Cybersecurity researchers revealed an undocumented Chinese Malware used in recent attacks

January 23, 2021

Cybersecurity researchers have disclosed a series of cyberattacks by a Chinese threat actor targeting government and private organizations in Hong Kong and Russia with a new, undocumented malware backdoor.

The attack campaign appears to be linked to APT41 Winnti. In the first attack, recorded on May 12, 2020, the hacking group used an LNK shortcut to extract and run the malware payload. The second attack, detected on May 30th, used a RAR archive that, when extracted, creates two shortcut files that bait users with PDF documents appearing to be an IELTS certificate and a curriculum vitae.

The shortcuts contain links to pages hosted on Zeplin, a recognized collaboration tool for designers and developers, which the hackers use to fetch the final stage of the malware, including a shellcode loader (svchast.exe) and a backdoor file called Crosswalk (3t54dE3r.tmp).

The Crosswalk backdoor was first documented in 2017. It is a modular backdoor built to execute reconnaissance and to update modules and shellcode from a remote hacker-controlled server.

This modus operandi has similarities with that of the Korean APT group Higaisa, which was also recorded using LNK files attached to emails as the starting vector of attack on victims in 2020. However, cybersecurity researchers noted that the use of the Crosswalk backdoor suggests an association with the Winnti APT.

The association is also supported by the network infrastructure traced from the samples, which overlaps with that of previous attacks conducted by Winnti, including some domains they used in their attack on the online video game industry back in 2013.


The recent attacks were no different: the malware campaign's targets include Battlestate Games, a Unity3D game developer from St. Petersburg, Russia.


Further analysis of additional attack samples extracted from RAR files found that they contained the Cobalt Strike Beacon malware as the payload, with the hackers referencing recent events, such as the US protest related to George Floyd's death, as the lure.

Winnti continues to pursue game developers and publishers in Russia and other countries. They exploit the fact that small publishers and studios tend to neglect data security, which makes them desirable targets. Cyberattacks on software developers are dangerous because they also risk exposing the private data of end users, as already happened with CCleaner and ASUS.
