A new cyber campaign named RevivalStone has been attributed to the China-linked threat actor known as Winnti, targeting Japanese firms in the manufacturing, materials, and energy sectors as recently as March 2024. This campaign, as outlined by Japanese cybersecurity firm LAC, coincides with activities tracked by Trend Micro as Earth Freybug, recognized as a subgroup of the APT41 cyber espionage faction. Cybereason refers to the same cluster as Operation CuckooBees, while Symantec identifies it as Blackfly.
The APT41 group is known for its adeptness at carrying out espionage operations as well as infiltrating supply chains. Its methods are characterized by stealth, deploying a sophisticated array of techniques to avoid detection while relying on a custom toolkit designed to evade existing security measures. That toolkit is used both to gather sensitive information and to create covert channels for ongoing remote access.
LAC details that the group’s espionage efforts align with strategic national interests, targeting a diverse range of public and private sectors around the globe. Notably, Winnti malware is a hallmark of their attacks, featuring a distinct rootkit that enables the concealment and manipulation of communications, alongside the use of stolen, legitimately issued digital certificates.
Since at least 2012, Winnti has primarily focused on Asia’s manufacturing and materials industries. The group has been active in exploiting vulnerabilities in public-facing applications, with recent operations between November 2023 and October 2024 utilizing weaknesses in IBM Lotus Domino among other platforms to deploy various malware strains. This includes the passive CGI backdoor DEATHLOTUS, a C++ defense evasion tool UNAPIMON, and the Winnti RAT loader, which delivers a kernel-level rootkit dubbed WINNKIT.
The latest campaign reported by LAC indicates that the attack chain leveraged an SQL injection vulnerability within an unspecified enterprise resource planning (ERP) system, allowing attackers to deploy web shells such as China Chopper and Behinder. With this foothold, they conducted reconnaissance, acquired credentials for lateral movement, and introduced an enhanced variant of Winnti malware.
The intrusion reportedly escalated further when the adversaries targeted a managed service provider (MSP) by abusing a shared account. This breach allowed them to use the MSP’s infrastructure to spread malware to three additional organizations.
Alongside the malware analysis findings, references to TreadStone and StoneV5 in connection with the RevivalStone campaign have also been identified. TreadStone serves as a controller for Winnti malware, while StoneV5 may indicate an updated version of the malware involved in this operation, potentially Winnti v5.0. Researchers note that this new iteration includes enhancements such as obfuscation and advanced encryption methods to evade detection by security solutions.
The disclosure coincides with analyses from Fortinet FortiGuard Labs, which have shed light on a Linux-based attack suite known as SSHDInjector. Active since November 2024, the suite hijacks SSH daemons on network devices by injecting malware into them, facilitating persistent access and covert operations. Associated with another Chinese nation-state hacking group dubbed Daggerfly, SSHDInjector is specifically designed for data exfiltration and listens for commands from a remote server.
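Because SSHDInjector works by loading malicious code into a running SSH daemon, one practical defensive check is to inspect what an sshd process actually has mapped into memory. The following is an added example (not code from LAC, Fortinet, or any of the reports described above): it parses text in the format of Linux `/proc/<pid>/maps` and flags shared objects loaded from world-writable or user directories, backing files that have been deleted from disk, and regions that are both writable and executable. The trusted-directory list and the sample maps content are constructed assumptions for a typical glibc-based distribution; the library name `libsshd_hook.so` in the sample is made up for illustration and is not an indicator from the page.

```python
import re
import sys

# Assumption: directories from which a stock sshd is expected to map code on a
# typical glibc-based distribution. Adjust for your own build/packaging.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                    "/usr/libexec/", "/usr/sbin/")

# Locations from which a legitimate sshd should never load executable code.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# One line of /proc/<pid>/maps: address perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(maps_text):
    """Parse maps-format text into a list of dicts (one per mapping)."""
    entries = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing
        entries.append(m.groupdict())
    return entries


def find_suspicious_mappings(maps_text):
    """Return mappings a defender would want to look at, with reasons."""
    findings = []
    seen_paths = set()
    for e in parse_maps(maps_text):
        reasons = []
        path = e["path"]
        # Injected code frequently lives in regions that are both writable and
        # executable; a stock sshd should not need such regions.
        if e["perms"].startswith("rwx"):
            reasons.append("writable and executable region")
        # File-backed mappings: judge each distinct path once.
        if path.startswith("/") and path not in seen_paths:
            seen_paths.add(path)
            if path.endswith("(deleted)"):
                reasons.append("backing file deleted from disk")
            if path.startswith(UNTRUSTED_DIRS):
                reasons.append("loaded from world-writable or user directory")
            elif not path.startswith(TRUSTED_LIB_DIRS):
                reasons.append("outside trusted library directories")
        if reasons:
            findings.append({"range": f"{e['start']}-{e['end']}",
                             "path": path, "reasons": reasons})
    return findings


def read_process_maps(pid):
    """Read the live maps file for a process (Linux only, needs privileges)."""
    with open(f"/proc/{pid}/maps", "r", encoding="utf-8") as fh:
        return fh.read()


# Constructed sample: a clean-looking sshd with one foreign library and one
# anonymous rwx region mixed in. These addresses and names are made up.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0b20000 r-xp 00000000 fd:01 262401 /usr/sbin/sshd
7f3a1c000000-7f3a1c1e4000 r-xp 00000000 fd:01 131094 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c1e4000-7f3a1c1f0000 r--p 001e4000 fd:01 131094 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c4a0000 r-xp 00000000 fd:01 131172 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a1c800000-7f3a1c803000 r-xp 00000000 fd:01 786433 /tmp/.cache/libsshd_hook.so
7f3a1c803000-7f3a1c804000 rw-p 00003000 fd:01 786433 /tmp/.cache/libsshd_hook.so
7f3a1cc00000-7f3a1cc05000 rwxp 00000000 00:00 0
55d1c2f00000-55d1c2f21000 rw-p 00000000 00:00 0 [heap]
"""


if __name__ == "__main__":
    # Usage: python check_sshd_maps.py <pid>   (or no argument for the sample)
    text = read_process_maps(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MAPS
    for f in find_suspicious_mappings(text):
        print(f"{f['range']} {f['path'] or '<anonymous>'}: {', '.join(f['reasons'])}")
```

Run against a real `sshd` PID this gives a quick triage view; a clean result is not proof of absence, since a replaced sshd binary or a trojanized library installed under a trusted path would pass this check, so pair it with package-manager verification of the sshd binary and its libraries.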
As organizations work to defend against threats of this sophistication, understanding adversary tactics and techniques, such as those catalogued in the MITRE ATT&CK framework, remains crucial. The tactics of initial access, persistence, and privilege escalation are all visible in these recent incidents, underscoring the need for robust security controls at each of those stages.