China’s Winnti Group Seen Targeting Governments in Sri Lanka, Hong Kong

The Chinese state-sponsored threat group Winnti has been observed targeting governmental entities in Sri Lanka and Hong Kong in recent campaigns.

Active since at least 2007 and also tracked as APT41, Barium, Blackfly, Double Dragon, Wicked Panda, and Wicked Spider, the Winnti Group is believed to consist of multiple subgroups that engage in both cyberespionage and financially motivated operations.

As part of a campaign ongoing since early August, the threat actor has been deploying various payloads against government entities in Sri Lanka, including the KeyPlug malware and a new backdoor called DBoxAgent. This appears to be the first time Winnti has targeted Sri Lanka.

The timing of the campaign, which coincides with a geopolitical event involving China and Sri Lanka, together with the observed tactics, techniques, and procedures (TTPs), suggests that the Winnti group was behind the operation, Malwarebytes says.

The attack starts with an ISO file that masquerades as a document and contains a shortcut (LNK) file posing as a folder, an executable, and a DLL. When the intended victim clicks the shortcut, the legitimate-looking executable runs and side-loads the malicious DLL from the same directory.

Next, shellcode for a new backdoor called DBoxAgent is loaded in memory. The malware uses Dropbox for command and control (C&C), so its traffic blends in with legitimate Dropbox activity and is less likely to be flagged by network defenses, and it gives the attackers full control over the victim machine.

DBoxAgent allows the attackers to steal information from the system and to download additional payloads. Malwarebytes has seen Winnti deploy SerialVlogger (second stage), VLOG.IPDB (third-stage DLL loader), and KeyPlug (fourth stage).
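The two behaviours in the chain above, an executable launched from a mounted ISO side-loading a DLL from its own directory and a backdoor talking to Dropbox for C&C, are both visible in endpoint telemetry. The following is an added detection example written for this page; it is not code from the original article, from Malwarebytes, or from Symantec. It runs over constructed Sysmon-style events (process create, image load, network connect) and flags (1) a user-launched executable outside a standard install directory that loads an unsigned DLL from the directory it lives in, and (2) any process other than the Dropbox client connecting to Dropbox API hosts. The event fields, the Dropbox host and client lists, the trusted-directory list, and the sample paths are assumptions for illustration and should be tuned to your environment.

```python
"""Flag ISO/LNK DLL side-loading and Dropbox-as-C&C over Sysmon-style events.

Added example for illustration; not the tooling of any vendor named on the page.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed: hosts the Dropbox API is reached through, and the Dropbox client
# binaries that legitimately contact them.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
DROPBOX_CLIENTS = {"dropbox.exe", "dropboxupdate.exe"}
# Assumed: normal install locations. A mounted ISO appears as its own drive
# letter, so an executable run from one never sits under these.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    """Subset of Sysmon fields: 1 = ProcessCreate, 7 = ImageLoad, 3 = NetworkConnect."""
    event_id: int
    pid: int
    image: str              # the process's own executable
    parent_image: str = ""  # event 1
    image_loaded: str = ""  # event 7
    signed: bool = True     # event 7: Sysmon's Signed/SignatureStatus collapsed to a bool
    dest_host: str = ""     # event 3


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events):
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    user_launched = set()  # pids spawned by explorer.exe, i.e. a double-click
    for ev in events:
        if ev.event_id == 1 and _name(ev.parent_image) == "explorer.exe":
            user_launched.add(ev.pid)
        elif ev.event_id == 7:
            # Side-loading: the exe pulls an unsigned DLL from its own directory,
            # and that directory is not a normal install location.
            if (ev.pid in user_launched and not ev.signed
                    and _dir(ev.image_loaded) == _dir(ev.image)
                    and not _in_trusted_dir(ev.image)):
                alerts.append(f"sideload pid={ev.pid}: {ev.image} loaded {ev.image_loaded}")
        elif ev.event_id == 3:
            # Dropbox as C&C: anything but the Dropbox client talking to the API.
            if (ev.dest_host.lower() in DROPBOX_API_HOSTS
                    and _name(ev.image) not in DROPBOX_CLIENTS):
                alerts.append(f"dropbox-c2 pid={ev.pid}: {ev.image} -> {ev.dest_host}")
    return alerts


# Constructed sample telemetry: pid 4242 is the ISO/LNK side-loading chain
# (E: is the mounted ISO), pids 5000 and 6000 are benign controls.
SAMPLE_EVENTS = [
    Event(1, 4242, r"E:\Report\viewer.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event(7, 4242, r"E:\Report\viewer.exe", image_loaded=r"C:\Windows\System32\kernel32.dll", signed=True),
    Event(7, 4242, r"E:\Report\viewer.exe", image_loaded=r"E:\Report\helper.dll", signed=False),
    Event(3, 4242, r"E:\Report\viewer.exe", dest_host="api.dropboxapi.com"),
    Event(1, 5000, r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event(3, 5000, r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe", dest_host="api.dropboxapi.com"),
    Event(1, 6000, r"C:\Program Files\Vendor\app.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event(7, 6000, r"C:\Program Files\Vendor\app.exe", image_loaded=r"C:\Program Files\Vendor\plugin.dll", signed=False),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the side-loading chain produces alerts: the unsigned helper.dll loaded from the ISO directory, and viewer.exe reaching the Dropbox API. The Dropbox client itself and an unsigned plugin under Program Files are left alone, which is the trade-off to watch: the trusted-directory list suppresses noise from vendor software but also means an attacker who gets a dropper into one of those paths is not caught by this rule.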

“This whole attack has Winnti’s signature fingerprints all over it. The most significant one probably is the use of KeyPlug malware, which is exclusively used by this group, and most likely developed by them,” Malwarebytes says.

Recently, the Winnti group has also turned its attention to government organizations in Hong Kong, in what appears to be a continuation of Operation CuckooBees, a cyberespionage campaign that remained undetected for roughly three years.

As part of this activity, the attackers deployed the Spyder Loader trojan on their victims’ networks, most likely for intelligence collection. The final payload used in this campaign, however, remains elusive, says Symantec, which has been tracking this activity.

Symantec has nevertheless seen the attackers deploy various other tools on the victim networks, including a modified SQLite DLL, Mimikatz, and a trojanized ZLib DLL.

“While we do not see the final payload delivered in this campaign, the use of the Spyder Loader malware and crossover with the activity previously identified […], combined with the victims seen in this recent activity, make it most likely that the motivation behind this activity is intelligence gathering,” Symantec notes.

Related: China’s Winnti Group Hacked at Least 13 Organizations in 2021: Security Firm

Related: U.S. State Governments Targeted by Chinese Hackers via Zero-Day in Agriculture Tool

Related: China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
