Full Report
The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024. The activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug, which has been assessed to be a subset within the APT41
Analysis Summary
# Threat Actor: Winnti (and associated APT41 cluster)
## Attribution & Identity
* **Primary Attribution:** China-linked threat actor.
* **Associated Groups/Clusters:** Earth Freybug, APT41 (assessed to be a subset), Operation CuckooBees, Blackfly.
* **Historical Activity Start:** Active since at least 2012.
* **Note:** APT41 is described as highly skilled, methodical, and capable of espionage and supply chain poisoning attacks aligned with strategic national objectives.
## Activity Summary
The actor was attributed to a new campaign dubbed **RevivalStone** in March 2024. This campaign targeted Japanese companies in the manufacturing, materials, and energy sectors. The intrusion chain involved exploiting an SQL injection vulnerability in an Enterprise Resource Planning (ERP) system to deploy web shells (China Chopper and Behinder). This access was used for reconnaissance, credential harvesting, lateral movement, and delivering an improved version of the Winnti malware. The scope expanded by breaching a Managed Service Provider (MSP) via a shared account, weaponizing its infrastructure to attack three other organizations. Recent activity (Nov 2023 - Oct 2024) has focused on the APAC region by exploiting weaknesses in public-facing applications like IBM Lotus Domino.
## Tactics, Techniques & Procedures
* **Initial Access/Exploitation:** Exploiting SQL injection vulnerabilities in ERP systems.
* **Initial Execution/Persistence:** Dropping China Chopper and Behinder web shells.
* **Command & Control (C2)/Evasion:**
  * Use of CUNNINGPIGEON, a backdoor that fetches commands via Microsoft Graph API from emails.
  * Use of stolen, legitimate digital certificates embedded in malware.
  * Use of a unique Winnti kernel-level rootkit (WINNKIT) for hiding and manipulating communications.
* **Lateral Movement:** Leveraging breached MSP infrastructure via shared accounts.
* **Malware Usage:** Characterized by the use of the Winnti malware and related command controllers like TreadStone.
* **Potential New Version:** References to StoneV5 suggest a possible Winnti v5.0 featuring updated encryption, obfuscation, and security product evasion.
## Targeting
* **Sectors:** Manufacturing, materials, energy, and organizations related to the supply chain (implied by the APT41 description).
* **Geography:** Primarily targeting Asia, with the RevivalStone campaign focused on Japan. General scope includes "a wide range of public and private industry sectors around the world."
* **Victims:** Japanese companies in specified sectors; an unnamed Managed Service Provider (MSP) and three subsequent victim organizations reached via the MSP.
## Tools & Infrastructure
* **Malware Families:**
  * **Winnti RAT** (aka DEPLOYLOG)
  * **DEATHLOTUS** (Passive CGI backdoor)
  * **UNAPIMON** (Defense evasion utility)
  * **PRIVATELOG** (Loader for Winnti RAT)
  * **WINNKIT** (Kernel-level rootkit)
  * **CUNNINGPIGEON** (Backdoor using Microsoft Graph API)
  * **WINDJAMMER** (Rootkit capable of intercepting TCP/IP and setting up covert intranet channels)
  * **SHADOWGAZE** (Passive backdoor reusing IIS web server ports)
  * **TreadStone** (Controller for Winnti)
* **Web Shells:** China Chopper, Behinder (Bingxia/IceScorpion)
* **Infrastructure:** C2 communication via Microsoft Graph API; potential use of TreadStone for control.
## Implications
This actor remains highly sophisticated, capable of maintaining stealth through kernel-level rootkits (WINNKIT) and leveraging legitimate services (Microsoft Graph API) for command delivery. The attack expanding through an MSP highlights a significant risk to the software supply chain and interconnected third-party vendors, allowing for broad, targeted impact beyond the initial breach victim. The continuous evolution of the Winnti malware (potential v5.0) suggests ongoing efforts to bypass modern security controls.
## Mitigations
* Implement strict input validation and parameterized queries, especially on ERP systems, to prevent SQL injection attacks.
* Monitor for and restrict anomalous usage of Microsoft Graph API for command execution outside of expected application behavior.
* Rigorously audit access rights and shared accounts, particularly those used for MSP infrastructure access.
* Employ advanced endpoint detection and response (EDR) solutions capable of detecting kernel-level and rootkit activity.
* Scrutinize network traffic for covert channels possibly established by rootkits like WINDJAMMER.
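As an added illustration of the Graph API monitoring item above (example code written for this summary, not from LAC or Trend Micro), the following detector flags hosts where a process not on an allowlist repeatedly polls Microsoft Graph mail endpoints, the behaviour a mail-driven command channel like CUNNINGPIGEON would produce. The log format, the process allowlist, and the sample lines are constructed assumptions; the Graph v1.0 mail routes are real.

```python
import re
from collections import defaultdict

# Assumption: processes expected to talk to Graph mail APIs in this environment.
ALLOWED_PROCESSES = {"outlook.exe", "teams.exe", "olk.exe"}

# Real Microsoft Graph v1.0 mail routes (/me or /users/{id} followed by messages or mailFolders).
MAIL_PATH = re.compile(r"^/v1\.0/(me|users/[^/]+)/(messages|mailFolders)")

# Constructed proxy log format: "<ts> <host> <process> <method> <url>"
LINE = re.compile(
    r"^(\S+) (\S+) (\S+) (GET|POST|PATCH|DELETE) https://graph\.microsoft\.com(/\S*)$"
)

def parse_line(line):
    """Parse one constructed proxy log line; return None for non-Graph or malformed lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts, host, proc, method, path = m.groups()
    return {"ts": ts, "host": host, "proc": proc.lower(), "method": method, "path": path}

def detect_graph_mail_abuse(lines, min_polls=3):
    """Return {(host, process): hits} for non-allowlisted processes that hit Graph
    mail endpoints at least min_polls times; repeated polling is the signal, a single
    request is treated as noise."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proc"] in ALLOWED_PROCESSES:
            continue
        if MAIL_PATH.match(ev["path"]):
            counts[(ev["host"], ev["proc"])] += 1
    return {k: v for k, v in counts.items() if v >= min_polls}

# Constructed sample: a workstation mail client (benign) and an ERP server whose
# unknown process keeps reading an inbox, which no server role here should do.
SAMPLE_LOG = [
    "2024-03-04T08:00:01Z WS-042 outlook.exe GET https://graph.microsoft.com/v1.0/me/messages?$top=50",
    "2024-03-04T08:00:05Z ERP-SRV01 updater.exe GET https://graph.microsoft.com/v1.0/me",
    "2024-03-04T08:00:06Z ERP-SRV01 updater.exe GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10",
    "2024-03-04T08:05:06Z ERP-SRV01 updater.exe GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10",
    "2024-03-04T08:10:06Z ERP-SRV01 updater.exe GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10",
    "2024-03-04T08:10:07Z ERP-SRV01 updater.exe GET https://login.microsoftonline.com/common/oauth2/v2.0/token",
]

if __name__ == "__main__":
    for (host, proc), hits in detect_graph_mail_abuse(SAMPLE_LOG).items():
        print(f"ALERT host={host} process={proc} graph_mail_polls={hits}")
```

Tune the allowlist and threshold per environment; servers such as ERP hosts should normally have an empty allowlist, so any Graph mail access from them is worth a look.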