. This enabled lateral movement, ultimately resulting in sensitive data exfiltration from both critical servers and the endpoints of high-profile employees.
CuckooBees involved multiple persistence techniques. The first was to drop a VBScript version of the WebShell, execute it using wscript, and copy the result to an externally accessible folder. This is a technique that has been known since 2006 and has a strong Chinese connection. The WebShell used in this instance was almost identical to a publicly known WebShell called up_win32.jsp.
The second persistence method provided an additional backup entry point. It involved modifying the Windows Remote Management (WinRM) configuration to enable HTTP and HTTPS listeners for remote shell access.
The third method leveraged a signed kernel rootkit, while the fourth technique abused the legitimate IKEEXT and PrintNotify Windows Services to side-load Winnti DLLs and preserve persistence.
The initial reconnaissance used built-in Windows commands to gather information on the compromised server. Once footholds on multiple machines had been established, Winnti began using Scheduled Tasks to execute batch scripts that differed between different machines, with different commands based on the attackers’ goals.
Two methods were used for credential dumping: the reg save command and an unknown tool named MFSDLL.Exe. The reg save command was used to dump the SYSTEM, SAM and SECURITY registry hives, enabling the attackers to crack password hashes locally.
Cybereason has not been able to recover a sample of MFSDLL but has learned how it was used and what it loaded. It loaded a DLL called mktzx64.dll, which ESET has separately detected and mentioned in its joint report with Avast on the Microceen RAT, and which may be connected with the use of Mimikatz.
Using compromised domain administrator credentials, Winnti then used scheduled tasks to execute commands on dozens of compromised machines. During this phase, the attackers were able to move laterally and infect a large number of hosts using the stolen credentials.
For data collection, the attackers used a renamed Chinese-language version of WinRAR to create password protected archives containing the stolen data. This was renamed to rundll32.exe to disguise it and silently blend in with other Windows system files.
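A renamed archiver blends in by file name only; its PE version information, its location and its command line still give it away. The following is an added example (not Cybereason's code and not from its report) that checks constructed process-creation records for a process named rundll32.exe that runs outside the system directories, whose PE OriginalFilename does not match the genuine binary, or whose arguments look like WinRAR creating a password-protected archive. Field names (`image`, `original_file_name`, `command_line`) and the sample OriginalFilename values are assumptions modelled on Sysmon event 1.

```python
"""Detect a system-binary name (rundll32.exe) masquerading for a renamed archiver.

Added example; the event records are constructed and are not from the report.
"""
import re
import shlex

# Where the genuine binary lives; anything else with that name is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Expected PE OriginalFilename per watched name (assumed value for illustration).
EXPECTED_ORIGINAL = {"rundll32.exe": "RUNDLL32.EXE"}

# WinRAR password switches: -p<pwd> sets a password, -hp<pwd> also encrypts headers.
RAR_PASSWORD_SWITCH = re.compile(r"^-(hp|p)\S*$", re.IGNORECASE)

# Constructed sample records (field names are an assumption).
EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "original_file_name": "RUNDLL32.EXE",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\Temp\rundll32.exe",
     "original_file_name": "WinRAR.exe",
     "command_line": r"rundll32.exe a -r -hpP@ss C:\Windows\Temp\out.rar C:\Data\designs"},
    {"image": r"C:\ProgramData\rundll32.exe",
     "original_file_name": "",
     "command_line": r"rundll32.exe a -r C:\ProgramData\out.rar C:\Data"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
]


def masquerade_reasons(ev: dict) -> list[str]:
    """Return every reason this record looks like a masquerading rundll32.exe."""
    reasons: list[str] = []
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    expected = EXPECTED_ORIGINAL.get(name)
    if expected is None:
        return reasons  # not a name we watch

    if not image.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside System32/SysWOW64")

    orig = (ev.get("original_file_name") or "").lower()
    if orig and orig != expected.lower():
        reasons.append(f"PE OriginalFilename is {ev['original_file_name']}, not {expected}")

    try:
        args = shlex.split(ev["command_line"], posix=False)[1:]
    except ValueError:
        args = []
    # WinRAR syntax: <exe> a [switches] <archive> <files>; real rundll32 takes "dll,Entry".
    if args and args[0].lower() == "a" and any(RAR_PASSWORD_SWITCH.match(a) for a in args[1:]):
        reasons.append("WinRAR-style password-protected archive creation")
    return reasons


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged image path to its list of reasons."""
    return {ev["image"]: r for ev in events if (r := masquerade_reasons(ev))}


if __name__ == "__main__":
    for image, reasons in scan(EVENTS).items():
        print(image)
        for r in reasons:
            print("  -", r)
```

The three checks are independent on purpose: an attacker who drops the renamed archiver into System32 defeats the path check, and one who strips version information defeats the OriginalFilename check, but a password-protected archive still has to be created with the archiver's own syntax.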
Cybereason believes that this campaign has ended, but it cannot be certain. Assaf Dahan, senior director and head of threat research at Cybereason, did point out that there are several indications that evolutions of the campaign might have been active recently. He also told SecurityWeek, “It is likely there are many more victims worldwide given the level of sophistication in the attack and the fact the campaign launched in 2019 and wasn’t discovered until last year.”