Winnti APT continues to target game developers in Russia and abroad

A Chinese Threat actor targeted organizations in Russia and Hong Kong with a previously undocumented backdoor, experts warn.

Cybersecurity researchers from Positive Technologies have uncovered a series of attacks conducted by a Chinese threat actor that aimed at organizations in Russia and Hong Kong. Experts attribute the attacks to the China-linked Winnti APT group (aka APT41) and reported that the attackers used a previously undocumented backdoor in the attacks.

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, Group 72, Blackfly, and APT41, and ShadowPad.

The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

The recent attacks documented by Positive Technologies were first spotted on May 12, 2020, at the time the experts detected several samples of the new malware that were initially incorrectly attributed to the Higaisa threat actors. Investigating the attack, the experts discover a number of new malware samples used by the attackers, including various droppers, loaders, and injectors. The attackers also used Crosswalk, ShadowPad, and PlugX backdoors, but security researchers also noticed a sample of a previously undocumented backdoor that they dubbed FunnySwitch.

In the first attack, the threat actors used LNK shortcuts to extract and run the malware payload, while in the second attack detected on May 30, the threat actor used a malicious archive (CV_Colliers.rar) containing the shortcuts to two bait PDF documents with a CV and IELTS certificate.

The LNK files contain links to target pages hosted on Zeplin, a legitimate collaboration services between designers and developers.

The payload consists of two files, the svchast.exe that acts as a simple local shellcode loader, and ‘3t54dE3r.tmp’ that is the shellcode containing the main payload (the Crosswalk malware).

The Crosswalk was first spotted by researchers from FireEye in 2017 Crosswalk and included in an analysis of the activities associated with the APT41 (Winnti) group. The malware is a modular backdoor that implements system reconnaissance capabilities and is able to deliver additional payloads.

Experts also discovered a significant overlap of the network infrastructure with the APT41’s infrastructure.

“The network infrastructure of the samples overlaps with previously known APT41 infrastructure: at the IP address of one of the C2 servers, we find an SSL certificate with SHA-1 value of b8cff709950cfa86665363d9553532db9922265c, which is also found at IP address 67.229.97[.]229, referenced in a 2018 CrowdStrike report. Going further, we can find domains from a Kaspersky report written in 2013.” reads the report published by Positive Technologies. “All this leads us to conclude that these LNK file attacks were performed by Winnti (APT41), which “borrowed” this shortcut technique from Higaisa.”

The Winnti group focus on computer game industry, in the past they targeted game developers and recently they hit Russian companies in the same industry. The targets of the recent attacks include Battlestate Games, a Unity3D game developer from St. Petersburg.

On June, the researchers detected an active HttpFileServer on one of the active C2 servers. The HFS was containing an email icon, screenshot from a game with Russian text, screenshot of the site of a game development company, and a screenshot of information about vulnerability CVE-2020-0796 from the Microsoft website. The files were used two months later, on August 20, 2020, in attacks that also leveraged a self-contained loader for Cobalt Strike Beacon PL shellcode.

The discovery lead the experts into believing that they detected traces of preparation for, and subsequent successful implementation of, an attack on Battlestate Games.

“Winnti continues to pursue game developers and publishers in Russia and elsewhere. Small studios tend to neglect information security, making them a tempting target. Attacks on software developers are especially dangerous for the risk they pose to end users, as already happened in the well-known cases of CCleaner and ASUS. By ensuring timely detection and investigation of breaches, companies can avoid becoming victims of such a scenario.” concludes the report.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Winnti APT)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.