China-linked Winnti APT steals intellectual property from companies worldwide

Pierluigi Paganini May 04, 2022

A sophisticated cyberespionage campaign, dubbed Operation CuckooBees, conducted by the China-linked Winnti group remained undetected since at least 2019.

Researchers from Cybereason uncovered a sophisticated cyberespionage campaign, dubbed Operation CuckooBees, aimed at stealing intellectual property from the victims.

The campaign flew under the radar since at least 2019. The experts attributed it to the China-linked Winnti group; it targeted technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.

“For years, the campaign had operated undetected, siphoning intellectual property and sensitive data.” reads the report published by Cybereason. “With years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information. The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.”

The attribution to the China-linked APT group is based on the analysis of the forensic artifacts.

Winnti (aka APT41, Axiom, Barium, Blackfly) is a cyberespionage group that has been active since at least 2007.

The attacks leverage a multi-step infection chain that starts with attacks on internet-facing servers, attempting to deploy a web shell used for reconnaissance, lateral movement, and data exfiltration.

One of the characteristics of this campaign is the abuse of the Windows CLFS mechanism and NTFS transaction manipulations to conceal the malicious payloads and evade detection by security solutions. The technique has rarely been seen in attacks.


The threat actors gain access to the target organizations by exploiting vulnerabilities in the organizational ERP (Enterprise Resource Planning) platform. Then the attackers achieve persistence by deploying the web shell.

The attackers abuse the legitimate IKEEXT and PrintNotify Windows Services to side-load Winnti DLLs, along with the WinRM protocol for remote access.

Once they gained access to the target network, the attackers conducted reconnaissance using Windows commands such as:

  • systeminfo
  • net start
  • net user
  • dir c:\ 

“After establishing a foothold on multiple machines in the network, Winnti began leveraging Scheduled Tasks to execute batch scripts by the names “cc.bat” or “bc.bat”. The content of these batch files varied from one machine to another, each time containing different reconnaissance commands based on the attackers’ goals.” continues the report from Cybereason.

Cybereason observed the threat actors using two methods for credential dumping: the first used the known reg save command, and the second was an unknown tool named MFSDLL.exe.

The attackers used the Windows-native Schtasks command to create remote scheduled tasks and execute malicious code in order to perform lateral movement.
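The post-access activity described above (the reconnaissance command set, reg save of registry hives, remote task creation with Schtasks, and the cc.bat / bc.bat batch files) is visible in ordinary process-creation telemetry. The following detection pass is an added example, not code from Cybereason or from this article; the event format (timestamp|host|user|command line) and the sample events are constructed for the example, and the burst threshold and window are assumptions a real rule would tune.

```python
"""Added example: detection pass over Windows process-creation events for the
Winnti post-access activity described in the article.  The event format and
the sample lines are constructed for this example, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: "<ISO timestamp>|<host>|<user>|<command line>".
SAMPLE_EVENTS = [
    "2022-03-01T08:00:01|SRV-ERP01|NT AUTHORITY\\SYSTEM|systeminfo",
    "2022-03-01T08:00:05|SRV-ERP01|NT AUTHORITY\\SYSTEM|net start",
    "2022-03-01T08:00:09|SRV-ERP01|NT AUTHORITY\\SYSTEM|net user",
    "2022-03-01T08:00:12|SRV-ERP01|NT AUTHORITY\\SYSTEM|dir c:\\",
    "2022-03-01T08:15:30|SRV-ERP01|NT AUTHORITY\\SYSTEM|reg save hklm\\sam C:\\Windows\\Temp\\s.dat",
    "2022-03-01T08:20:00|SRV-ERP01|CORP\\svc_admin|schtasks /create /s FS01 /tn update /tr C:\\Windows\\Temp\\cc.bat /sc once /st 08:25",
    "2022-03-01T08:25:00|FS01|NT AUTHORITY\\SYSTEM|cmd.exe /c C:\\Windows\\Temp\\cc.bat",
    "2022-03-01T09:00:00|WS-042|CORP\\alice|systeminfo",  # lone systeminfo: below the burst threshold
]

# The reconnaissance commands named in the report.
RECON_COMMANDS = ("systeminfo", "net start", "net user", "dir c:\\")
# "reg save" of a credential-bearing hive (SAM, SECURITY or SYSTEM).
HIVE_SAVE = re.compile(r"(?:^|\\|\s)reg(?:\.exe)?\s+save\s+\"?hklm\\(sam|security|system)\b")
# Batch file names the report associates with the actor's scheduled tasks.
BATCH_NAMES = re.compile(r'(?:^|[\\\s"])(cc|bc)\.bat\b')


def parse_event(line):
    ts, host, user, cmd = line.split("|", 3)
    # Lower-case and collapse whitespace so the matchers below are case-insensitive.
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "cmd": " ".join(cmd.split()).lower()}


def recon_hits(cmd):
    """Return the recon commands that appear as whole commands in a command line."""
    hits = set()
    for rc in RECON_COMMANDS:
        if re.search(r'(?:^|[\s&|"])' + re.escape(rc) + r"(?:\s|$)", cmd):
            hits.add(rc)
    return hits


def recon_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Alert when one host runs >= threshold distinct recon commands inside the window.
    Threshold and window are assumed values for the example."""
    by_host = defaultdict(list)
    for ev in events:
        for rc in recon_hits(ev["cmd"]):
            by_host[ev["host"]].append((ev["ts"], rc))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            distinct = {rc for ts, rc in hits[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                alerts.append((host, start, sorted(distinct)))
                break  # one alert per host is enough here
    return alerts


def remote_task_target(cmd):
    """Return the /s target host when schtasks creates a task on a remote machine."""
    if not re.search(r"(?:^|\\)schtasks(?:\.exe)?\s", cmd):
        return None
    if not re.search(r"\s/create\b", cmd):
        return None
    m = re.search(r"\s/s\s+(\S+)", cmd)
    return m.group(1) if m else None


def analyze(lines):
    """Run all checks; returns a dict of finding lists keyed by technique."""
    events = [parse_event(l) for l in lines if l.strip()]
    findings = {"recon_burst": recon_bursts(events), "hive_dump": [],
                "remote_task": [], "actor_batch": []}
    for ev in events:
        m = HIVE_SAVE.search(ev["cmd"])
        if m:
            findings["hive_dump"].append((ev["host"], ev["user"], m.group(1)))
        target = remote_task_target(ev["cmd"])
        if target:
            findings["remote_task"].append((ev["host"], target))
        m = BATCH_NAMES.search(ev["cmd"])
        if m:
            findings["actor_batch"].append((ev["host"], m.group(1) + ".bat"))
    return findings


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_EVENTS).items():
        for item in items:
            print(kind, item)
```

On the constructed input the burst check fires once for SRV-ERP01 (four distinct recon commands in eleven seconds) and not for the lone systeminfo on WS-042; the hive check flags the reg save of SAM, and the schtasks line is reported both as a remote task creation against FS01 and, together with its execution on FS01, as a reference to cc.bat. In production the same checks would run against Sysmon Event ID 1 or Security 4688 records, with a parent-process condition (the Task Scheduler service host) added to the batch-name rule to cut noise.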

The threat actors used a renamed Chinese-language version of WinRAR to create password-protected archives containing the stolen data. Attackers employed a sophisticated modular backdoor called Spyder to decrypt and load additional payloads.

Below is a list of malware from the Winnti arsenal analyzed in a report published by the experts: 

  • Spyder: A sophisticated modular backdoor
  • STASHLOG: The initial deployment tool “stashing” payloads in Windows CLFS 
  • SPARKLOG: Extracts and deploys PRIVATELOG to gain privilege escalation and achieve persistence
  • PRIVATELOG: Extracts and deploys DEPLOYLOG
  • DEPLOYLOG: Deploys the WINNKIT Rootkit and serves as a userland agent 
  • WINNKIT: The Winnti Kernel-level Rootkit

The attacks were aimed at stealing intellectual property from the victims, including patents, copyrights, and trademarks. These attacks caused immense losses to the targeted organizations, potentially undermining their economy.

“Winnti is an exceptionally capable adversary. One report states, “The group’s distinct use of supply chain compromises to target select individuals, consistent use of compromised digital certificates, and deployment of bootkits (rare among APT operators), highlight a creative and well-resourced adversary.”” concludes the report. “The Cybereason research agrees with that assessment. Operation CuckooBees offers a glimpse into the evolving Winnti intrusion playbook.”


Pierluigi Paganini

(SecurityAffairs – hacking, Winnti)
