Far from pausing operations during the COVID-19 pandemic, China’s notorious Winnti hacking group has been busy launching new attacks on targets, researchers say.

According to an analysis by QuoIntelligence, as recently as February the group’s signature was detected in an attack against Gravity, the South Korean games company behind the long-running Massive Multiplayer Online Role Playing Game (MMORPG) Ragnarok Online.

Winnti (aka APT41, APT10, Blackfly and BARIUM and many others) is an umbrella name for related hacking groups dating back to 2009 that made their bad name attempting to compromise thousands of companies in search of intellectual property.  Asian games companies have been a recurring specialty.

The main indication found by the researchers was a dropper file (the executable that commences a malware attack) rather than the payload itself (the business end of modern malware).

Nevertheless, a look at the configuration file revealed a string that identified Gravity as the intended target.

Piecing together attacks like this is like assembling  a puzzle with missing pieces crossed with a detective story. With only fragments to go on, researchers often connect malicious files they find by comparing them with other similar files detected by other security companies.

QuoIntelligence documents a second campaign targeting an unnamed German chemical company, another sector Winnti has taken a strong interest in after a string of attacks dating back to 2013.

This was a well-resourced effort that used a stolen digital certificate to sign Winnti malware drivers although the use of the Windows x64 Driver Signature Enforcement Overrider (DSEFix) bypass, which doesn’t work on Windows 10, suggests the malware is old and most likely targeted Windows 7 machines.

It also seems to have used DNS tunnelling, an old technique for sneaking data in and out of networks hidden inside unmonitored traffic to Domain Name Servers.

This hints that although the attack was dated to February this year, it might be linked to operations dating back some years.

As for the difficult issue of connecting all of this to a single group that might be made up of several sub-groups:

While attribution is not concrete due to the complexity of the group, there are links that can be drawn between operations which suggest the threat actors purporting the attacks are likely operating within the Winnti Group, or at least sharing resources.

However, perhaps the biggest thing that marks out the Winnti group hackers is that the individuals alleged to be involved with its activities have been named in at least two lawsuits. The first, from 2017, was launched by Microsoft, the second a year later by the US Justice Department.

It’s a name-and-shame strategy against alleged Chinese hackers that has also seen separate cases brought in relation to attacks on US aerospace companies, and earlier this year for the hacking of Equifax in 2017.



Beratung Consulting

Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.

Sophos Authorised Partner