Chinese hackers perform 'rarely seen' Windows mechanism abuse in three-year campaign

Operation CuckooBees is an elaborate operation against companies in the US and beyond.
Written by Charlie Osborne, Contributing Writer

Researchers have disclosed a sophisticated Winnti cyber campaign that abuses Windows mechanisms in a way 'rarely seen."

According to Cybereason, the Chinese advanced persistent threat (APT) group Winnti is behind the campaign, which has gone undetected for years.

Active since at least 2010, Winnti is a threat group that operates using a vast array of malware and tools at its disposal. The APT, also known as APT41, BARIUM, or Blackfly, is suspected of working on behalf of the Chinese state and focuses on cyberespionage and data theft.

Past attacks connected to the group include cyberattacks against video game developers, software vendors, and universities in Hong Kong. Winnti also capitalized on the Microsoft Exchange Server ProxyLogon flaws, alongside other APTs, when the critical vulnerabilities were first made public.

In two reports published on Wednesday, Cybereason said the company had briefed both the FBI and US Department of Justice (DoJ) on the APT's campaign, which has been active since 2019 but only recently exposed.

According to the cybersecurity researchers, the covert attacks have been focused on infiltrating the networks of technology and manufacturing companies in Europe, Asia, and North America, focusing on stealing sensitive proprietary information.

Dubbed Operation CuckooBees, Winnti's "multi-stage infection chain" begins with exploiting vulnerabilities in enterprise resource planning (ERP) software and the deployment of the Spyder loader. The researchers say that some of the exploited bugs were known, but others were also zero-day vulnerabilities.

Once access to an enterprise system is achieved, a webshell, made up of simple code published on websites in the Chinese language, is dropped to maintain persistence.

In addition, Winnti tampers with the Windows feature WinRM over HTTP/HTTPS and IKEEXT and PrintNotify Windows services to create backup persistence mechanisms and to sideload Winnti DLLs.

The group then performs detailed reconnaissance on the operating system, network, and user files, before attempting to crack passwords locally using credential dumping techniques and tools.

Remote scheduled tasks are used to try and move laterally across networks.

Of particular note is Winnti's use of Stashlog, malicious software designed to abuse the Microsoft Windows Common Log File System (CLFS).

Stashlog manipulates the Transactional NTFS (TxF) and Transactional Registry (TxR) operations of CLFS. The executable stashes a payload into the CLFS log file as part of the infection chain.

"The attackers leveraged the Windows CLFS mechanism and NTFS transaction manipulations, which allowed them to conceal their payloads and evade detection by traditional security products," Cybereason says, adding that such abuse of CLFS is "rarely seen."

Following Stashlog activities, the APT will then use various tools, including Sparklog, Privatelog, and Deploylog. These malware variants extract data from the CLFS log, escalate privileges, enable further persistence, and will deploy the Winnkit rootkit driver - which acts as a kernel-mode agent to intercept TCP/IP requests.

As the investigation into Winnti's campaign is ongoing, the cybersecurity firm has only been able to share partial Indicators of Compromise (IoCs).

"Perhaps one of the most interesting things to notice is the elaborate and multi-phased infection chain Winnti employed," the researchers say. "The malware authors chose to break the infection chain into multiple interdependent phases, where each phase relies on the previous one in order to execute correctly.

This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order."

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards