Winnti Group, one of China’s state-sponsored threat groups, has recently targeted Asian entities. The group’s current targets are subsidiaries of a large Asian conglomerate specialising in materials and composites.
This ongoing activity is part of a continuous threat operation that started last year. The Winnti operators appear to be focused exclusively on information gathering and theft.
The Winnti Group utilised several malicious tools to run its campaign.
According to investigations, the Winnti Group leveraged multiple kits, including the Winnkit backdoor, Mimikatz, and ForkPlayground, to gain capabilities such as screenshot capture, process hollowing, credential dumping, proxy configuration, and SQL querying.
The Chinese-backed threat group has been active for more than a decade already. The group has been notorious for targeting the gaming community, but its latest operations are for data-gathering purposes against essential sectors.
A few weeks ago, before Winnti made its move against the materials sector, the Clasiopa group targeted the same sector. Researchers discovered that the Clasiopa group used a diverse toolset that includes a modified version of Lilith RAT, Atharvan RAT, a custom proxy tool, and Thumbsender.
In addition, the researchers claimed that the group gained access to public-facing servers by brute-forcing them. The custom RAT, Atharvan, gave its operators various advanced features, including the ability to configure scheduled communications with the attackers’ command-and-control server.
Other threat actors have also targeted Asian organisations in the past months. One confirmed threat actor is Hydrochasma, which targeted Asian medical labs and shipping firms.
The group has primarily targeted entities connected to COVID-19 vaccines and treatments. Furthermore, a different group of threat actors stole troves of login credentials for data centres in multiple Asian countries.
Cybersecurity experts suggest that Asian organisations check their environments against the publicly available IOCs that researchers have released for the Winnti Group’s attacks.
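The recommendation above amounts to matching published indicators against your own telemetry. The following is an added example, not code from the article or from any vendor report, showing one way to do that: it normalises a small IOC list (domains, IPs, SHA-256 hashes), scans log lines, and treats a subdomain of a listed domain as a hit. Every indicator and log line here is a constructed placeholder; the real Winnti IOCs must come from the researchers’ published report.

```python
"""Match constructed log lines against a placeholder IOC list.

Added example, not from the original article. All IOC values and log
lines below are constructed placeholders, not real Winnti indicators.
"""
import re
from dataclasses import dataclass

# Constructed placeholder IOCs (NOT real indicators). Replace with the
# values from the published report.
IOCS = {
    "domains": {"ioc-placeholder-c2.example", "update-placeholder.example"},
    "ips": {"203.0.113.45"},   # TEST-NET-3 documentation range
    "sha256": {"0" * 64},      # obviously fake placeholder hash
}

# Constructed sample telemetry: DNS, proxy, and EDR file-hash events.
SAMPLE_LOGS = [
    "2023-03-01T10:00:01Z dns query=www.example.org client=10.0.0.5",
    "2023-03-01T10:00:07Z dns query=ioc-placeholder-c2.example client=10.0.0.12",
    "2023-03-01T10:01:13Z proxy src=10.0.0.12 dst=203.0.113.45:443 action=allow",
    "2023-03-01T10:02:20Z edr host=ws-012 file=C:\\Temp\\svc.exe sha256=" + "0" * 64,
    "2023-03-01T10:03:00Z proxy src=10.0.0.7 dst=198.51.100.9:443 action=allow",
]


@dataclass
class Match:
    line_no: int
    ioc_type: str
    value: str
    line: str


DOMAIN_RE = re.compile(r"query=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b")


def normalise_iocs(iocs):
    """Lower-case and strip trailing dots so set lookups are exact."""
    return {
        "domains": {d.lower().rstrip(".") for d in iocs["domains"]},
        "ips": set(iocs["ips"]),
        "sha256": {h.lower() for h in iocs["sha256"]},
    }


def domain_matches(dom, domains):
    """True if dom equals a listed domain or is a subdomain of one."""
    labels = dom.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def scan_logs(lines, iocs):
    """Return a Match for every IOC hit, in log order."""
    iocs = normalise_iocs(iocs)
    matches = []
    for n, line in enumerate(lines, start=1):
        for dom in DOMAIN_RE.findall(line):
            if domain_matches(dom, iocs["domains"]):
                matches.append(Match(n, "domain", dom, line))
        for ip in IP_RE.findall(line):
            if ip in iocs["ips"]:
                matches.append(Match(n, "ip", ip, line))
        for h in SHA256_RE.findall(line.lower()):
            if h in iocs["sha256"]:
                matches.append(Match(n, "sha256", h, line))
    return matches


if __name__ == "__main__":
    for m in scan_logs(SAMPLE_LOGS, IOCS):
        print(f"line {m.line_no}: {m.ioc_type} {m.value}")
```

In practice the log lines would be streamed from a SIEM export or EDR query rather than embedded; the suffix check in `domain_matches` is worth keeping because published reports often list a parent domain while the actual beacon resolves a host beneath it.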
This group has stood the test of time as one of the oldest cybercriminal organisations in China. Winnti continues to evolve, running both cyberespionage and financially motivated campaigns.