Winnti / APT41 in action
A series of attacks by a threat actor of Chinese origin has targeted organizations in Russia and Hong Kong with malware, including a previously undocumented backdoor.
The APT used LNK shortcuts to extract and run the malware payload. A second attack that was detected used a malicious RAR archive containing shortcuts to two bait PDF documents, purportedly a curriculum vitae and an IELTS certificate.
The shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers, which are used to fetch the final-stage malware: a shellcode loader ("svchast.exe") and a backdoor called Crosswalk ("3t54dE3r.tmp").
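For triaging shortcuts of the kind described above, here is an added example (not code from the original write-up or from any of the samples) that parses the StringData section of a .lnk file according to the [MS-SHLLINK] layout and flags shortcuts that embed a URL or carry command-line arguments; the sample shortcut and its URL are constructed placeholders.

```python
import struct

# LinkFlags bits from the [MS-SHLLINK] ShellLinkHeader (offset 0x14)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut (header is 0x4C bytes)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:        # LinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields

def lnk_findings(data: bytes) -> list:
    """Triage rules: a 'document' shortcut should neither reference a URL
    nor pass arguments to its target."""
    fields = parse_lnk(data)
    text = " ".join(fields.values()).lower()
    findings = []
    if "http://" in text or "https://" in text:
        findings.append("url-in-shortcut")
    if fields.get("arguments"):
        findings.append("has-arguments")
    return findings

def _string_data(s: str) -> bytes:   # only used to build the constructed sample
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

# Constructed sample, NOT a file from the campaign: a bait "CV.pdf" shortcut
# whose arguments hold a placeholder URL standing in for the hosted pages.
SAMPLE_LNK = (struct.pack("<I", 0x4C) + bytes(16)                 # HeaderSize, CLSID
              + struct.pack("<I", HAS_REL_PATH | HAS_ARGUMENTS | IS_UNICODE)
              + bytes(0x4C - 24)                                  # rest of header
              + _string_data("CV.pdf")
              + _string_data("https://shortcut-target.example/placeholder"))
```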
Crosswalk is a modular backdoor capable of carrying out system reconnaissance and receiving additional modules from an attacker-controlled server as shellcode.
This modus operandi shares similarities with that of the Korean threat group Higaisa, which was found using LNK files attached to emails to launch attacks on unsuspecting victims involving Winnti.
The new wave of attacks is no different. Notably, the targets include Battlestate Games. Additional attack samples took the form of RAR files that contained Cobalt Strike Beacon as the payload.
In another instance, compromised certificates belonging to a Taiwanese company called Zealot Digital were abused to strike organizations in Hong Kong with Crosswalk and Metasploit injectors, as well as ShadowPad, Paranoid PlugX, and a new .NET backdoor called FunnySwitch.
The backdoor, still under development, is capable of collecting system information and running arbitrary JScript code. It also shares a number of common features with Crosswalk. Paranoid PlugX was earlier linked to attacks on the video game industry in 2017.