
A sophisticated cyber campaign, dubbed RevivalStone, has been attributed to the China-affiliated threat actor known as Winnti. This campaign specifically targets Japanese companies in the manufacturing, materials, and energy sectors. Winnti, active since at least 2012, has recently shifted its focus towards Asian manufacturing and materials organizations.
Winnti's Cyber Espionage Tactics
Research indicates that Winnti's activities overlap with Earth Freybug, a subgroup of the notorious APT41 cyber espionage group. The threat actor is exploiting vulnerabilities in applications such as IBM Lotus Domino to deploy a range of malicious software. These include DEATHLOTUS, UNAPIMON, PRIVATELOG, CUNNINGPIGEON, WINDJAMMER, and SHADOWGAZE.
Exploitation Techniques
Winnti has been observed exploiting an SQL injection vulnerability in an enterprise resource planning (ERP) system to install web shells on compromised servers. After gaining access, the group harvests credentials, conducts reconnaissance, and deploys the Winnti malware. This version of the malware has been enhanced and could potentially be used to breach managed service providers.
- Obfuscation: The malware employs techniques to hide its presence.
- Encryption: Updated algorithms are used to secure communications.
- Evasion: Designed to bypass security products effectively.
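As an added defensive illustration (not code from the page or from the Winnti research), the Python sketch below walks a constructed web-server access log and flags the sequence described above: an injection-looking request against an ERP endpoint, followed by the same source requesting a server-side script that no client had asked for before, which is how a freshly dropped web shell often first shows up in logs. The log format, paths and addresses are invented for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (simplified common log format); these lines are
# invented for this example and are not indicators from the RevivalStone report.
SAMPLE_LOG = """\
10.0.0.5 [12/Feb/2025:10:01:02] "GET /erp/report.aspx?id=1 HTTP/1.1" 200
10.0.0.5 [12/Feb/2025:10:01:09] "GET /erp/report.aspx?id=1'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500
10.0.0.5 [12/Feb/2025:10:02:40] "POST /erp/uploads/cmd.aspx HTTP/1.1" 200
10.0.0.7 [12/Feb/2025:10:03:00] "GET /erp/report.aspx?id=2 HTTP/1.1" 200
10.0.0.7 [12/Feb/2025:10:03:05] "GET /erp/uploads/logo.png HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
# Crude SQL-injection indicator: a quote followed by a SQL keyword or comment marker.
SQLI_RE = re.compile(r"'\s*(union|select|--|;|or\b|and\b)", re.IGNORECASE)
SCRIPT_EXT = (".aspx", ".asp", ".jsp", ".php")


def find_webshell_candidates(log_text):
    """Return (source_ip, path) pairs for script requests that follow an
    injection-looking request from the same source and hit a path that no
    client had requested before. Assumes the log is in chronological order."""
    seen_paths = set()   # every path requested so far, by any client
    injected = set()     # sources that have sent an SQLi-looking request
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue     # skip malformed lines rather than crash
        src, _method, target, _status = m.groups()
        path, _, query = target.partition("?")
        if SQLI_RE.search(unquote(query)):
            injected.add(src)
        elif src in injected and path.endswith(SCRIPT_EXT) and path not in seen_paths:
            hits.append((src, path))
        seen_paths.add(path)
    return hits


if __name__ == "__main__":
    for src, path in find_webshell_candidates(SAMPLE_LOG):
        print(f"possible web shell: {path} first requested by {src} after an SQLi attempt")
```

The "never seen before" baseline is what keeps legitimate ERP pages from being flagged; in production you would seed it from a longer history rather than from the same log window.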