Winnti Hackers Attacking Japanese Organizations With New Malware


Feb 14, 2025 - 08:54

The China-based Winnti Group has targeted Japanese organizations in a recent cyberattack campaign known as “RevivalStone,” in the manufacturing, materials, and energy sectors.

This campaign, confirmed in March 2024, utilizes a new version of the Winnti malware with enhanced capabilities.

The Winnti Group, known for its involvement in both cybercrime and espionage, has been linked to APT41, a subgroup with ties to private contractors operating on behalf of the Chinese government.

The Winnti Group initially focused on the gaming industry around 2010 but has since expanded its targets to organizations that handle intellectual property across various fields.

LAC Watch researchers noted that their attacks often align with China’s strategic objectives and have targeted multiple sectors globally.

RevivalStone Campaign

The RevivalStone campaign begins with the exploitation of an SQL injection vulnerability in the target organization’s ERP system, which allows the attackers to deploy a WebShell.

RevivalStone campaign (Source – LAC Watch)

This WebShell is used for reconnaissance and credential collection, facilitating lateral movement within the network. The attackers then deploy Winnti malware as a foothold for further attacks.

The WebShells used in the campaign are:

  1. China Chopper: A generic WebShell used by Chinese attacker groups. It receives POST requests with specific parameters, enabling various attack activities on the target host, ultimately leading to the deployment of Winnti malware.
  2. Behinder (IceScorpion): A multi-platform WebShell supporting PHP, ASP, and JSP. It offers file operations, shell command execution, and proxy functions, loading AES-encrypted payloads.
  3. Sqlmap File Uploader: A GUI-based file uploader used for initial intrusion, leveraging sqlmap to create payloads.

The execution flow of the new Winnti malware follows a structured process, beginning with the SessionEnv service, which loads a legitimate SessEnv.dll that is later modified to load TSMSISrv.dll.

Through DLL hijacking, TSMSISrv.dll then loads the Winnti Loader (mresgui.dll).

This loader decrypts DAT files to initiate the Winnti RAT, which in turn deploys the Winnti Rootkit using the amonitor.sys installer, ensuring deep system infiltration and persistence.

Winnti malware execution flow (Source – LAC Watch)

The Winnti Loader is designed to evade detection by copying legitimate DLLs to the System32 folder and loading them dynamically.

It uses obfuscated code and strings, employing techniques like Control Flow Flattening (CFF) to complicate analysis.
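The side-loading chain described above (SessionEnv service, SessEnv.dll, TSMSISrv.dll, mresgui.dll, amonitor.sys) and the loader's habit of copying legitimate DLLs into System32 point to a straightforward host audit. The Go program below is an added example written for this article; it is not code from LAC Watch and not part of the malware. It checks an in-memory stand-in for System32 against a baseline of known-good SHA256 hashes for the chain members, flags the attacker-attributed file names anywhere under the root, and flags known-good DLL content that turns up under a different name. All file contents and hashes are constructed, and the name svcdummy.dll is invented for the demo; on a real host the fs.FS would be os.DirFS of the System32 directory and the baseline would come from a trusted golden image.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"path"
	"sort"
	"strings"
	"testing/fstest"
)

// Finding is one deviation from the expected state of the side-loading chain.
type Finding struct {
	Path   string
	Reason string
}

// attackerArtefacts are file names the article attributes to the RevivalStone
// chain; neither belongs on a clean host.
var attackerArtefacts = map[string]string{
	"mresgui.dll":  "Winnti Loader",
	"amonitor.sys": "Winnti Rootkit installer",
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditChain checks root (an fs.FS standing in for System32) against baseline,
// a map from legitimate chain member (SessEnv.dll, TSMSISrv.dll) to the SHA256
// of its known-good copy. It reports tampered or missing members, attacker
// file names, and known-good DLL content that appears under another name.
func AuditChain(root fs.FS, baseline map[string]string) ([]Finding, error) {
	var findings []Finding
	canonical := make(map[string]string, len(baseline)) // hash -> expected name
	for name, want := range baseline {
		canonical[want] = name
		data, err := fs.ReadFile(root, name)
		if err != nil {
			findings = append(findings, Finding{name, "chain member missing or unreadable"})
			continue
		}
		if sha256Hex(data) != want {
			findings = append(findings, Finding{name, "hash differs from baseline (tampered side-loading link?)"})
		}
	}
	walkErr := fs.WalkDir(root, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		base := path.Base(p)
		// Windows file names are case-insensitive, so compare lower-cased.
		if role, hit := attackerArtefacts[strings.ToLower(base)]; hit {
			findings = append(findings, Finding{p, "attacker-attributed file present: " + role})
		}
		data, err := fs.ReadFile(root, p)
		if err != nil {
			return err
		}
		if want, known := canonical[sha256Hex(data)]; known && !strings.EqualFold(base, want) {
			findings = append(findings, Finding{p, "known-good DLL content under an unexpected name (expected " + want + ")"})
		}
		return nil
	})
	// Map iteration order is random; sort so reports (and tests) are stable.
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings, walkErr
}

// DemoSystem32 builds a constructed in-memory System32 and its baseline. With
// infected=true it holds a replaced TSMSISrv.dll, both attacker artefacts and a
// renamed copy of the genuine SessEnv.dll (svcdummy.dll is an invented name).
func DemoSystem32(infected bool) (fs.FS, map[string]string) {
	goodSessEnv := []byte("stand-in bytes for the genuine SessEnv.dll")
	goodTSMSI := []byte("stand-in bytes for the genuine TSMSISrv.dll")
	baseline := map[string]string{
		"SessEnv.dll":  sha256Hex(goodSessEnv),
		"TSMSISrv.dll": sha256Hex(goodTSMSI),
	}
	root := fstest.MapFS{
		"SessEnv.dll":  {Data: goodSessEnv},
		"TSMSISrv.dll": {Data: goodTSMSI},
	}
	if infected {
		root["TSMSISrv.dll"] = &fstest.MapFile{Data: []byte("stand-in bytes for a replaced TSMSISrv.dll")}
		root["mresgui.dll"] = &fstest.MapFile{Data: []byte("stand-in loader")}
		root["drivers/amonitor.sys"] = &fstest.MapFile{Data: []byte("stand-in driver installer")}
		root["svcdummy.dll"] = &fstest.MapFile{Data: goodSessEnv}
	}
	return root, baseline
}

func main() {
	root, baseline := DemoSystem32(true)
	findings, err := AuditChain(root, baseline)
	if err != nil {
		fmt.Println("audit error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-22s %s\n", f.Path, f.Reason)
	}
}
```

A hash baseline catches a replaced TSMSISrv.dll and a relocated legitimate DLL, but it does not replace Authenticode checks or loaded-module inspection of the running SessionEnv process; treat it as one hunt query among several, and expect baseline updates after every Windows servicing release.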

dq offset aKernel32Dll ; "kernel32.dll"
dq offset aKernelbaseDll ; "KernelBase.dll"
...
Winnti malware communication flow (Source – LAC Watch)

DAT files are encrypted with AES and ChaCha20. Decryption involves generating keys from the victim’s IP address, MAC address, and network interface GUID.

DAT file decryption process (Source – LAC Watch)

The decryption process uses the Output Feedback (OFB) mode for AES and involves multiple SHA256 hash calculations.
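To make the host-bound key derivation concrete, here is an added Go example; it is not the loader's code and not taken from the LAC Watch report. It chains SHA256 over the IP address, MAC address and interface GUID, feeds the result into AES in OFB mode implemented by hand so the feedback chain is visible, and shows that the same DAT blob decrypts only when the correct host identity is supplied. The field order, separator and number of hash rounds are assumptions (the article gives neither), the ChaCha20 stage is omitted because Go's standard library has no ChaCha20, and every identity value and the payload are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// HostIdentity carries the three host-bound values the article says the
// loader folds into its keys. The sample values used in main are constructed.
type HostIdentity struct {
	IP   string
	MAC  string
	GUID string
}

// DeriveKeyIV models the "multiple SHA256 hash calculations" over the host
// identity. Field order, separator and round count are assumptions made for
// this example; the article does not give the loader's real schedule.
func DeriveKeyIV(id HostIdentity) (key, iv []byte) {
	r1 := sha256.Sum256([]byte(id.IP + "|" + id.MAC + "|" + id.GUID))
	r2 := sha256.Sum256(r1[:]) // second round: 32 bytes used as the AES-256 key
	buf := append(append([]byte{}, r2[:]...), r1[:]...)
	r3 := sha256.Sum256(buf) // third round: first 16 bytes used as the OFB IV
	return r2[:], r3[:aes.BlockSize]
}

// OFBCrypt implements Output Feedback mode by hand so the feedback chain is
// visible: O_0 = IV, O_i = E_K(O_{i-1}), C_i = P_i XOR O_i. Because the
// keystream never depends on the data, one function both encrypts and decrypts.
func OFBCrypt(block cipher.Block, iv, data []byte) []byte {
	bs := block.BlockSize()
	feedback := make([]byte, bs)
	copy(feedback, iv)
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += bs {
		block.Encrypt(feedback, feedback) // next keystream block from the previous one
		n := bs
		if rem := len(data) - off; rem < n {
			n = rem // final partial block: OFB needs no padding
		}
		for i := 0; i < n; i++ {
			out[off+i] = data[off+i] ^ feedback[i]
		}
	}
	return out
}

// DecryptDAT recovers a DAT payload captured from the host described by id.
// Given a different host's identity it returns bytes unrelated to the payload,
// which is why a sandbox cannot decrypt a blob collected elsewhere.
func DecryptDAT(id HostIdentity, blob []byte) ([]byte, error) {
	key, iv := DeriveKeyIV(id)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return OFBCrypt(block, iv, blob), nil
}

// EncryptDAT exists only to build a sample blob; OFB is symmetric, so it is
// literally the same operation as DecryptDAT.
func EncryptDAT(id HostIdentity, plain []byte) ([]byte, error) {
	return DecryptDAT(id, plain)
}

func main() {
	// Constructed identities: the infected host and an analyst's sandbox.
	victim := HostIdentity{IP: "10.20.30.40", MAC: "00-1A-2B-3C-4D-5E",
		GUID: "{11111111-2222-3333-4444-555555555555}"}
	sandbox := HostIdentity{IP: "192.168.56.101", MAC: "08-00-27-AA-BB-CC",
		GUID: "{99999999-8888-7777-6666-555555555555}"}
	payload := []byte("constructed sample payload, not a real Winnti configuration")

	blob, _ := EncryptDAT(victim, payload)
	onVictim, _ := DecryptDAT(victim, blob)
	onSandbox, _ := DecryptDAT(sandbox, blob)
	fmt.Println("decrypts with victim identity: ", bytes.Equal(onVictim, payload))  // true
	fmt.Println("decrypts with sandbox identity:", bytes.Equal(onSandbox, payload)) // false
}
```

The practical consequence for responders is that a DAT file pulled from an infected machine is only useful together with that machine's IP address, MAC address and interface GUID recorded at collection time; detonating the loader in a sandbox yields a different key and therefore no payload.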

The Winnti Group’s reliance on advanced malware and WebShells shows the critical need for strong cybersecurity defenses.

With the increasing sophistication of such threats, organizations must stay proactive, employing cutting-edge security measures to detect, mitigate, and prevent these targeted cyber intrusions.


The post Winnti Hackers Attacking Japanese Organizations With New Malware appeared first on Cyber Security News.