NEWS BRIEF
Winnti, a China-affiliated threat actor, has been linked to a new cyber campaign called RevivalStone, which has been observed targeting Japanese companies within the manufacturing, materials, and energy sectors.
Winnti has been active since at least 2012, but only started targeting Asian manufacturing and materials organizations within the past few years.
The group’s activity, according to researchers at LAC, notably overlaps with a group known as Earth Freybug, a subset of APT41, a well-known cyber espionage group.
In targeting organizations in the Asia-Pacific region, Winnti is exploiting vulnerabilities found in applications like IBM Lotus Domino to deploy malicious malware, including DEATHLOTUS, UNAPIMON, PRIVATELOG, CUNNINGPIGEON, WINDJAMMER, and SHADOWGAZE.
LAC researchers have also observed Winnti exploiting an SQL injection vulnerability in an enterprise resource planning system to drop Web shells on an infected server. Once gaining access, the threat actor collects credentials, performs reconnaissance, and delivers the Winnti malware.
This malware is an improved version, capable of expanding further to breach a managed service provider.
According to a statement by the LAC researchers, “The new Winnti malware has been implemented with features such as obfuscation, updated encryption algorithms, and evasion by security products, and it is likely that this attacker group will continue to update the functions of the Winnti malware and use it in attacks.”
