Winnti is a notorious adversary that has been operational since at least 2010 and is believed to be operating in coordination with or supported by the Chinese government. The group has conducted cyber espionage and financially motivated activities across various industries, including technology, healthcare, and pharmaceuticals.
During the COVID-19 pandemic, Winnti intensified its focus on healthcare and pharmaceutical companies, attempting to steal sensitive medical research and vaccine data. Winnti has also been attributed to several high-profile supply chain attacks, compromising trusted software updates to distribute malware across a wide user base.
Their diverse range of targets and objectives demonstrates a commitment to illicitly obtaining valuable intellectual property, trade secrets, and financial data.
Winnti is known to use the group’s namesake backdoor, primarily employed for initial infection and maintaining persistent access. Several groups have utilized this backdoor, leading the security industry to track Winnti’s activities in different clusters. Winnti also employs the ShadowPad modular backdoor for remote control and data exfiltration, as well as the PlugX Remote Access Trojan (RAT).
AttackIQ has released a content bundle consisting of three new attack graphs emulating Winnti’s latest activities to help customers validate their security controls and their ability to defend against this threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against a notorious and stealthy long-standing adversary.
- Assess their security posture against the Tactics, Techniques and Procedures (TTPs) employed by Winnti during three long-term and high-impact operations.
- Continuously validate detection and prevention channels against a highly sophisticated and espionage-motivated threat.
Winnti – 2022-05 – Operation CuckooBees
The first attack graph is based on a report published in 2021 by the Cybereason Nocturnus Incident Response Team and divided into two parts: Part 1 and Part 2. This report is the result of an investigation of multiple intrusions that targeted technology and manufacturing companies located in Asia, Europe, and North America.
Execution & Discovery – Malware Execution and Local Discovery
This stage commences immediately after the deployment of a Webshell, with the execution of an encoded VBScript via CScript. Following the deployment, a discovery routine is initiated to gather critical information including network configuration, system details, files and directories, local account data, and a list of running services.
Command and Scripting Interpreter: Visual Basic (T1059.005): This scenario attempts to execute a Visual Basic Script (VBS) via cscript.exe.
System Network Configuration Discovery (T1016): This scenario executes route, ipconfig, nltest, net or arp commands to obtain the information available about the network configuration.
System Information Discovery (T1082): This scenario executes the systeminfo command to collect information about the compromised system.
Account Discovery: Local Account (T1087.001): This scenario executes the native net user Windows command to get a list of local accounts.
System Service Discovery (T1007): This scenario executes sc, Get-Service, net start or tasklist /svc commands to query all running Windows services.
File and Directory Discovery (T1083): This scenario executes the dir command to discover files and directories.
Credential Access – Local Credential Dumping
This stage focuses on credential access, beginning with the dumping of three registry hives into a temporary folder. The hives extracted are HKLM\SYSTEM, HKLM\SAM, and HKLM\SECURITY. Following this, Mimikatz is employed to dump credentials from the system.
OS Credential Dumping: Security Account Manager (T1003.002): This scenario attempts to save a copy of the SAM, SYSTEM, and SECURITY registry hives to temporary files by executing the native Windows reg save command.
Ingress Tool Transfer (T1105): Two separate scenarios download known malicious content, one to memory and one to disk, to test network and endpoint controls and their ability to prevent its delivery.
OS Credential Dumping (T1003): This scenario utilizes an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.
Discovery – Local and Network Reconnaissance
This stage focuses entirely on exhaustive discovery. The attacker gathers a wide array of information, including NetBIOS domain names, peripheral device details, password policies, a list of domain administrator accounts, running processes, system time and time zone, active network connections, network adapter details, network topology, network shares, and currently logged-in users.
System Network Connections Discovery (T1049): This scenario executes the net session command to list the active network sessions of the system.
System Network Configuration Discovery (T1016): This scenario executes the ipconfig /all command to retrieve information about all network adapters.
Application Layer Protocol: DNS (T1071.004): This scenario executes the nslookup Windows command to resolve a domain via DNS.
System Network Configuration Discovery (T1016): This scenario executes the nbtstat -n command to obtain the computer’s local NetBIOS domain names.
System Network Configuration Discovery: Internet Connection Discovery (T1016.001): This scenario executes the tracert command to gather information about the topology of the network.
Peripheral Device Discovery (T1120): This scenario executes fsutil fsinfo drives to gather information about attached peripheral devices and components connected to the system.
Password Policy Discovery (T1201): This scenario executes a batch script with the net accounts Windows command to obtain information regarding password policies.
Account Discovery: Domain Account (T1087.002): This scenario executes net group to list domain administrator accounts.
Network Share Discovery (T1135): This scenario executes the net share command to list network shares on the system.
Process Discovery (T1057): This scenario enumerates processes running on the target asset through the tasklist Windows utility.
System Owner/User Discovery (T1033): This scenario executes a batch script with the query user and whoami commands to retrieve information about users logged on to the system.
System Time Discovery (T1124): This scenario executes the net time command to identify the time and time zone of the compromised system.
Command and Control & Execution – Malware Arsenal Deployment
During this stage, the Winnti malware arsenal is deployed, beginning with Winnti SpiderLoader, which is executed via the RunDLL32 Windows utility. Following this, the Winnti Stashlog sample is dropped and executed through reflective DLL injection.
System Binary Proxy Execution: Rundll32 (T1218.011): This scenario executes an exported function from a specific DLL using the rundll32.exe Windows utility.
Reflective Code Loading (T1620): This scenario takes a default AttackIQ DLL and loads it into the memory space of its own process in order to execute the desired DLL function.
Command and Control & Discovery – Additional Tooling Rollout
In this stage, the attacker retrieves the machine’s Globally Unique Identifier (GUID) to build a unique identifier for the victim. After that, Winnti Privatelog is deployed into the system and executed via DLL side-loading. Subsequently, the attacker performs lateral movement through Remote Desktop Protocol (RDP). Lastly, exfiltration takes place via HTTP to an AttackIQ-controlled test server.
System Information Discovery (T1082): This scenario calls the GetVolumeNameForVolumeMountPointA Windows API function for each drive letter to retrieve the volume GUID path.
Query Registry (T1012): This scenario executes the reg query command to obtain information from the registry.
Hijack Execution Flow: DLL Side-Loading (T1574.002): This scenario leverages a legitimate and trusted executable to load a malicious Dynamic-link Library (DLL).
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario exfiltrates a pre-generated text file containing common password patterns. The file is exfiltrated using an HTTP POST request to an AttackIQ-controlled test server.
Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to move laterally within a network using the Remote Desktop Protocol (RDP).
Winnti – 2021-09 – Operation Harvest
The second attack graph is based on a report published by Trellix in September 2021, which detailed a long-term and stealthy campaign dubbed “Operation Harvest”.
The operation involved the deployment of the well-known Winnti backdoor for remote access. Additionally, it was supported by several utilities and tools such as PsExec for lateral movement, ProcDump for process dumping, Mimikatz for credential dumping, and the open-source tools BadPotato and RottenPotato for privilege escalation. Furthermore, the operation utilized the PlugX commodity malware, primarily used by China-based adversaries to maintain persistence, execute commands, and exfiltrate data.
The combined use of these tools enabled Winnti to effectively infiltrate the network, gather sensitive information, and maintain a stealthy presence over extended periods of time.
Initial Access & Execution – PlugX Delivery
This stage begins immediately after a compressed RAR file containing PlugX malware is delivered to the system. The RAR file includes three components: a legitimate executable, a Dynamic-Link Library (DLL), and a binary file. When the executable is run, the DLL is loaded via DLL side-loading, which then loads the PlugX configuration from the binary file. Subsequently, code injection is performed against various processes. Finally, PlugX attempts to achieve persistence by creating Scheduled Tasks.
Process Injection: Dynamic-link Library Injection (T1055.001): This scenario performs the injection of a Dynamic-link Library (DLL) into a process utilizing CreateRemoteThread and LoadLibrary.
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario attempts to create a new scheduled task for persistence using the schtasks utility.
Credential Access – Local Credential Dumping
This stage focuses on obtaining credentials by deploying the Mimikatz hacktool. Immediately after its deployment, credentials are dumped from memory.
Execution & Lateral Movement – Winnti Backdoor Deployment
This stage begins with the saving of a Dynamic-Link Library (DLL) file, which will be executed using Windows RunDLL32. This is followed by the creation of a new service to achieve persistence within the system. Finally, the Winnti backdoor deployment takes place, where the executable is saved to disk and performs code injection to facilitate its execution and further operations.
Create or Modify System Process: Windows Service (T1543.003): This scenario leverages the native sc command line tool to create a new service and then queries it to verify that the service was created correctly.
Discovery & Collection – Data Staging and Data Exfiltration
This stage focuses on the discovery and collection techniques. The discovery routine involves identifying files and directories, network shares, system information, and user information. Subsequently, the collected data is staged for further exfiltration through the encrypted command and control (C2) channel.
Data Staged: Local Data Staging (T1074.001): This scenario performs the automated collection of files and stores them in a specific directory prior to their exfiltration.
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario exfiltrates a pre-generated text file containing the output from a series of discovery commands executed by a threat actor. The file is exfiltrated using an HTTP POST request to an AttackIQ-controlled test server.
Winnti – 2022-08 – Campaign Targeting Government Entities in Sri Lanka
The last attack graph is based on a report released in August 2022 by the Malwarebytes Threat Intelligence Team where they uncovered a campaign targeting government entities in Sri Lanka. During this activity, Winnti utilized an ISO file, hosted on Google Drive, disguised as a document purporting to contain information regarding economic assistance.
Initial Access & Execution – Malware Delivery
This stage begins with the download and saving of DBoxAgent’s ISO file, which drops three additional files onto the system: a Windows Shortcut (LNK) file, an executable file, and a Dynamic-Link Library (DLL) that is subsequently executed via DLL side-loading.
Discovery & Exfiltration – Local System Discovery
In this stage, the network discovery process commences to acquire adapter details alongside system information from the compromised system. The gathered information is staged and prepared for exfiltration through the HTTPS protocol.
System Network Configuration Discovery (T1016): This scenario calls the GetAdaptersInfo Windows native API function to retrieve adapter information from the local computer.
Execution – SerialVlogger and KeyPlug Deployment
This stage starts with the deployment of SerialVlogger into the system by utilizing three key files: an IPDB file, a Dynamic-Link Library (DLL), and an executable file, which are executed through DLL side-loading. Subsequently, a discovery routine takes place to acquire information about the volume name, serial number, and file system type. Finally, the KeyPlug malware is deployed and executed through code injection.
System Information Discovery (T1082): This scenario calls the GetVolumeInformationA Windows native API function for each drive letter to retrieve the volume name, serial number, and file system type.
Detection and Mitigation Opportunities
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Scheduled Task/Job: Scheduled Task (T1053.005)
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.
1a. Detection
With an EDR or SIEM platform, you can detect the following commands being issued to schedule a malicious task.
Process Name = ("cmd.exe" OR "Powershell.exe")
Command Line CONTAINS ("schtasks" AND "/CREATE" AND ("cmd" OR "powershell"))
1b. Mitigation
MITRE ATT&CK has the following mitigation recommendations for Scheduled Task:
- M1047 – Audit
- M1028 – Operating System Configuration
- M1026 – Privileged Account Management
- M1018 – User Account Management
2. Hijack Execution Flow: DLL Side-Loading (T1574.002):
Malware commonly uses side-loading to load malicious code into legitimate running processes, blending in with legitimate applications so that it remains hidden and appears normal on the compromised system.
2a. Detection
Searching for common processes that perform uncommon actions can help identify when a process has been compromised. Monitoring for newly created processes and for DLL/PE file events, specifically the creation and loading of DLLs into running processes, can help identify when a system process has been compromised.
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations:
3. Windows Service (T1543.003):
Actors can create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.
3a. Detection
The following rules can help identify when this persistence mechanism is being set up.
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ('sc' AND 'create' AND 'start= "auto"')
3b. Mitigation
MITRE ATT&CK has the following mitigation recommendations:
4. System Binary Proxy Execution: Rundll32 (T1218.011) and Regsvr32 (T1218.010):
Adversaries may use DLL files for many of their malware payloads and use native Windows utilities to execute them. The primary native methods for executing these files are to call the RunDll32 or RegSvr32 utilities and pass along the path and export function to be executed.
4a. Detection
While these two native tools are commonly used by legitimate applications, there are behaviors related to their execution that can stand out in your process logs. Searching for files executed from temporary directories, files that lack the standard .dll extension, or calls to unusual-looking export names can surface activity that stands out from regular user behavior.
Process Name == (rundll32.exe OR regsvr32.exe)
Command Line CONTAINS ('TEMP' OR '.png' OR 'Roaming' OR '%APPDATA%')
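As an added example, not part of the AttackIQ post, the three process-based detection rules from sections 1a, 3a and 4a are turned into executable matching logic and run over constructed process-creation events. The event field names, the sample command lines and the word-boundary tightening of the page's plain CONTAINS checks are assumptions made here, not part of the original rules.

```python
"""Constructed process-creation events run through the page's three rules."""
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Minimal process-creation record (think Sysmon Event ID 1 or Security 4688)."""
    record_id: int
    image: str          # process name, e.g. "cmd.exe"
    command_line: str

# Paths the page flags for rundll32/regsvr32: user-writable dirs or odd extensions.
PROXY_PATHS = r"\btemp\b|\.png\b|\broaming\b|%appdata%"

# (technique, process names the rule applies to, regexes that must ALL match).
# Word boundaries tighten the page's plain CONTAINS checks so that "sc" does
# not fire on "schtasks" or "scp" and "create" does not fire on "created".
RULES = [
    # 1. schtasks /CREATE whose action launches cmd or powershell. Caveat: when
    #    the line itself starts with cmd.exe the last clause is trivially true,
    #    so review the /TR value of each hit rather than treating it as proof.
    ("T1053.005", {"cmd.exe", "powershell.exe"},
     [r"\bschtasks\b", r"/create\b", r"\b(?:cmd|powershell)\b"]),
    # 2. sc create ... start= auto; sc.exe accepts the value quoted or bare.
    ("T1543.003", {"cmd.exe", "powershell.exe"},
     [r"\bsc\b", r"\bcreate\b", r'\bstart=\s*"?auto"?']),
    # 3. System binary proxy execution, one sub-technique per binary.
    ("T1218.011", {"rundll32.exe"}, [PROXY_PATHS]),
    ("T1218.010", {"regsvr32.exe"}, [PROXY_PATHS]),
]

def evaluate(event: ProcessEvent) -> list[str]:
    """Return the technique IDs whose rule matches this one event."""
    return [
        technique for technique, images, patterns in RULES
        if event.image.lower() in images
        and all(re.search(p, event.command_line, re.I) for p in patterns)
    ]

def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map record_id -> matched techniques, omitting events that matched nothing."""
    return {e.record_id: hits for e in events if (hits := evaluate(e))}

# Constructed samples: records 1-3 mirror the page's scenarios, 4-6 are benign.
SAMPLE_EVENTS = [
    ProcessEvent(1, "cmd.exe", 'cmd.exe /c schtasks /Create /SC ONLOGON /TN Updater '
                               '/TR "powershell -w hidden -f C:\\Users\\Public\\u.ps1"'),
    ProcessEvent(2, "powershell.exe", 'powershell -c "sc create WinSvcUpd '
                                      'binPath= C:\\ProgramData\\svc.exe start= auto"'),
    ProcessEvent(3, "rundll32.exe", "rundll32.exe C:\\Users\\bob\\AppData\\Roaming\\lib.png,Start"),
    ProcessEvent(4, "cmd.exe", "cmd.exe /c schtasks /Query /TN Updater"),
    ProcessEvent(5, "rundll32.exe", "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    ProcessEvent(6, "cmd.exe", "cmd.exe /c sc query wuauserv"),
]
```

Running `scan(SAMPLE_EVENTS)` flags only records 1 to 3; the benign query commands in records 4 to 6 produce no hits even though they contain the substrings "schtasks" and "sc".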
4b. Mitigation
Wrap Up
In summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against an espionage-motivated adversary that operates on behalf of the interests of the Chinese government. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.