Pierluigi Paganini
February 18, 2025
Researchers from cybersecurity firm LAC uncovered a new cyberespionage campaign, tracked as RevivalStone, carried out by the China-linked APT group Winnti in March 2024. Threat actors targeted Japanese companies in the manufacturing, materials, and energy sectors and used an enhanced version of “Winnti malware.”
The APT group was first spotted by Kaspersky in 2013, but according to the researchers, the gang has been active since 2007.
The experts believe that under the Winnti umbrella, there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad.
LAC states that the Winnti malware employed in the RevivalStone campaign supports new evasion techniques.
The attack chain began by exploiting an SQL injection in an ERP system to deploy a WebShell, then attackers conducted reconnaissance and installed Winnti malware. The threat actors compromised a shared account of the operation and maintenance company to perform lateral movements, breaching the infrastructure provider’s network and impacting multiple organizations.
The threat actor used multiple WebShells in this campaign including “China chopper,” “Behinder,” and “sqlmap file uploader.”
The new Winnti malware persists through the SessionEnv service, initiating a multi-step execution process. It exploits DLL hijacking to load the Winnti Loader, which decrypts and executes the Winnti RAT. The RAT then deploys the Winnti Rootkit, which intercepts TCPIP communications and waits for external C2 commands to execute malicious actions.
The Winnti Loader, also known as PRIVATELOG, loads the Winnti RAT into memory, is supports code obfuscation through jump-based Control Flow Flattening (CFF). The malware also employs XOR and ChaCha20 encryption to obfuscate characteristic strings, further complicating detection and reverse engineering.
“To avoid detection by EDR products, Winnti Loader copies and loads legitimate DLL files required for its operation to the System32 folder. This detection evasion function is also implemented in the “UNAPIMON” malware, which is one of the components of the Winnti malware described below.” reads the report. “In addition, when copying files, Winnti Loader changes the file name to one consisting of an underscore and 5-9 alphabetic characters (e.g., “_syFig.dll” or “_TcsTgyqmk.dll”). Figure 11 shows the code for determining the number of characters in the random string, where a number between 5 and 9 is assigned to the variable v1. The Winnti Loader then dynamically loads the copied libraries and deletes the copied files once the loading is complete.”
LAC discovered references to TreadStone and StoneV5 in the RevivalStone campaign. TreadStone is a Winnti malware controller, also found in last year’s I-Soon leak linked to a Linux malware control panel.
TreadStone is a Winnti malware controller, referenced in leaked i-Soon data as a Linux malware controller. StoneV5 may indicate Winnti version 5.0.
“In recent years, the Winnti Group has been reported to target Asian countries in many cases, and it is highly likely that they are still conducting covert attacks.” concludes the report. “For this reason, we recommend that organizations take stock of their information assets, and implement measures such as patch management for vulnerabilities, checking for configuration errors, and shutting down unnecessary services.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, APT group Winnti)
