Chinese Hacking Group Deploys Backdoor
Researchers: Campaign Targets Organizations in Russia and Hong Kong
Researchers at Positive Technologies say they’ve uncovered a cyberespionage campaign against targets in Hong Kong and Russia by the Chinese hacking group Winnti - also known as APT41 - that’s using a previously unseen backdoor.
The campaign, which began in May 2020, uses a backdoor dubbed "FunnySwitch" to exfiltrate system information from infected networks. Targets include Russian game developer Unity3D and several universities in Hong Kong, the report notes.
"Winnti continues to pursue game developers and publishers in Russia and elsewhere," the researchers say. "Small studios tend to neglect information security, making them a tempting target."
Winnti has previously been linked to China's government. The hacking group, active since 2014, has targeted organizations in the healthcare, high-tech, telecommunications, higher education and travel services sectors, according to FireEye (see: Members of Chinese Espionage Group Develop a 'Side Business').
FireEye also noted in its report that some members of the hacking group had developed a "side business" targeting the global gaming industry for their own financial gain.
Attack Tactics
The Positive Technologies report notes the latest Winnti campaign began in two waves, with the attackers sending the first batch of phishing emails on May 12, 2020. The attackers disguised the payload as a Microsoft LNK shortcut file embedded within PDF documents.
In the second wave, which began in June, the attackers started using curriculum vitae and International English Language Testing System certificate documents as lures to deliver the payloads, the report notes.
When the victims downloaded the malicious files, the devices were then compromised with the FunnySwitch backdoor, the researchers note.
"The backdoor is written in .NET and can send system information as well as run arbitrary JScript code, with support for six different connection types, including the ability to accept incoming connections," Positive Technologies says. "One of its distinguishing features is the ability to act as a message relay between different copies of the backdoor and a command-and-control server."
Over the last six years, Winnti has targeted research organizations to steal information (see: Chinese APT Groups Target Cancer Research Facilities: Report).