
Cyberespionage


Winnti or Higaisa resurrected from APT41 Backdoor

20-Jan-2021
15 min read

Winnti, a cyberespionage group of Chinese origin primarily known for targeting software companies and political organisations worldwide, gained traction over a series of cyberattacks.

The group is linked to espionage operations conducted by other threat actors affiliated with Chinese intelligence, and has been associated with the Axiom, APT17 and Mirage threat actors. The samples discussed here were first detected on May 12, 2020, by Positive Technologies researchers during threat monitoring; they included traces of newly intercepted malware and LNK shortcuts that extract and run the payload. At the core of the attack is an archive named Project link and New copyright policy.rar (75cd8d24030a3160b1f49f1b46257f9d6639433214a10564d432b74cc8c4d020). The archive contains a bait PDF document (Zeplin Copyright Policy.pdf) plus the folder All tort's projects - Web links with two shortcuts:

  • Conversations - iOS - Swipe Icons - Zeplin.lnk
  • Tokbox icon - Odds and Ends - iOS - Zeplin.lnk

The structure of the malicious shortcuts resembles the sample 20200308-sitrep-48-covid-19.pdf.lnk spread by the Higaisa group in March 2020.

The initial infection mechanism is fundamentally the same: opening either of the shortcuts runs a command that extracts a Base64-encoded CAB archive from the LNK file body, after which the archive is unpacked to a temporary folder. Further actions are performed by an extracted JS script.

Contents of script 34fDFkfSD32.js

Here, however, the similarity with the sample described in the Higaisa report ends: this script copies the payload to the folder C:\Users\Public\Downloads, achieves persistence by adding itself to the startup folder and a scheduler task, and runs the payload. The script also sends the output of ipconfig in a POST request to http://zeplin.atwebpages[.]com/inter.php.


The command run by the shortcut also opens a URL file extracted from the archive. The name of the URL file and its target address depend on which shortcut is opened:

Conversations - iOS - Swipe Icons - Zeplin.url goes to:

https://app.zeplin.io/project/5b5741802f3131c3a63057a4/screen/5b589f697e44cee37e0e61df

Tokbox icon - Odds and Ends - iOS - Zeplin.url goes to:

https://app.zeplin.io/project/5c161c03fde4d550a251e20a/screen/5cef98986801a41be35122bb

This is the only difference between the two LNK files. In both cases, the target page is hosted on Zeplin, a legitimate service for collaboration between designers and developers, and requires logging in to view.

The payload consists of two files:

svchast.exe

This is a simple local shellcode loader. The shellcode is read from a fixed path. Before running it, the loader checks that the current year is 2018, 2019, 2020, or 2021.

Figure 3. Main function in svchast.exe

3t54dE3r.tmp

This is the shellcode containing the main payload: the Crosswalk backdoor.

Similar samples were also found, using the following shortcut names:

  • Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
  • International English Language Testing System certificate.pdf.lnk

In these samples the bait consisted of PDF documents with a CV and an IELTS certificate. Depending on which shortcut was opened, the output of ipconfig was sent to one of two addresses: http://goodhk.azurewebsites[.]net/inter.php or http://sixindent.epizy[.]com/inter.php.

Detailed analysis of these espionage campaigns was published by Malwarebytes and Zscaler.

Their findings attributed the attacks to the Higaisa group. However, a thorough analysis of the shellcode indicates that the samples actually belong to the Crosswalk malware family.

FireEye first reported this family in 2017, in the context of the activities of the APT41 (Winnti) group.

Figure 7. From the FireEye report

Figure 8. Fragment of shellcode from 3t54dE3r.tmp

The network infrastructure of the samples overlaps with previously known APT41 infrastructure at the IP address of the C2 server. An SSL certificate with the SHA-1 value b8cff709950cfa86665363d9553532db9922265c was identified there; the same certificate is found at IP address 67.229.97[.]229, cited in a 2018 CrowdStrike report.

In addition, the domains overlap with findings from a Kaspersky report written in 2013.

Figure 9. Fragment of network infrastructure

All this leads us to conclude that these LNK file attacks were performed by Winnti (APT41), which "borrowed" this shortcut technique from Higaisa.

Monitoring of new Crosswalk samples and network infrastructure led to other malicious objects carrying Crosswalk shellcode as their payload. These objects fall into two groups: local shellcode loaders and injectors. Some of the samples in both groups are also obfuscated with VMProtect.

Code for injecting shellcode into a running process

The injectors contain typical code that obtains SeDebugPrivilege, finds the PID of the target process and injects shellcode into it. Depending on the sample, explorer.exe or winlogon.exe is the target process. The injected payload is one of the following:

  • Crosswalk
  • Metasploit stager
  • FunnySwitch (discussed later in this report)

Crosswalk and FunnySwitch shellcode is located in the data sections "as-is," while the samples with Metasploit show additional XOR encryption with the key "jj1".

The loaders' primary function is to extract shellcode and run it in the current process. Samples fall into one of two categories, based on where the shellcode comes from: the original executable itself, or an external file in the same directory.

Most of the loaders start by checking the current year, much like the samples from the LNK file attacks.

Figure 15. Code of the loader's main function

After the malware finds the API functions it needs, it decrypts the string Global\0EluZTRM3Kye4Hv65IGfoaX9sSP7VA with the ChaCha20 algorithm. In one older version, the loader creates a mutex with the name Global\5hJ4YfUoyHlwVMnS1qZkd2tEmz7GPbB to prevent being run twice. In recent samples, however, the decrypted string is not used in any way; perhaps part of the code was accidentally deleted during development.

Another artefact found in some samples is the new string CSPELOADKISSYOU. Its purpose remains unclear.

Figure 16. String "CSPELOADKISSYOU" in the data section

In the self-contained loaders, the shellcode is located in the PE file overlay. It is stored in a distinctive way: the data starts with a 0x60-byte header, followed by the (encrypted) shellcode. The data length is stored at offset -0x24 from the end of the executable. The header always starts with the PL signature. The rest of the header is used for decryption: a 32-byte key is located at offset 0x28, and a 12-byte nonce for the ChaCha20 algorithm is at offset 0x50.

Figure 17. Handling of PL shellcode in the loader body (ChaCha20)

The ChaCha20 implementation is not always present: some of the samples use Microsoft CryptoAPI with AES-128-CBC for encryption. The key material sits in the same place in the PL shellcode structure: the 32 bytes at offset 0x28 are hashed with MD5 to obtain the AES key.

Figure 18. Handling of PL shellcode in the loader body (AES-128)

Older loader versions use Cryptography API: Next Generation (BCrypt* functions) in an identical way. They use AES-128 in CFB mode as the encryption algorithm.

The loaders that rely on external files have a similar code structure and the same two encryption types: ChaCha20 or AES-128-CBC. The file must contain PL shellcode in the same format as in the self-contained loader. The file name depends on the specific sample and is stored encrypted with the same algorithm; it can be a full file path or a relative one.

Figure 19. Building the file name with PL shellcode
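As an added example (not code from the page or from Positive Technologies), the following Python parser locates the PL blob in a loader's overlay using the layout described above (PL signature, 32-byte key at 0x28, 12-byte nonce at 0x50, 0x60-byte header, length field at -0x24 from the end) and decrypts it with ChaCha20, then exercises itself on a constructed file. It assumes the length field is a 4-byte little-endian total size of the blob (header plus shellcode), that the blob sits immediately before that 0x24-byte tail, and that the ChaCha20 block counter starts at 0; none of these details are confirmed by the report.

```python
import struct

PL_HEADER_LEN = 0x60                   # header precedes the encrypted shellcode
PL_KEY_OFF, PL_NONCE_OFF = 0x28, 0x50  # 32-byte ChaCha20 key, 12-byte nonce
PL_TAIL_LEN = 0x24                     # length field lives at -0x24 from file end

def _rotl32(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    """One 64-byte ChaCha20 keystream block (RFC 7539 state layout, 20 rounds)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])

def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation); counter start of 0 is an assumption."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, counter + i // 64)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)

def extract_pl_shellcode(exe_bytes):
    """Find the PL blob in the overlay and return the decrypted shellcode.
    Key and nonce travel inside the header, so recovery needs no secret."""
    if len(exe_bytes) < PL_TAIL_LEN + 4:
        raise ValueError("file too short to carry a PL blob")
    (blob_len,) = struct.unpack_from("<I", exe_bytes, len(exe_bytes) - PL_TAIL_LEN)
    start = len(exe_bytes) - PL_TAIL_LEN - blob_len  # assumption: blob ends at the tail
    if start < 0 or blob_len < PL_HEADER_LEN:
        raise ValueError("implausible PL length field")
    blob = exe_bytes[start:start + blob_len]
    if blob[:2] != b"PL":
        raise ValueError("PL signature not found")
    key = blob[PL_KEY_OFF:PL_KEY_OFF + 32]
    nonce = blob[PL_NONCE_OFF:PL_NONCE_OFF + 12]
    return chacha20_xor(key, nonce, blob[PL_HEADER_LEN:])

def build_sample(shellcode, key, nonce):
    """Constructed test file in the assumed layout (not a real Winnti sample)."""
    header = bytearray(PL_HEADER_LEN); header[:2] = b"PL"
    header[PL_KEY_OFF:PL_KEY_OFF + 32] = key; header[PL_NONCE_OFF:PL_NONCE_OFF + 12] = nonce
    blob = bytes(header) + chacha20_xor(key, nonce, shellcode)
    tail = struct.pack("<I", len(blob)) + bytes(PL_TAIL_LEN - 4)
    return b"MZ" + bytes(62) + blob + tail  # fake PE stub followed by the overlay
```

The ChaCha20 routine is checked against the RFC 7539 block-function test vector, so the parser can be pointed at a real overlay once the length-field convention is confirmed in a disassembler.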

Among all the loaders, we encountered three different shellcode payloads:

  • Crosswalk
  • Metasploit stager
  • Cobalt Strike Beacon

2.3 Attack examples

2.3.1 An encrypted resume

This malicious file is a RAR archive, electronic_resume.pdf.rar (025e053e329f7e5e930cc5aa8492a76e6bc61d5769aa614ec66088943bf77596), with two files:

Figure 20. Contents of electronic_resume.pdf.rar

The first file might look like bait, but trying to open it in a PDF viewer gives an error, since it is essentially a copy of the second file.

The file Электронный читатель резюме.exe ("Electronic reader resume.exe") is an executable self-contained loader for PL shellcode. It contains Cobalt Strike Beacon as the payload.

Figure 21. Configuration of Cobalt Strike Beacon

The archive was distributed on approximately June 1, 2020, from the IP address 66.42.48[.]186 and was available at hxxp://66.42.48[.]186:65500/electronic_resume.pdf.rar. The same IP address was used as a C2 server.

The modification time of the archive files and the date on which the archive was found on the server point to the attack being active in late May or early June. The Russian filenames suggest that the targets were Russian-speaking users.

The next attack is practically identical to the previous one: the malware is distributed in a RAR archive, video.rar (fc5c9c93781fbbac25d185ec8f920170503ec1eddfc623d2285a05d05d5552dc), and consists of two .exe files. The archive was available on June 1 on the same server at the address hxxp://66.42.48[.]186:65500/video.rar.

Figure 22. Contents of video.rar

The executable files are self-contained loaders of Cobalt Strike Beacon PL shellcode with a similar configuration and the same C2 server.

The bait here stands out: the threat actors attempted to exploit the U.S. protests related to George Floyd's death. The lure was a video named "I can't breathe-America's Black Death protests that the riots continue to escalate and ignite America!.mp4" containing reporting on the protests in late May 2020. Judging by the logo, the video source was the Australian portal XKb, which releases news materials in Chinese.

Figure 23. Still frame from the bait video

2.3.3 Chat transcript

The archive запись чата.7z ("chat transcript.7z") (e0b675302efc8c94e94b400a67bc627889bfdebb4f4dffdd68fdbc61d4cd03ae) contains three identical executable files with names resembling "запись чата-1.png____________________________________.exe" ("chat transcript-1.png____________________________________.exe") in attacks again targeting Russian-speaking users.

Figure 24. Contents of the archive, the name of which promises a "chat transcript."

The malicious files are self-contained PL shellcode loaders, but the payload here is Crosswalk version 2.0.

Its configuration implies three ways to connect to the C2 server at 149.28.23[.]32:

  • Transport protocol 3, port 8443
  • Transport protocol 2, port 80
  • Transport protocol 1, port 8080

The Winnti group became famous for its attacks on computer game developers. Such attacks continue today, and Russian companies are among the targets. When the file is run on a system without security updates installed, two windows appear simultaneously: a CHM help file in HTML Help and a PDF document. They contain the same information: a curriculum vitae for a game developer or database manager at a St. Petersburg company. The CV contains plausible contact information, with a St. Petersburg address, an email address ending in "@yandex.ru", and a phone number starting with "+7" (Russia's country code). The only fake detail is the phone number: 123-45-67.

Figure 26. Result of opening the CHM file

The PDF file opens due to the script pass.js, which is contained in the CHM file and referenced in the HTML page code.

Figure 27. Reference to pass.js in HTML code

The script uses a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to the folder C:\Users\Public for launching the next stage of the infection: the file resume.exe, which is also embedded inside the CHM file.

Figure 28. Deobfuscated script pass.js

resume.exe is a more advanced shellcode injector. Before it gets down to business, this malware, like many other samples we have seen from Winnti, checks the current year. It also checks the running processes and will not run if any of the following are active: ollydbg.exe|ProcessHacker.exe|Fiddler.exe|windbg.exe|tcpview.exe|idaq.exe|idaq64.exe|tcpdump.exe|Wireshark.exe. On the first launch, the shellcode is taken from MyResume.pdf; on subsequent launches, winness.config is the shellcode source.

Figure 29. Main function in resume.exe

MyResume.pdf is unpacked from the CHM file. Data read by resume.exe has been added to the end of the PDF file. If the user opens it directly, a message warns that the document is password-protected.

Figure 30. MyResume.pdf, as viewed in Adobe Acrobat Reader

Compared to the PL shellcode, the data structure is more complex and contains the following:

  • ROR-13 hash of the data starting from byte 0x24 (offset 0x20, 4 bytes)
  • Nonce for the ChaCha20 algorithm (offset 0x24, 12 bytes)
  • ChaCha20-encrypted data (offset 0x30), containing:
    • Name of the PDF file (+0x0)
    • Size of the PDF file (+0x20)
    • Size of the auxiliary shellcode (+0x24)
    • Size of the main shellcode (+0x28)
    • Constant 0xE839E900 (+0x2C)
    • PDF file
    • Auxiliary shellcode
    • Main shellcode

On the first launch of resume.exe, the encrypted portion of the data is decrypted and three sections are extracted: the PDF, the auxiliary shellcode, and the main shellcode.

The PDF file is saved with a name resembling _797918755_true.pdf in a temporary folder. It is then opened for the user (the second window in the screenshot in Figure 26, next to HTML Help).

Figure 31. resume.exe: actions on the first launch

The payload runs in a new process %windir%\System32\spoolsv.exe, into which the main shellcode is injected: Cobalt Strike Beacon with C2 address 149.28.84[.]98.

Injection occurs by creating a section via a ZwCreateSection call, mapping it into both the parent and child processes via ZwMapViewOfSection calls, copying the shellcode into the section, and placing a jump to the shellcode at the entry point of spoolsv.exe.

For persistence, resume.exe is copied under the name winness.exe to the folder %appdata%\Microsoft\AddIns, and the main shellcode is re-encrypted and saved in the same location under the name winness.config. To ensure autostart, the auxiliary shellcode writes the file svchost.bat, which transfers control to winness.exe, to the startup folder. To avoid detection at this stage, the auxiliary shellcode is injected into spoolsv.exe in the same way, independently loads the functions it needs, and writes the file in a separate thread.

When winness.exe runs after a reboot, the primary shellcode is decrypted from winness.config and injected into spoolsv.exe the same way.

On June 23, 2020, investigation of Winnti network infrastructure led to the detection of an active HTTP File Server on one of the C2 servers.

Four images were there for all to see: an email icon, a screenshot from a game with Russian text, a screenshot of the website of a game development company, and a screenshot of the details of vulnerability CVE-2020-0796 from the Microsoft website.

Figure 33. 13524222881554126454-128.png

Figure 34. EaVpPBNXgAE8s3r.jpg

Figure 35. website_battlestategames.png

Figure 36. windows_update.png

Almost two months later, on August 20, 2020, the file CV.pdf____________________________________________________________.exe (e886caba3fea000a7de8948c4de0f9b5857f0baef6cf905a2c53641dbbc0277c) was uploaded to VirusTotal. This file is a self-contained loader for Cobalt Strike Beacon PL shellcode.

Its C2 server is interesting: update.facebookdocs[.]com.

Analysis showed that the main domain facebookdocs[.]com hosted a copy of the official Battlestate Games website, www.battlestategames.com. An associated C2 IP address (108.61.214[.]194) led to an equivalent page on the phishing domain www.battllestategames[.]com (note the double "l").

When used as C2 servers, such domains equip threat actors with the ability to mask malicious traffic as a legitimate activity within the company.

Taken together, these two findings can be read as traces of preparation for, and the subsequent successful implementation of, an attack on Battlestate Games.

A Kaspersky report also describes the typical use of typosquatting domains for Winnti C2 servers.

Battlestate Games received all of the information uncovered by our investigation into the suspected attack.

Another Winnti technique is the theft of code-signing certificates, with the compromised certificates then used to sign malicious files intended for future attacks.

Here is one such certificate belonging to Taiwanese company Zealot Digital:

Name:           ZEALOT DIGITAL INTERNATIONAL CORPORATION
Issuer:         GlobalSign CodeSigning CA - SHA256 - G2
Valid From:     07:43 AM 08/20/2015
Valid To:       07:43 AM 09/19/2016
Valid Usage:    Code Signing
Algorithm:      sha256RSA
Thumbprint:     91e256ac753efe79927db468a5fa60cb8a835ba5
Serial Number:  112195a147c06211d2c4b82b627e3d07bf09

The files signed with it were mainly used in attacks on organisations in Hong Kong. They include Crosswalk and Metasploit injectors, the juicy-potato utility, and samples of FunnySwitch and ShadowPad. Two malware samples containing a previously unknown backdoor were discovered among the files signed with the Zealot Digital certificate.

It was named FunnySwitch, after the library's name and one of its key classes. The backdoor is written in .NET and can send system information and run arbitrary JScript code; it supports six different connection types, including accepting incoming connections.

One of its distinguishing features is acting as a message relay between other copies of the backdoor and the C2 server. Subsequent monitoring of the recent series of campaigns led to the discovery of several previously undocumented samples.

"Source: PTSecurities"