China-linked Winnti APT group silently stole trade secrets for years: report


“CuckooBees” campaign operated by Chinese cyber espionage group has run undetected since 2019

A stealthy cyber espionage campaign, which researchers say is almost certainly being carried out by the China-linked group Winnti APT, has been ongoing and undetected since at least 2019. Its characteristics almost exactly match the FBI publication, also released in 2019, titled China: the Risk to Corporate America (PDF).

The FBI has warned that China will use cyber espionage to steal American intellectual property to facilitate the Chinese government’s Made in China 2025 plan. The Winnti campaign, named CuckooBees, appears to have been specifically designed to do just that – and the CuckooBees campaign began at the same time the FBI issued its warning.

CuckooBees was discovered by Cybereason – after years of running undetected – when its researchers were hired to investigate multiple intrusions targeting technology and manufacturing companies in North America, Europe and Asia. In an analysis of the campaign, Cybereason suggests that over the years CuckooBees has successfully exfiltrated hundreds of gigabytes of information. The company further believes with medium to high confidence that CuckooBees is the work of the Chinese group Winnti (aka APT41, BARIUM, and Blackfly).

Winnti is a Chinese state-affiliated group that has been around since at least 2010 and is known for its sophistication, stealth, and focus on stealing technological secrets. Mandiant described (PDF) Winnti in March 2022 as “a creative and resourceful adversary”.

Cybereason’s research into the CuckooBees campaign revealed new undocumented malware called Deploylog and new versions of known Winnti malware. Payload hiding and detection evasion were based on rarely seen abuses of Windows CLFS functionality.

The infection chain and payload deployment (which Cybereason calls the Winnti Kill Chain) were implemented with a “house of cards” approach, with each component dependent on the others to function properly. It is therefore difficult to analyze each component separately.

Winnti Kill Chain in Operation CuckooBees (Image credit: Cybereason)

The intrusion started with the exploitation of multiple vulnerabilities in the victims’ ERP platform. From there, the attackers established persistence with some form of WebShell and began reconnaissance and credential dumping. This enabled lateral movement, which ultimately resulted in the exfiltration of sensitive data from both critical servers and the workstations of senior employees.

CuckooBees involved several persistence techniques. The first was to drop in a VBScript version of the WebShell, run it using wscript, and copy the output to an externally accessible folder. This is a technique known since 2006 and strongly linked to China. The WebShell used in this instance was nearly identical to a publicly known WebShell called up_win32.jsp.

The second persistence method provided an additional backup entry point. This involved modifying the WinRM remote management protocol to enable HTTP and HTTPS listeners for remote shell access.

The third method used a signed kernel rootkit, while the fourth technique abused the legitimate IKEEXT and PrintNotify Windows services to load Winnti DLLs and preserve persistence.

The initial reconnaissance used built-in Windows commands to gather information about the compromised server. Once it gained a foothold on multiple machines, Winnti began using Scheduled Tasks to run batch scripts that differed from machine to machine, with different commands based on the attackers’ goals.

Two methods were used for credential dumping: the reg save command and a previously unknown tool named mfsdll.exe. The reg save command was used to dump the SYSTEM, SAM and SECURITY registry hives, allowing the attackers to decrypt password hashes locally.

Cybereason was unable to retrieve a sample of MFSDLL but did learn how it was used and what it loaded. It loaded a DLL called mktzx64.dll, which was separately detected by ESET and mentioned in its joint report with Avast on the Microcin RAT; it may be related to the use of Mimikatz.

Using compromised domain administrator credentials, Winnti then used scheduled tasks to run commands on dozens of compromised machines. During this phase, the attackers were able to move laterally and infect a large number of hosts using the stolen credentials.

For data collection, the attackers used a renamed Chinese-language version of WinRAR to create password-protected archives containing the stolen data. This was renamed to rundll32.exe to hide it and blend in silently with other Windows system files.
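Three of the behaviours described above leave distinctive traces in process-creation telemetry: reg save against the SAM, SYSTEM and SECURITY hives, WinRM listener configuration, and an archiver running under the name rundll32.exe. The script below is an added illustration of how a defender might match those traces in endpoint logs; it is not code from Cybereason’s report or from the article. The event fields (image path, command line, PE original file name in the style of Sysmon Event ID 1), the sample log records and the WinRAR-style command line are all constructed for the example.

```python
"""Detection rules for three Operation CuckooBees tradecraft patterns.

Example code added for illustration; field names and sample events are
constructed and modelled on Sysmon process-creation records (Event ID 1).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed schema)."""
    host: str
    image: str                 # full path of the launched executable
    cmdline: str               # full command line as logged
    original_name: str = ""    # OriginalFileName from the PE version resource, if logged


# 1. reg save of the hives needed to recover local password hashes offline
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b",
    re.IGNORECASE,
)

# 2. WinRM listener being created or the service being (re)configured
WINRM_LISTENER = re.compile(
    r"\bwinrm(?:\.cmd)?\s+(?:quickconfig|create\s+winrm/config/listener|set\s+winrm/config/service)\b",
    re.IGNORECASE,
)

# 3. WinRAR command grammar: the "a" (add) verb followed by a -p<password> switch.
#    A genuine rundll32 invocation instead takes "<dll>,<entrypoint>" arguments.
RAR_ADD_WITH_PASSWORD = re.compile(
    r'^(?:"[^"]+"|\S+)\s+a\s+(?:-\S+\s+)*-p\S*', re.IGNORECASE
)


def image_name(path: str) -> str:
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    if HIVE_DUMP.search(ev.cmdline):
        hits.append("credential-hive-dump")
    if WINRM_LISTENER.search(ev.cmdline):
        hits.append("winrm-listener-config")
    if image_name(ev.image) == "rundll32.exe":
        # Strong signal: the binary on disk is not really rundll32.
        if ev.original_name and ev.original_name.lower() != "rundll32.exe":
            hits.append("rundll32-name-mismatch")
        # Weaker signal, useful when OriginalFileName is not logged.
        if RAR_ADD_WITH_PASSWORD.search(ev.cmdline):
            hits.append("rundll32-archiver-syntax")
    return hits


# Constructed sample telemetry: four suspicious records and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("SRV-ERP01", r"C:\Windows\System32\reg.exe",
              r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv", "reg.exe"),
    ProcEvent("SRV-ERP01", r"C:\Windows\System32\reg.exe",
              r"reg.exe save hklm\system C:\Windows\Temp\sys.hiv", "reg.exe"),
    ProcEvent("SRV-ERP01", r"C:\Windows\System32\reg.exe",
              r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion", "reg.exe"),
    ProcEvent("SRV-ERP01", r"C:\Windows\System32\winrm.cmd",
              "winrm quickconfig -transport:https -q", ""),
    ProcEvent("WS-ENG07", r"C:\Users\Public\rundll32.exe",
              r"rundll32.exe a -p[PLACEHOLDER_PW] -r -m5 C:\Users\Public\d.rar C:\share\docs\ ",
              "WinRAR.exe"),
    ProcEvent("WS-ENG07", r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl", "RUNDLL32.EXE"),
]


def scan(events=SAMPLE_EVENTS) -> list:
    """Run every rule over every event; return (host, rule, cmdline) tuples."""
    return [(ev.host, rule, ev.cmdline) for ev in events for rule in detect(ev)]


if __name__ == "__main__":
    for host, rule, cmd in scan():
        print(f"{host:10} {rule:26} {cmd}")
```

The name-mismatch rule depends on the logging agent recording the PE version resource, which is why the command-line grammar rule is kept as a fallback; in real telemetry both should be tuned against a baseline of legitimate rundll32 and WinRM administration activity before alerting.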

Cybereason thinks this campaign is over, but cannot be certain. Assaf Dahan, Senior Director and Head of Threat Research at Cybereason, pointed out that there are several indications that the campaign may have been active recently. He also told SecurityWeek: “There are likely to be many more victims globally given the level of sophistication of the attack and the fact that the campaign was launched in 2019 and only discovered last year.”


Kevin Townsend is a senior contributor to SecurityWeek. He wrote about high-tech issues long before Microsoft was born. For the past 15 years, he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from the Times and the Financial Times to current and former IT magazines.
