Chinese hackers have been running riot on unsecured Windows devices

Data Breach
Image Credit: Shutterstock (Image credit: Shutterstock)

Researchers from Cybereason have uncovered a new espionage campaign that’s been active for at least three years and includes new malware strains, rarely-seen abuse of certain Windows features, and a “complex infection chain”.

According to the company's report, a Chinese state-sponsored actor known as Winnti (aka APT 41, BARIUM, or Blackfly) has been targeting numerous technology and manufacturing companies in North America, Europe, and Asia since, at least, 2019.

The goal was to identify and exfiltrate sensitive data, such as intellectual property developed by the victims, sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data. The researchers believe the attackers stole hundreds of gigabytes of valuable intel.


Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Rarely seen abuse

This data also helped the attackers map out their victims’ networks, organizational structure, as well as endpoints, giving them a head start, should they decide to escalate things further (for example, with ransomware).

In its campaign, Winnti advanced persistent threat actor deployed new versions of already known malware (Spyder Loader, PRIVATELOG, and WINNKIT), but it also deployed previously unknown malware - DEPLOYLOG.

To deploy the malware, the group opted for a “rarely seen” abuse of the Windows CLFS Feature, the researchers said. Apparently, the group leveraged the Windows CLFS (Common Log File System) mechanism and NTFS transaction manipulations, allowing it to hide the payloads and evade being detected by security products.

The payload delivery itself was described as “intricate and interdependent”, resembling a house of cards. As a result, it was very difficult for researchers to analyze each component separately. 

Still, they managed to piece the puzzle together, and are claiming the Winnti malware arsenal includes Spyder (a sophisticated modular backdoor), STASHLOG (the initial deployment tool that “stashes” payloads in Windows CLFS), SPARKLOG (extracts and deploys PRIVATELOG to escalate privileges and achieve persistence on the target endpoint), PRIVATELOG (extracts and deploys DEPLOYLOG), and DEPLOYLOG (deploys the WINNKIT rootkit). Finally, there’s WINNKIT, the Winnti kernel-level rootkit.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.