Winnti Hackers Split Cobalt Strike into 154 Pieces to Evade Detection
The Chinese Winnti hacking group, also known as ‘APT41’ or ‘Wicked Spider,’ targeted at least 80 organizations last year and successfully breached the networks of at least thirteen.
This is according to Group-IB’s researchers, who have been following Wintti’s activities and describe 2021 as one of the most “intense” years for the Chinese hackers.
The researchers say that Wintti targeted hospitality and software development firms in the U.S., an aviation firm in India, government, manufacturing, and media entities in Taiwan, and even software vendors in China.
To facilitate their campaigns, Winnti also compromised university websites in the UK, Ireland, and Hong Kong, Thai military portals, and various sites belonging to India’s government.
As part of these campaigns, Winnti used various methods in their malicious operations, including phishing, watering holes, supply chain attacks, and numerous SQL injections.
To find vulnerabilities in targeted networks or spread laterally within them, the threat actors used a mixture of commodity and specialized software, such as Acunetix, Nmap, SQLmap, OneForAll, subdomain3, subDomainsBrute, Sublist3r, and the “venerable” Cobalt Strike.
Hiding their Cobalt Strike beacons
One of Wintti’s unique deployment methods for the Cobalt Strike beacons involved obfuscating the payload on the host to evade detection by software.
According to the Group-IB report, the hackers encode the payload in base64 and break it into a large number of smaller pieces consisting of 775 characters, which are then echoed to a text file named dns.txt as shown below.
In some cases, it took 154 repetitions of this action to write the payload onto a file, but in others, Winnti increased the chunk size to 1,024 characters to reduce the iterations.
To rebuild the Cobalt Strike executable and launch it, the threat actors would use Certutil LOLBin as outlined below:
certutil -decode C:\dns.txt C:\dns.exe certutil -hashfile C:\dns.exe copy C:\dns.exe C:\WINDOWS\dns.exe move C:\dns.exe C:\windows\mciwave.exe
Another unique approach concerning Cobalt Strike deployment by Winnti is using listeners with over 106 custom SSL certificates, mimicking Microsoft, Facebook, and Cloudflare.
These certificates ensure that the listeners on the C2 servers will only accept connections from the planted beacons, locking prying researchers or curious hackers outside.
Having tracked the threat group’s activity for so long, Group-IB is in a position to estimate the approximate location of the hackers based on their working hours, which tend to follow a defined schedule.
The group starts working at 09:00 AM in the morning and wraps up at around 07:00 PM in the afternoon, in the UTC+8 time zone.
This puts the hacking group in a good position for real-time operations against targets in Malaysia, Singapore, Russia, Australia, and China.
Notably, Winnti logged very few hours during weekends, although some activity was observed on Sundays, presumably to perform actions that are unlikely to be noticed by understaffed IT teams.
Lurking in the shadows
Even when researchers persistently track Winnti operations, the sophisticated Chinese group remains well-hidden and continues its cyberespionage operations unhindered.
However, Group-IB’s report helps fill in the gaps, outlining the hacking group’s tactics, techniques, and procedures (TTPs) and confirming that Winnti manages to remain elusive.
In January 2022, researchers at Kaspersky discovered ‘MoonBounce’, an advanced UEFI firmware implant deployed in the wild by Winnti against high-profile organizations.
In March 2022, Mandiant reported that Winnti breached government networks in six U.S. states using Cisco and Citrix exploits.
In May 2022, a report by Cybereason uncovered a lot about Winnti’s arsenal and TTPs (techniques, tactics, and procedures) after mapping a previously unknown operation that has been underway since at least 2019.