Threat Watch

A New Evasion Tactic Seen from the Chinese Winnti Hacking Group (APT41/Wicked Spider)

Researchers at Group-IB have been tracking the Chinese Winnti hacking group over the course of the last year. In 2021, the group, also known as APT41 and Wicked Spider, has been reported by Group-IB to have targeted over 80 organizations, successfully breaching at least 13 worldwide. Known victims of APT41 include hospitality and software development companies in the United States, an aviation company in India, and government entities in Taiwan, among others. APT41, who has been active since at least 2007, has a primary motive of cyber espionage and financial gain.

In the campaigns that were investigated by Group-IB, APT41 used common reconnaissance tools such as Acunetix, Nmap, and SQLmap. While the group has been known to use tactics such as phishing, watering holes, and supply chain attacks in the past, recent attacks saw an uptick of SQL injections. Nearly half of these SQL injection attempts were successful, leading to access to the command shell of servers as well as accessing databases with information such as account lists and passwords.

Notably, APT41 utilized unique deployment methods for their Cobalt Strike beacons. The group encoded the entire payload in base64 and then broke it into several smaller pieces consisting of 775 characters. These smaller pieces were then written to a text file, sometimes taking as many as 154 repetitions to write the entire payload to the file. The group would then use the LOLBin certutil to decode the file. Another unique method the group used was the use of listeners on their Command and Control (C2) servers with over 106 custom SLL certificates, mimicking the likes of companies such as Microsoft and Cloudflare; this allowed the C2 servers to only accept connections from planted beacons, hindering analysis from researchers.


While APT41 has been around for roughly 15 years at this point, the report from researchers at Group-IB is an example of the ever-changing threat landscape. While the break-up of the Cobalt Strike payload is certainly unique, mature cybersecurity teams are likely already monitoring for LOLBin use such as this, highlighting the need for investment into maturing cybersecurity departments across organizations. The use of listeners on their C2 servers to block unexpected traffic is a tactic that will likely be more common in the future to hinder the analysis of security researchers. However, there are still ways around this such as planting a legitimate beacon on a sandbox with a connection to the internet.