Security News > 2022 > May > Hackers stole data undetected from US, European orgs since 2019
The Chinese hacking group known as 'Winnti' has been stealthily stealing intellectual property assets like patents, copyrights, trademarks, and other corporate data - all while remaining undetected by researchers and targets since 2019.
Winnti establishes persistence via an encoded WebShell, by abusing the WinRM protocol for remote access, the IKEEXT and PrintNotify Windows services for DLL side-loading, or by loading a signed kernel rootkit.
For lateral movement, the hackers continue to abuse the Windows Scheduled Tasks along with a set of special batch files.
What stands out in Cybereason's report is a new Winnti malware dubbed "DEPLOYLOG" and the method of abuse of the Windows CLFS mechanism for payload concealing.
The DEPLOYLOG malware, which hasn't been documented before, is a 64-bit DLL that extracts and executes Winnti's final payload, the WINNKIT rootkit, and then establishes two communication channels with the remote C2 and the kernel-level rootkit.
For more details on Winnti's TTPs, check out an additional Cybereason blog piece that focuses on the techniques, or a third devoted to the malware used in the campaign.
News URL
Related news
- US says Chinese hackers breached multiple telecom providers (source)
- US indicts Snowflake hackers who extorted $2.5 million from 3 victims (source)
- Hacker gets 10 years in prison for extorting US healthcare provider (source)
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' (source)
- Faraway Russian hackers breached US organization via Wi-Fi (source)
- US shares tips to block hackers behind recent telecom breaches (source)