RevivalStone: new puzzle posed by Winnti group

Friday 4 October 11:00 - 11:30, Red room

Yoshihiro Ishikawa & Takuma Matsumoto (LAC Co)

The Winnti group (also known as Blackfly, Earth Freybug and APT41) has continued its APT attacks against targets in Asian countries. In March 2024 we observed a new attack campaign by the Winnti group, "RevivalStone", which targets several Japanese companies in the manufacturing, materials, and energy sectors. We observed that the APT group compromised a company using an MSP's cloud infrastructure and then, through that company's network, compromised the infrastructure overall. Due to this, several companies utilizing the infrastructure were affected and the infection was propagated to other servers.

Regarding the malware, we have confirmed that some web shells and a newer version of the Winnti malware were used in the campaign. The sophisticated malware is similar to Winnti components reported by Cybereason [1], but with improved functionalities. For example, the encryption algorithm in the Winnti loader and RAT has been changed and unusual device-specific information was used as the decryption key. Also, the deployed rootkit is an unreported version and new C2 commands have been implemented. This indicates that the attackers are continuously evolving tools to achieve their objectives.

An additional interesting point is that the PDB paths of some Winnti malware contain the name "TreadStone", which suggests a connection between Winnti and TreadStone. TreadStone is a malware controller software designed to work with Winnti malware, according to the 2019 U.S. Grand Jury indictment [2], and the name was included in the window title of a controller for Linux in the i-Soon data leaks. Thus, the paths are worth noting when considering attribution.

In this presentation we will share more details about this campaign, including initial attack vectors, newly developed Winnti malware, post-exploitation techniques, and incident artifacts. We think that sharing the latest activities of this threat actors will help blue teams to develop better strategies.

[1] https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive

[2] https://www.justice.gov/media/1095686/dl

Yoshihiro Ishikawa Yoshihiro Ishikawa is a member of the Cyber Emergency Center of LAC. He is engaged in malware analysis and cyber threat intelligence, especially Advanced Persistent Threat (APT) attacks. Based on the results of research, he has given presentations at several security conferences including AVAR, Botconf, FIRSTCON, HITCON and VB.

Takuma Matsumoto Takuma Matsumoto is a malware analyst at LAC's Cyber Emergency Center, where he works primarily on analysing APT malware targeting East Asia and researching threats. He has nearly 10 years of experience in the security industry, previously monitoring SIEM and creating detection rules. He has spoken at several security conferences including Virus Bulletin, Botconf, FIRSTCON and JSAC.

Back to VB2024 Programme page

Back to VB2024 conference page

Register for VB2024

Other VB2024 papers