Security News > 2022 > May > Hackers stole data undetected from US, European orgs since 2019
The Chinese hacking group known as 'Winnti' has been stealthily stealing intellectual property assets like patents, copyrights, trademarks, and other corporate data - all while remaining undetected by researchers and targets since 2019.
Winnti establishes persistence via an encoded WebShell, by abusing the WinRM protocol for remote access, the IKEEXT and PrintNotify Windows services for DLL side-loading, or by loading a signed kernel rootkit.
For lateral movement, the hackers continue to abuse the Windows Scheduled Tasks along with a set of special batch files.
What stands out in Cybereason's report is a new Winnti malware dubbed "DEPLOYLOG" and the method of abuse of the Windows CLFS mechanism for payload concealing.
The DEPLOYLOG malware, which hasn't been documented before, is a 64-bit DLL that extracts and executes Winnti's final payload, the WINNKIT rootkit, and then establishes two communication channels with the remote C2 and the kernel-level rootkit.
For more details on Winnti's TTPs, check out an additional Cybereason blog piece that focuses on the techniques, or a third devoted to the malware used in the campaign.