According to a recent report, the Winnti hacking group or APT41 from China targeted at least 80 organizations last year using various methods. One of the noticeable methods was deploying Cobalt Strike beacons by obfuscating the payload to stay hidden.

Winnti attacks

According to researchers from Group-IB, Winnti had successfully breached the networks of at least 13 organizations, out of the 80 targeted. 
  • The group targeted hospitality and software development firms based in the U.S.; an aviation firm in India; manufacturing, government, and media firms in Taiwan; and software vendors in China.
  • Additionally, it had successfully compromised different university websites in the U.K, Hong Kong, and Ireland; Thai military portals; and different sites belonging to the Indian government.

Attack methods

In these campaigns, Winnti used different methods in its malicious operations, such as phishing, watering holes, supply chain attacks, and various SQL injections.
  • To identify vulnerabilities in targeted networks or propagate laterally within them, the threat group has used various commodities and specialized software to facilitate their attacks.
  • Some of these used specialized software are identified as Acunetix, Nmap, SQLmap, OneForAll, subdomain3, subDomainsBrute, Sublist3r, and Cobalt Strike.

Hiding Cobalt Strike beacons

The hackers encoded the Cobalt Strike payload in base64 and split it into smaller pieces including 775 characters, after that which are echoed in a text file named dns[.]txt.
  • In some instances, it took around 154 repetitions of this action to write the payload onto a file, though in others, the threat group increased the chunk size to 1,024 characters to reduce iterations.
  • For rebuilding the Cobalt Strike executable, they used Certutil LOLBin. Another approach was using listeners with 106 custom SSL certificates, mimicking Facebook, Cloudflare, and Microsoft.
  • These certificates make sure that the listeners on the C2 servers will only accept connections from the planted beacon to thwart away researchers or any outside hackers.

Working hours

Researchers revealed that the group begins at 9 AM and works till around 7 PM. Winnti members do not work long hours, unlike Conti for example. The Conti group works for nearly 14 hours a day and that too without any days off.

Ending notes

Even though researchers are continually tracking Winnti actions, the Chinese group managed to hide part of its operation for around a year. The report provided a list of (mostly) Chinese IP addresses that attackers used to communicate with Cobalt Strike servers. Furthermore, experts noted a specific Pinyin format used to name directories. Pinyin is a romanization system that represents the sounds of the Chinese language using the Latin alphabet.
Cyware Publisher