Security researchers at Positive Technologies have revealed a series of attacks carried out by a Chinese APT hacking group, targeting organizations in Russia and Hong Kong. The experts attribute the attacks to the Winnti APT group (also known as APT41), which is associated with China, and report that the attackers used an old backdoor that had not previously been identified.
The Winnti group was first spotted by Kaspersky in 2013 but, according to researchers, has been active since 2007. Experts believe that Winnti is made up of many other APT teams, such as Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, Group 72, Blackfly and ShadowPad. The group targets organizations in a variety of industries, including aviation, gambling, pharmaceuticals, technology, telecommunications and software development.
The recent attacks, discovered by Positive Technologies, were first identified on May 12, 2020, when experts spotted several samples of the new malware, which were originally mistakenly attributed to the Higaisa hackers. While investigating the attack, the experts discovered a number of new malware samples used by the attackers, including various droppers, loaders and injectors. The attackers used the Crosswalk, ShadowPad and PlugX backdoors, and the researchers also observed a sample of a previously unidentified backdoor called "FunnySwitch".
In the first attack, the hackers used LNK shortcuts to extract and execute the malware payload. In the second attack, detected on May 30, they used a malicious archive (CV_Colliers.rar) containing shortcuts to two bait PDF documents: a CV and an IELTS certificate.
The Winnti team focuses on the computer game industry, having previously targeted game developers, and recently "hit" Russian companies in the same industry. The targets of the recent attacks include Battlestate Games, a Unity3D game developer from St. Petersburg.
In June, researchers located an active HttpFileServer (HFS) on one of the active C2 servers. The HFS contained an email icon, a screenshot of a game with Russian text, a screenshot of a game development company's website, and a screenshot of CVE-2020-0796 vulnerability information from the Microsoft website. The files were used two months later, on August 20, 2020, in attacks that also utilized a standalone loader for the Cobalt Strike Beacon PL shellcode.
The discovery led experts to believe they had found traces of preparation and subsequent successful implementation of an attack on Battlestate Games.
Winnti continues to target game developers and publishers in Russia and other countries. Small studios tend to neglect information security, which makes them vulnerable to attacks. Attacks on software developers are particularly dangerous because they expose end users to risk, as has already happened in the well-known cases of CCleaner and ASUS. By ensuring early detection and investigation of breaches, companies can avoid falling victim to such a scenario.