NEWS BRIEF
Winnti, a cyber threat group affiliated with China, has been identified as the perpetrator of a new campaign known as RevivalStone. This campaign has been observed targeting companies in Japan, primarily those operating in the manufacturing, materials, and energy sectors.
Winnti has been actively engaging in cyber activities since at least 2012. However, it was only in recent years that the group began focusing on organizations within the manufacturing and materials sectors in Asia.
Researchers at LAC have observed that Winnti’s activities overlap with those of another group known as Earth Freybug, which is a subset of the well-known cyber espionage group APT41.
In its efforts to target organizations in the Asia-Pacific region, Winnti exploits vulnerabilities found in applications such as IBM Lotus Domino. This allows the group to deploy various malware families, including DEATHLOTUS, UNAPIMON, PRIVATELOG, CUNNINGPIGEON, WINDJAMMER, and SHADOWGAZE.
LAC researchers have also found that Winnti exploits an SQL injection vulnerability in an enterprise resource planning system. This allows the group to drop web shells on the compromised server, after which they collect credentials, conduct reconnaissance, and deliver the Winnti malware.
This updated version of the malware has enhanced capabilities, enabling it to expand its reach and breach a managed service provider.
According to a statement by LAC researchers, the new Winnti malware features advanced techniques such as obfuscation, updated encryption algorithms, and evasion of security products. It is likely that this attacker group will continue to update the functions of the Winnti malware and use it in future attacks.