
February 18, 2025
Ravie Lakshmanan
Malware / Network Security

A new campaign, known as RevivalStone, has been attributed to the China-linked threat actor Winnti, which targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024.

According to a report by Japanese cybersecurity company LAC, this activity overlaps with a threat cluster tracked by Trend Micro as Earth Freybug, which is believed to be a subset of the APT41 cyber espionage group (tracked as Operation CuckooBees by Cybereason and as Blackfly by Symantec).

APT41 is a highly skilled and methodical actor that has been known to mount espionage attacks and poison the supply chain. The group’s campaigns are designed with stealth in mind, using tactics such as custom toolsets that bypass security software and harvest critical information to establish covert channels for persistent remote access.

LAC noted that the group’s espionage activities have targeted a wide range of public and private industry sectors worldwide, with a focus on the use of Winnti malware, which features a unique rootkit that allows for hiding and manipulation of communications, as well as the use of stolen digital certificates.

Winnti, active since at least 2012, has primarily targeted manufacturing and materials-related organizations in Asia, with recent campaigns between November 2023 and October 2024 exploiting weaknesses in public-facing applications like IBM Lotus Domino to deploy malware, including:

  • DEATHLOTUS – A passive CGI backdoor that supports file creation and command execution
  • UNAPIMON – A defense evasion utility written in C++
  • PRIVATELOG – A loader that drops Winnti RAT, which delivers a kernel-level rootkit named WINNKIT
  • CUNNINGPIGEON – A backdoor that uses Microsoft Graph API to fetch commands and perform file and process management
  • WINDJAMMER – A rootkit that intercepts the TCP/IP network interface and creates covert channels with infected endpoints
  • SHADOWGAZE – A passive backdoor that reuses listening ports from IIS web servers

The latest attack chain documented by LAC exploited an SQL injection vulnerability in an unspecified enterprise resource planning (ERP) system to drop web shells such as China Chopper and Behinder on the compromised server, using the access to perform reconnaissance, collect credentials, and deliver an improved version of the Winnti malware.

The intrusion expanded to breach a managed service provider (MSP) by leveraging a shared account, followed by using the company’s infrastructure to propagate the malware to three other organizations.

LAC found references to TreadStone and StoneV5 in the RevivalStone campaign, with TreadStone being a controller designed to work with the Winnti malware, and StoneV5 possibly indicating Version 5 of the malware.

Researchers noted that the new Winnti malware has been implemented with features such as obfuscation, updated encryption algorithms, and evasion of security products, and that the attacker group is likely to keep updating the functions of the Winnti malware and using it in attacks.

This disclosure comes as Fortinet FortiGuard Labs detailed a Linux-based attack suite called SSHDInjector, associated with another Chinese nation-state hacking group known as Daggerfly, which is equipped to hijack the SSH daemon on network appliances for persistent access and covert actions.

The malware suite is engineered for data exfiltration, listening for incoming instructions from a remote server to enumerate running processes and services, perform file operations, launch terminals, and execute terminal commands.
