Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Chinese Hacking Group Deploys Backdoor

Researchers: Campaign Targets Organizations in Russia and Hong Kong
Chinese Hacking Group Deploys Backdoor

Researchers at Positive Technologies say they’ve uncovered a cyberespionage campaign against targets in Hong Kong and Russia by the Chinese hacking group Winnti - also known as APT41 - that’s using a previously unseen backdoor.

See Also: Live Webinar | Incredible Email Hacks You'd Never Expect and How You Can Stop Them

The campaign, which began in May 2020, uses a backdoor dubbed "FunnySwitch" to exfiltrate system information from infected networks. Targets include Russian game developer Unity3D and several universities in Hong Kong, the report notes.

"Winnti continues to pursue game developers and publishers in Russia and elsewhere," the researchers say. "Small studios tend to neglect information security, making them a tempting target."

Winnti has previously been linked to China's government. The hacking group, active since 2014, has targeted organizations in the healthcare, high-tech, telecommunications, higher education and travel services sectors, according to FireEye (see: Members of Chinese Espionage Group Develop a 'Side Business')

FireEye also noted in its report that some members of the hacking group had developed a "side business" targeting the global gaming industry for their own financial gain.

Attack Tactics

The Positive Technologies report notes the latest Winnti campaign began in two waves, with the attackers sending the first batch of phishing emails on May 12, 2020. The attackers disguised the payload as a Microsoft LNK shortcut file embedded within PDF documents.

In the second wave, which began in June, the attackers started using curriculum vitae and International English Language Testing System certificate documents as lures to deliver the payloads, the report notes.

When the victims downloaded the malicious files, the devices were then compromised with the FunnySwitch backdoor, the researchers note.

"The backdoor is written in .NET and can send system information as well as run arbitrary JScript code, with support for six different connection types, including the ability to accept incoming connections," Positive Technologies says. "One of its distinguishing features is the ability to act as message relay between different copies of the backdoor and a command-and-control server."

Over the last six years, Winnti has targeted research organizations to steal information (see: Chinese APT Groups Target Cancer Research Facilities: Report).

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.