
Winnti APT Returns in New Operation CuckooBees Campaign

The China-based Winnti APT has been linked to an attack campaign that went undetected for years. Known as Operation CuckooBees, the campaign used previously undocumented malware to steal trade secrets from multiple organizations.

About Operation CuckooBees

  • The campaign was first detected in 2021, but researchers from the Cybereason Nocturnus Incident Response Team found that it had been active since at least 2019.
  • The covert attack campaign was aimed at multiple technology and manufacturing organizations across North America, Western Europe, and East Asia.
  • The attackers stole intellectual property that included sensitive documents, blueprints, diagrams, formulas, and manufacturing-related data.
  • Additionally, the Winnti group pilfered details about the target companies’ business units, network architecture, and credentials that could be used for future attacks. Several organizations’ employee emails and customer data were also compromised in the campaign.

New malware deployed

The report also exposed previously undocumented malware used by the Winnti group in the campaign.
  • These included a new loader, DEPLOYLOG, as well as new versions of Spyder Loader, PRIVATELOG, and WINNKIT.
  • According to the researchers, these strains abuse the Windows Common Log File System (CLFS) and NTFS transaction manipulation to evade detection by traditional security products. CLFS log files are an opaque binary format that few security tools parse, which makes them a convenient container in which to hide payloads.
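One practical consequence of payloads living in CLFS logs is that defenders can hunt for CLFS base log files (.blf) that appear where Windows itself would not create them. The Python below is an added illustration of that triage step; it is not code from the Cyware article or from the Cybereason report. It takes a list of file paths (the kind of fleet-wide export an EDR or a scheduled `dir /s /b *.blf` would produce), skips .blf files in known system locations, and ranks the rest. The allowlist of known CLFS directories, the staging directories, the sample paths and all function names are assumptions for illustration; real environments have more legitimate CLFS users, so treat hits as leads to inspect, not as verdicts.

```python
from pathlib import PureWindowsPath

# Directories where Windows components themselves keep CLFS base log (.blf)
# files. ASSUMPTION for illustration: this allowlist is not exhaustive, and a
# real deployment should extend it from a clean baseline of the environment.
KNOWN_CLFS_DIRS = (
    r"c:\windows\system32\config\txr",
    r"c:\windows\system32\config\bbi",
    r"c:\windows\system32\smi\store\machine",
    r"c:\windows\system32\logfiles",
    r"c:\system volume information",
)

# Common staging locations (assumed list); a CLFS log here is worth a look first.
STAGING_DIRS = (
    r"c:\programdata",
    r"c:\users\public",
    r"c:\windows\temp",
)


def _norm(path: str) -> str:
    """Lower-case, backslash-normalised form of a Windows path."""
    return str(PureWindowsPath(path)).lower()


def is_expected_clfs_location(path: str) -> bool:
    """True when a .blf file sits where Windows itself writes CLFS logs."""
    p = PureWindowsPath(_norm(path))
    parent = str(p.parent)
    if any(parent == d or parent.startswith(d + "\\") for d in KNOWN_CLFS_DIRS):
        return True
    # Per-user registry hive transaction logs live directly in the profile
    # root, e.g. C:\Users\<name>\NTUSER.DAT{...}.TM.blf
    parts = p.parts
    if (len(parts) == 4 and parts[1] == "users"
            and parts[3].startswith("ntuser.dat") and parts[3].endswith(".tm.blf")):
        return True
    return False


def _severity(norm_path: str) -> str:
    """Rank a hit: staging/temp locations first, everything else medium."""
    in_staging = any(norm_path.startswith(d + "\\") for d in STAGING_DIRS)
    in_temp = "\\temp\\" in norm_path or "\\tmp\\" in norm_path
    return "high" if in_staging or in_temp else "medium"


def triage_blf_paths(paths):
    """Return [(original_path, severity)] for .blf files outside known CLFS
    locations. Hits are leads for manual inspection, not verdicts."""
    hits = []
    for raw in paths:
        p = _norm(raw)
        if not p.endswith(".blf"):
            continue
        if is_expected_clfs_location(p):
            continue
        hits.append((raw, _severity(p)))
    return hits


# Constructed sample inventory (not real data) standing in for a fleet export.
SAMPLE_PATHS = [
    r"C:\Windows\System32\config\TxR\{sample}.TM.blf",  # legitimate registry log
    r"C:\Users\alice\NTUSER.DAT{sample}.TM.blf",        # legitimate user hive log
    r"C:\ProgramData\Vendor\cache.blf",                 # unexpected, staging dir
    r"C:\Windows\Temp\~tmp.blf",                        # unexpected, temp dir
    r"C:\Program Files\Vendor\data\state.blf",          # unexpected, needs a look
    r"C:\Users\alice\Documents\notes.txt",              # not CLFS, ignored
]

if __name__ == "__main__":
    for path, severity in triage_blf_paths(SAMPLE_PATHS):
        print(f"[{severity}] {path}")
```

Because CLFS is also used by legitimate software, the allowlist will produce false positives until it is tuned against a known-good baseline; the value of the check is in surfacing .blf files in temp, ProgramData or application directories, which can then be opened and inspected rather than trusted as ordinary log data.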

Summing it up

As the investigation into Winnti's campaign is ongoing, researchers have so far shared only partial Indicators of Compromise (IoCs). Notably, the malware authors chose the Windows CLFS mechanism, a rarely seen attack vector, to stay under the radar while they ensnared organizations across the globe.

Cyware Publisher
