Researchers at Group-IB have been tracking the Chinese hacking group Winnti over the past year. In 2021, the group, also known as APT41 and Wicked Spider, targeted over 80 organizations and successfully breached at least 13 of them worldwide, according to Group-IB. Known victims of APT41 include hospitality and software development companies in the United States, an aviation company in India, and government entities in Taiwan, among others. APT41 has been active since at least 2007 and pursues both cyber espionage and financial gain.
In the campaigns investigated by Group-IB, APT41 relied on widely available reconnaissance tools such as Acunetix, Nmap, and SQLmap. While the group has historically used phishing, watering-hole attacks, and supply chain compromises, the recent attacks showed an uptick in SQL injection. Nearly half of these SQL injection attempts succeeded, giving the attackers a command shell on the server or access to databases containing information such as account lists and passwords.
Notably, APT41 used an unusual method to deploy its Cobalt Strike Beacons. The group base64-encoded the entire payload, split it into chunks of 775 characters, and appended the chunks one at a time to a text file, in some cases taking as many as 154 write operations to stage the whole payload. The group then used the LOLBin certutil to decode the file into the payload. Another distinctive choice was the use of listeners on its Command and Control (C2) servers with over 106 custom SSL certificates that imitated companies such as Microsoft and Cloudflare; this let the C2 servers accept connections only from planted Beacons, hindering analysis by researchers.
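The chunked staging chain above leaves a recognizable trace in process telemetry: many `echo ... >>` appends to one file, followed by a `certutil -decode` of that same file. The following Python is an added example, not code from Group-IB's report or from the attackers' tooling. It emulates the staging to produce realistic command lines, runs a detector over them, and reassembles the dropped payload from the command lines alone, as an analyst would when only EDR telemetry survives. The file paths, the `SAMPLE_PAYLOAD` bytes and the `min_appends` threshold are assumptions made for the example; the 775-character chunk size is the one reported above.

```python
import base64
import re
from collections import defaultdict

# Chunk size reported for the staging technique described above.
CHUNK_LEN = 775

# Constructed sample "payload" for the example: not a real Beacon, just bytes
# with an MZ prefix so the recovered file looks like an executable.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256)) * 64

# 'echo <base64 chunk> >> <file>' as it appears in a recorded command line.
ECHO_APPEND = re.compile(
    r"\becho\s+(?P<chunk>[A-Za-z0-9+/=]+)\s*>>\s*(?P<file>\S+)", re.IGNORECASE)
# 'certutil -decode <input> <output>'; only the input file matters here.
CERTUTIL_DECODE = re.compile(
    r"\bcertutil(?:\.exe)?\b.*?\s-decode\s+(?P<file>\S+)", re.IGNORECASE)


def stage_commands(payload, staged_file, output_file, chunk_len=CHUNK_LEN):
    """Emulate the staging chain: base64-encode the payload, split it into
    fixed-size chunks, append each chunk with 'echo ... >>', then decode the
    file with certutil. Returns the command lines an EDR would record."""
    b64 = base64.b64encode(payload).decode("ascii")
    chunks = [b64[i:i + chunk_len] for i in range(0, len(b64), chunk_len)]
    cmds = [f"cmd.exe /c echo {c} >> {staged_file}" for c in chunks]
    cmds.append(f"certutil.exe -decode {staged_file} {output_file}")
    return cmds


def detect_chunked_staging(cmdlines, min_appends=8):
    """Scan process command lines (oldest first) for repeated 'echo >>' appends
    to a file that is later passed to 'certutil -decode'. One finding per
    decoded file whose append count reaches min_appends; the threshold keeps
    ordinary batch scripts that echo a line or two into a log from firing."""
    appends = defaultdict(list)
    findings = []
    for line in cmdlines:
        m = ECHO_APPEND.search(line)
        if m:
            appends[m.group("file").lower()].append(m.group("chunk"))
            continue
        m = CERTUTIL_DECODE.search(line)
        if m:
            target = m.group("file").lower()
            chunks = appends.get(target, [])
            if len(chunks) < min_appends:
                continue
            # Concatenated chunks that form valid base64 are a strong signal
            # that the appends were a split blob rather than log text.
            try:
                base64.b64decode("".join(chunks), validate=True)
                valid_b64 = True
            except ValueError:
                valid_b64 = False
            findings.append({
                "file": target,
                "appends": len(chunks),
                "chunk_len": max(len(c) for c in chunks),
                "valid_base64": valid_b64,
            })
    return findings


def recover_payload(cmdlines, staged_file):
    """Reassemble what the appends wrote to staged_file and decode it, so the
    dropped binary can be recovered from telemetry even if the file is gone."""
    chunks = []
    for line in cmdlines:
        m = ECHO_APPEND.search(line)
        if m and m.group("file").lower() == staged_file.lower():
            chunks.append(m.group("chunk"))
    return base64.b64decode("".join(chunks))


if __name__ == "__main__":
    cmds = stage_commands(SAMPLE_PAYLOAD, r"C:\Windows\Temp\p.txt",
                          r"C:\Windows\Temp\p.exe")
    for f in detect_chunked_staging(cmds):
        print(f)
    print(recover_payload(cmds, r"C:\Windows\Temp\p.txt") == SAMPLE_PAYLOAD)
```

The detector keys on the combination rather than on `certutil -decode` alone, which is common in legitimate administration; a fixed chunk length across dozens of appends to the same path, followed by a decode of that path, is the pattern worth alerting on. Real telemetry will need the command lines ordered by time and scoped per host, and attackers can vary the chunk size or the append primitive, so treat the regexes as a starting point rather than a signature.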