{
	"id": "032f581e-e964-4ffe-a097-5a588c40a607",
	"created_at": "2026-04-06T00:09:43.599302Z",
	"updated_at": "2026-04-10T03:32:21.546023Z",
	"deleted_at": null,
	"sha1_hash": "a7bd9bba0b95f2c2137b5ec5d595667c77804378",
	"title": "Higaisa or Winnti? APT41 backdoors, old and new",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5087056,
	"plain_text": "Higaisa or Winnti? APT41 backdoors, old and new\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-05 18:41:01 UTC\r\nThe PT Expert Security Center regularly spots emerging threats to information security, including both previously known\r\nand newly discovered malware. During such monitoring in May 2020, we detected several samples of new malware that at\r\nfirst glance would seem to belong to the Higaisa group. But detailed analysis pointed to the Winnti group (also known as\r\nAPT41, per FireEye) of Chinese origin. Subsequent monitoring led us to discover a number of new malware samples used\r\nby the group in recent attacks. These include various droppers, loaders, and injectors; Crosswalk, ShadowPad, and PlugX\r\nbackdoors; and samples of a previously undescribed backdoor that we have dubbed FunnySwitch. We can confidently state\r\nthat some of these attacks were directed at a number of organizations in Russia and Hong Kong.\r\nIn this article, we will share the results of our investigation of these samples and related network infrastructure, as well as\r\noverlaps with previously described attacks.\r\nContents\r\n1. Higaisa shortcuts\r\n1. Attribution\r\n2. Crosswalk\r\n2. Loaders and injectors\r\n1. Injectors\r\n2. Local shellcode loaders\r\n3. Attack examples\r\n1. An encrypted resume\r\n2. I can't breathe\r\n3. Chat transcript\r\n3. Attacks on Russian game developers\r\n1. Unity3D Game Developer from St. Petersburg\r\n2. HFS with a surprise\r\n4. A purloined certificate\r\n5. FunnySwitch\r\n1. Unpacking\r\n2. Funny.dll\r\n1. Transport protocols\r\n2. Network-level protocol\r\n3. Application-level protocol\r\n4. Supported commands\r\n5. Unused code\r\n6. FunnySwitch vs. Crosswalk\r\n6. ShadowPad\r\n7. PlugX\r\n1. Paranoid PlugX\r\n8. Conclusion\r\n9. PT products detection names\r\n1. PT Sandbox\r\n2. PT Network Attack Discovery\r\n10. Applications\r\n1. Known names of files from which PL shellcode may be loaded\r\n2. 
IOCs\r\n3. MITRE\r\n1. Higaisa shortcuts\r\nThe first attack dates to May 12, 2020. At the core of the attack is an archive named Project link and New copyright\r\npolicy.rar (75cd8d24030a3160b1f49f1b46257f9d6639433214a10564d432b74cc8c4d020). The archive contains a bait PDF\r\ndocument (Zeplin Copyright Policy.pdf) plus the folder All tort's projects - Web lnks with two shortcuts:\r\nConversations - iOS - Swipe Icons - Zeplin.lnk\r\nTokbox icon - Odds and Ends - iOS - Zeplin.lnk\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2\r\nPage 1 of 39\n\nThe structure of malicious shortcuts resembles the sample 20200308-sitrep-48-covid-19.pdf.lnk spread by the Higaisa group\r\nin March 2020.\r\nFigure 1. Comparing command lines in the covid-19 and Zeplin shortcuts\r\nThe mechanism for initial infection is fundamentally the same: trying to open either of the shortcuts leads to running a\r\ncommand that extracts a Base64-encoded CAB archive from the body of the LNK file, after which the archive is unpacked\r\nto a temporary folder. Further actions are performed with the help of an extracted JS script.\r\nFigure 2. Contents of script 34fDFkfSD32.js\r\nBut here is where the similarity with the sample described in our Higaisa report ends: instead, this script copies the payload\r\nto the folder C:\\Users\\Public\\Downloads, achieves persistence by adding itself to the startup folder and adding a scheduler\r\ntask, and runs the payload. The script also sends the output of ipconfig in a POST request to\r\nhttp://zeplin.atwebpages[.]com/inter.php.\r\nThe command run by the shortcut also contains the opening of a URL file extracted from the archive. 
The name of the URL\r\nfile and the target address depend on which shortcut is opened:\r\nConversations - iOS - Swipe Icons - Zeplin.url goes to:\r\nhttps://app.zeplin.io/project/5b5741802f3131c3a63057a4/screen/5b589f697e44cee37e0e61df\r\nTokbox icon - Odds and Ends - iOS - Zeplin.url goes to:\r\nhttps://app.zeplin.io/project/5c161c03fde4d550a251e20a/screen/5cef98986801a41be35122bb.\r\nThis is the only difference between the two LNK files. In both cases, the target page is hosted on Zeplin, a legitimate service\r\nfor collaboration between designers and developers, and requires logging in to view.\r\nThe payload consists of two files:\r\nsvchast.exe\r\nIt functions as a simple local shellcode loader. The shellcode is read from a fixed path. Before starting, the loader\r\nchecks that the current year is one of 2018, 2019, 2020, or 2021.\r\nFigure 3. Main function in svchast.exe\r\n3t54dE3r.tmp\r\nThe shellcode containing the main payload is the Crosswalk backdoor.\r\nOn May 30, 2020, a new malicious archive, CV_Colliers.rar\r\n(df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d), was detected. It had two shortcuts:\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\nInternational English Language Testing System certificate.pdf.lnk\r\nTheir structure fully matched that of the samples from May 12. In this case, the bait consisted of PDF documents with a CV\r\nand an IELTS certificate. Depending on which shortcut was opened, the output of ipconfig was sent to one of two addresses:\r\nhttp://goodhk.azurewebsites[.]net/inter.php or http://sixindent.epizy[.]com/inter.php.\r\nNote that all three intermediate C2 servers are on third-level domains of free hosting services. When accessed in a browser,\r\neach displays a different decoy page:\r\nFigure 4. 
Page at zeplin.atwebpages_com\r\nFigure 5. Page at goodhk.azurewebsites_net\r\nFigure 6. Page at sixindent.epizy_com\r\nThese servers do not play a major role in the functioning of the malware; their precise purpose remains unknown. It may be\r\nthat the malware authors used these servers to monitor the success of the initial stages of infection, or else tried to lead security teams\r\n\"off the scent\" by masking the malware as a lesser threat.\r\n1.1 Attribution\r\nThese attacks have been studied in detail by Malwarebytes and Zscaler. Based on the similarity of the infection chains,\r\nresearchers classify them as belonging to the Higaisa group.\r\nHowever, detailed analysis of the shellcode demonstrates that the samples actually belong to the Crosswalk malware family.\r\nCrosswalk appeared no later than 2017 and was mentioned for the first time in a FireEye report on the activities of the\r\nAPT41 (Winnti) group.\r\nFigure 7. From the FireEye report\r\nFigure 8. Fragment of shellcode from 3t54dE3r.tmp\r\nThe network infrastructure of the samples overlaps with previously known APT41 infrastructure: at the IP address of one of\r\nthe C2 servers, we find an SSL certificate with the SHA-1 fingerprint b8cff709950cfa86665363d9553532db9922265c, which is\r\nalso found at IP address 67.229.97[.]229, referenced in a 2018 CrowdStrike report. Going further, we can find domains from\r\na Kaspersky report written in 2013.\r\nFigure 9. Fragment of network infrastructure\r\nAll this leads us to conclude that these LNK file attacks were performed by Winnti (APT41), which \"borrowed\" this shortcut\r\ntechnique from Higaisa.\r\n1.2 Crosswalk\r\nCrosswalk is a modular backdoor implemented in shellcode. 
The main component connects to a C2 server, collects and\r\nsends system information, and contains functionality for installing and running up to 20 additional modules received from\r\nthe server as shellcode.\r\nThe information collected by the module includes:\r\nOS uptime\r\nNetwork adapter IP addresses\r\nMAC address of one of the adapters\r\nOperating system version and whether it is 32-bit or 64-bit\r\nUsername\r\nComputer name\r\nName of running module\r\nPID\r\nShellcode version and whether it is 32-bit or 64-bit\r\n(Both 32-bit and 64-bit builds of the shellcode exist.) It has two-part version numbers; among those we found were 1.0, 1.10, 1.21, 1.22,\r\n1.25, and 2.0.\r\nFor more detailed analysis of one version of Crosswalk, see the VMware CarbonBlack investigation. Based on version 1.25\r\n(8e6945ae06dd849b9db0c2983bca82de1dddbf79afb371aa88da71c19c44c996), which was used in the attacks with LNK\r\nfiles, here we will describe the networking aspects of the malware in more detail.\r\nCrosswalk has broad capabilities for connecting to C2 servers. The network configuration for this particular sample is at the\r\nend of the shellcode and is XOR encrypted with a 16-byte key. 
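As an added example (not code from the original report): a decoder for the trailing configuration block described in this section. It scans the tail of a shellcode blob for the size/key header, XOR-decrypts the body with the repeating 16-byte key, reads the fields at the offsets the report gives for this sample, and evaluates the day-of-week/time-of-day connection window. Three details the report does not state are assumptions here: the hostname entries of the C2 array are treated as variable-length and packed back to back, bit 0 of the day mask is taken to be Sunday, and the time bounds are taken to be seconds since midnight. The blob it runs on is constructed by build_sample and is not a real sample.

```python
# Added example, not code from the report: decode the XOR-encrypted network
# configuration at the tail of a Crosswalk shellcode blob and evaluate its
# connection window. Field offsets follow the report; the hostname entries of
# the C2 array are ASSUMED to be variable-length and packed back to back, day
# bit 0 is ASSUMED to be Sunday, and time bounds are ASSUMED to be seconds
# since midnight.
import struct

HEADER_LEN = 20          # 4-byte body size + 16-byte XOR key
C2_ARRAY = 0x1A0         # offset of the C2 array inside the decrypted body
STR_FIELD = 0x80         # width of the proxy host / user / password fields


def xor_repeat(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def cstr(buf, off, width):
    raw = buf[off:off + width]
    end = raw.find(0)
    return (raw if end < 0 else raw[:end]).decode('latin-1')


def parse_body(body):
    hb, rc, days, t_lo, t_hi, pport, ptype = struct.unpack_from('<7I', body, 0)
    cfg = {
        'heartbeat': hb, 'reconnect': rc, 'days_mask': days,
        'time_lo': t_lo, 'time_hi': t_hi,
        'proxy': {'type': ptype, 'port': pport,
                  'host': cstr(body, 0x1C, STR_FIELD),
                  'user': cstr(body, 0x9C, STR_FIELD),
                  'password': cstr(body, 0x11C, STR_FIELD)},
        'c2': [],
    }
    count = struct.unpack_from('<I', body, 0x19C)[0]
    off = C2_ARRAY
    for _ in range(count):
        ctype, port, resolve, nlen = struct.unpack_from('<4I', body, off)
        host = body[off + 0x10:off + 0x10 + nlen]
        if len(host) != nlen:
            raise ValueError('truncated C2 entry')
        cfg['c2'].append({'type': ctype, 'port': port,
                          'resolve_dns': bool(resolve),
                          'host': host.decode('latin-1')})
        off += 0x10 + nlen
    return cfg


def plausible(cfg):
    # Cheap sanity filter so a coincidental size match is not taken for the config.
    return (0 < cfg['heartbeat'] < 86400 * 31 and cfg['days_mask'] <= 0x7F
            and 0 < len(cfg['c2']) <= 32
            and all(0 < c['port'] < 65536 and 0 < len(c['host']) < 256
                    for c in cfg['c2']))


def extract_config(shellcode):
    # The size field sits at the start of the block, so walk candidate offsets
    # backwards and keep the one whose size lands exactly on the end of the blob.
    for off in range(len(shellcode) - HEADER_LEN - C2_ARRAY, -1, -1):
        size = struct.unpack_from('<I', shellcode, off)[0]
        if size < C2_ARRAY or off + HEADER_LEN + size != len(shellcode):
            continue
        key = shellcode[off + 4:off + HEADER_LEN]
        try:
            cfg = parse_body(xor_repeat(shellcode[off + HEADER_LEN:], key))
        except (struct.error, ValueError):
            continue
        if plausible(cfg):
            return off, cfg
    raise ValueError('no Crosswalk configuration found')


def may_connect(cfg, weekday, seconds_of_day):
    # weekday 0 = Sunday (assumed); the window is [time_lo, time_hi).
    day_ok = bool(cfg['days_mask'] >> weekday & 1)
    return day_ok and cfg['time_lo'] <= seconds_of_day < cfg['time_hi']


SAMPLE_KEY = bytes(range(0x10, 0x20))


def build_sample(key=SAMPLE_KEY):
    # Constructed test blob, not a real sample: filler bytes standing in for
    # code, then a config with one proxy and two C2 entries that mirror the
    # transport types the report observed (3 on 8443, 1 on 8080).
    def put(buf, off, text):
        data = text.encode('ascii')
        buf[off:off + len(data)] = data

    body = bytearray(C2_ARRAY)
    struct.pack_into('<7I', body, 0, 60, 300, 0x3E, 9 * 3600, 18 * 3600, 8080, 1)
    put(body, 0x1C, 'proxy.example.net')
    put(body, 0x9C, 'svc_proxy')
    put(body, 0x11C, 'pr0xyP4ss')
    struct.pack_into('<I', body, 0x19C, 2)
    for ctype, port, resolve, host in ((3, 8443, 1, 'c2.example.net'), (1, 8080, 0, '10.0.0.5')):
        body += struct.pack('<4I', ctype, port, resolve, len(host)) + host.encode('ascii')
    filler = bytes(range(256)) * 2
    return filler + struct.pack('<I', len(body)) + key + xor_repeat(bytes(body), key)


if __name__ == '__main__':
    offset, config = extract_config(build_sample())
    print(offset, config['proxy'], config['c2'])
    print(may_connect(config, 1, 10 * 3600), may_connect(config, 0, 10 * 3600))
```

The end-anchored scan is the practical part: because the size field precedes the key and body, the block cannot be located by a fixed offset from the end, so every candidate offset whose size lands exactly on the blob end is tried and only a decoded body that passes the plausibility filter is accepted. On a real dump, adjust plausible to the value ranges you observe before trusting a hit.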
The data structure is as follows:\r\nConfiguration size (4 bytes)\r\nKey (16 bytes)\r\nEncrypted configuration\r\nThe configuration, in turn, contains the following fields:\r\n0x0 heartbeat interval (in seconds)\r\n0x4 reconnect interval (in seconds)\r\n0x8 bitmask for days of the week when connections may be made\r\n0xC (inclusive) lower bound for time of day when connections may be made\r\n0x10 (non-inclusive) upper bound for time of day when connections may be made\r\n0x14 proxy port\r\n0x18 proxy type\r\n0x1C proxy host\r\n0x9C proxy username\r\n0x11C proxy password\r\n0x19C number of C2 servers\r\n0x1A0 array of structures of C2 servers\r\nA C2 server structure consists of the following fields:\r\n0x0 connection type\r\n0x4 port\r\n0x8 whether DNS name resolution is necessary (yes/no)\r\n0xC length of hostname\r\n0x10 hostname\r\nBefore attempting to connect, the backdoor checks whether the current day of the week and time match those allowed in the\r\nconfiguration. Then, one after the other, it tries combinations of possible proxy servers (any indicated in the configuration\r\nplus system proxies) and C2 servers until it connects successfully.\r\nThe communication protocol used between the backdoor and C2 server can be separated logically into two levels:\r\n1. Application-level protocol\r\n2. Transport-level protocol\r\nOn the application level, messages consist of the following fields:\r\nFakeTLS header consisting of 5 bytes:\r\nEntry type and protocol version (3 bytes). 
For the client these always equal 17 03 01; for the server, they have\r\nrandom values.\r\nData length, not including header (2 bytes)\r\nMessage contents:\r\nCommand ID (4 bytes, little-endian)\r\nCommand data size (4 bytes, little-endian)\r\nClient ID (36 bytes), generated based on the UUID when the backdoor starts operation\r\nCommand data\r\nThe first two client–server and server–client messages have command IDs 0x65 and 0x64, respectively. They contain the\r\ndata that will then be used to generate the client and server session keys. The key generation algorithm is detailed in a\r\nZscaler report. For all subsequent messages, the content (not including the FakeTLS header) is encrypted with the\r\ncorresponding session key; AES-128 is the encryption algorithm used.\r\nThe transport-level protocol depends on the connection type indicated in the configuration. Four protocols are supported:\r\n1. Standard TCP connection\r\nApplication-level messages are sent unchanged as TCP segments.\r\n2. Equivalent to HTTP Long Polling\r\nThe client creates two TCP connections. The first will be used to get packets from the server, and the second to send\r\nthem.\r\nDuring the first connection, a GET request is sent to the C2 server. The server replies with status code 200 and the header\r\nContent-Length: 524288000. The subsequent stream of application-level messages from the server to the client is\r\nsent as the body of that HTTP response.\r\nFigure 10. First HTTP connection with C2\r\nAfter the correct response headers are received, the malware establishes a second connection to the same port, where\r\na POST request is made. The header dCy is generated by the client based on the UUID and, it would seem, serves as\r\nthe session ID that links the two connections. 
After receipt of a response with code 200, subsequent messages from\r\nthe client to the server are sent using separate POST requests.\r\nFigure 11. Second HTTP connection with C2\r\n3. Duplication of socket with TLS connection\r\nThe client establishes a TCP connection and sends an HTTPS request like the following one:\r\nGET /msdn.cpp HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: WinHTTP/1.1\r\nContent-Length: 4294967295\r\nHost: 149.28.152[.]196\r\nThe HTTPS connection is not used again: all further messages are exchanged over the original TCP connection\r\n(without TLS encryption), i.e., as in protocol 1, except that at the beginning of the session the client sends two packets\r\nwith the FakeTLS header, which starts with the sequence 17 03 01. The first packet always has length 0. The second has\r\nlength 0x3A, 0x3C, 0x3E, or 0x40 and contains random bytes. We were unable to determine the purpose of these packets.\r\nFigure 12. Additional packets with FakeTLS header\r\n4. KCP protocol\r\nKCP is a protocol that can be layered on top of any other protocol (including UDP) to provide fast, reliable data\r\ntransfer. The Crosswalk client uses KCP on top of a TCP connection: KCP protocol data is added to application-level\r\nmessages, which are then sent as TCP segments.\r\nFigure 13. Crosswalk message with KCP headers (highlighted in yellow)\r\nNote that none of the Crosswalk samples we detected used the KCP protocol in practice. But the code\r\ncontains a full-fledged implementation of this protocol, which could be used in other attacks: the developers would simply\r\nneed to set this connection type in the configuration.\r\nThe diversity of protocols and techniques is evidently intended to hinder network traffic inspection.\r\n2. 
Loaders and injectors\r\nInvestigation of network infrastructure and monitoring of new Crosswalk samples put us onto the scent of other malicious\r\nobjects containing Crosswalk shellcode as their payload. We can categorize these objects into two groups: local shellcode\r\nloaders and injectors. Some of the samples in both groups are also obfuscated with VMProtect.\r\n2.1 Injectors\r\nFigure 14. Code for injecting shellcode into a running process\r\nThe injectors contain typical code that obtains SeDebugPrivilege, finds the PID of the target process, and injects shellcode\r\ninto it. Depending on the sample, explorer.exe or winlogon.exe is the target process.\r\nThe samples we found contain one of three payloads:\r\nCrosswalk\r\nMetasploit stager\r\nFunnySwitch (discussed later in this report)\r\nCrosswalk and FunnySwitch shellcode is located in the data sections \"as-is,\" while the samples with Metasploit show\r\nadditional XOR encryption with the key \"jj1\".\r\n2.2 Local shellcode loaders\r\nThe main function of the malware is to extract shellcode and run it in its own process. The malware samples belong to one\r\nof two categories, based on the source of the shellcode that they use: the original executable itself or an external file in the same\r\ndirectory.\r\nMost of the loaders start by checking the current year, much like the samples from the LNK file attacks.\r\nFigure 15. Code of the loader's main function\r\nAfter the malware resolves the API functions it needs, it decrypts the string Global\\0EluZTRM3Kye4Hv65IGfoaX9sSP7VA\r\nwith the ChaCha20 algorithm. In one older version, to prevent a second instance from running, the loader creates a mutex named\r\nGlobal\\5hJ4YfUoyHlwVMnS1qZkd2tEmz7GPbB. 
But in recent samples, the decrypted string is not used in any way.\r\nPerhaps part of the code was accidentally deleted during the development process.\r\nAnother artifact found in some samples is the unused string CSPELOADKISSYOU. Its purpose remains unclear.\r\nFigure 16. String \"CSPELOADKISSYOU\" in data section\r\nIn the self-contained loaders, the shellcode is located in the PE file overlay. The shellcode is stored in a curious way: the data\r\nbegins with a 0x60-byte header, followed by the (encrypted) shellcode. The data length is stored at offset –0x24 from\r\nthe end of the executable. The header always starts with the PL signature. The other header data is used for decryption: a\r\n32-byte key is located at offset 0x28 and a 12-byte nonce for the ChaCha20 algorithm is at offset 0x50.\r\nFigure 17. Handling of PL shellcode in the loader body (ChaCha20)\r\nThe ChaCha20 implementation is not always present: some of the samples use Microsoft CryptoAPI with AES-128-CBC for\r\nencryption. The key material is again found in the structure of the PL shellcode: at offset 0x28, there are 32 bytes that\r\nare hashed with MD5 to obtain the AES key.\r\nFigure 18. Handling of PL shellcode in the loader body (AES-128)\r\nOlder loader versions use Cryptography API: Next Generation (BCrypt* functions) in an equivalent way. They use AES-128\r\nin CFB mode as the encryption algorithm.\r\nThe loaders that rely on external files have a similar code structure and one of two encryption types: ChaCha20 or\r\nAES-128-CBC. The file should contain PL shellcode of the same format as in the self-contained loader. The name depends on the\r\nspecific sample and is encrypted with the algorithm used in it. It can contain a full file path (although we did not detect any\r\nsuch samples) or a relative path.\r\nFigure 19. 
Building the file name with PL shellcode\r\nAmong all the loaders, we encountered three different shellcode payloads:\r\nCrosswalk\r\nMetasploit stager\r\nCobalt Strike Beacon\r\n2.3 Attack examples\r\n2.3.1 An encrypted resume\r\nThis malicious file is a RAR archive, electronic_resume.pdf.rar\r\n(025e053e329f7e5e930cc5aa8492a76e6bc61d5769aa614ec66088943bf77596), with two files:\r\nFigure 20. Contents of electronic_resume.pdf.rar\r\nThe first file might look like bait, but trying to open it in a PDF viewer gives an error, since it is practically a copy of the\r\nexecutable described next.\r\nThe file Электронный читатель резюме.exe (\"Electronic resume reader.exe\") is an executable self-contained loader for\r\nPL shellcode. It contains Cobalt Strike Beacon as the payload.\r\nFigure 21. Configuration of Cobalt Strike Beacon\r\nThe archive was distributed on approximately June 1, 2020, from the IP address 66.42.48[.]186 and was available at\r\nhxxp://66.42.48[.]186:65500/electronic_resume.pdf.rar. The same IP address was used as the C2 server.\r\nThe modification time of the archive files, as well as the date on which the archive was found on the server, point to the attack\r\nbeing active in late May or early June. The Russian filenames suggest that the targets were Russian-speaking users.\r\n2.3.2 I can't breathe\r\nThe attack is practically identical to the previous one: malware is distributed in a RAR archive video.rar\r\n(fc5c9c93781fbbac25d185ec8f920170503ec1eddfc623d2285a05d05d5552dc) and consists of two .exe files. The archive was\r\navailable on June 1 on the same server at the address hxxp://66.42.48[.]186:65500/video.rar.\r\nFigure 22. 
Contents of video.rar\r\nThe executable files are self-contained loaders of Cobalt Strike Beacon PL shellcode with a similar configuration and the\r\nsame C2 server.\r\nThe bait is notable for its topic: the attackers were attempting to exploit U.S. protests related to the death of George Floyd.\r\nThe main bait was a video with the name \"I can't breathe-America's Black Death protests that the riots continue to escalate\r\nand ignite America!.mp4\" containing reporting on protests in late May 2020. Judging by the logo, the source of the video\r\nwas the Australian portal XKb, which releases news materials in Chinese.\r\nFigure 23. Still frame from the bait video\r\n2.3.3 Chat transcript\r\nThe archive запись чата.7z (\"chat transcript.7z\")\r\n(e0b675302efc8c94e94b400a67bc627889bfdebb4f4dffdd68fdbc61d4cd03ae) contains three identical executable files with\r\nnames resembling \"запись чата-1.png____________________________________.exe\" (\"chat transcript-1.png____________________________________.exe\"), used in attacks again targeting Russian-speaking users.\r\nFigure 24. Contents of the archive, the name of which promises a \"chat transcript\"\r\nThe malicious files are self-contained PL shellcode loaders, but the payload here is Crosswalk version 2.0.\r\nIts configuration specifies three ways to connect to the C2 server at 149.28.23[.]32:\r\nTransport protocol 3, port 8443\r\nTransport protocol 2, port 80\r\nTransport protocol 1, port 8080\r\nFigure 25. Fragment of the Crosswalk configuration\r\n3. Attacks on Russian game developers\r\nThe Winnti group first became famous for its attacks on computer game developers. Such attacks continue today, and\r\nRussian companies are also among their targets.\r\n3.1 Unity3D Game Developer from St. 
Petersburg\r\nThe attack is based on the archive Resume.rar (4d3ad3ff281a144d9a0a8ae5680f13e201ce1a6ba70e53a74510f0e41ae6a9e6),\r\nwhich contains just one file: CV.chm.\r\nOpening the file on a system without the relevant security updates installed causes two windows to appear simultaneously: the CHM help page in HTML Help\r\nand a PDF document. They contain the same information: a curriculum vitae for the position of game developer or database\r\nmanager at a St. Petersburg company.\r\nThe CV contains plausible contact information, with a St. Petersburg address, an email address ending with \"@yandex.ru\", and\r\na phone number starting with \"+7\" (Russia's country code). The only obviously fake aspect is the phone number: 123-45-67.\r\nFigure 26. Result of opening the CHM file\r\nThe PDF file opens due to the script pass.js, which is contained in the CHM file and referenced in the code of the HTML\r\npage.\r\nFigure 27. Reference to pass.js in HTML code\r\nThe script uses a known technique for running an arbitrary command from a CHM file via an ActiveX object. The command unpacks the\r\ncontents of the help file to the folder C:\\Users\\Public and launches the next stage of the infection: the file resume.exe, which is also\r\nembedded inside the CHM file.\r\nFigure 28. 
Deobfuscated script pass.js\r\nresume.exe is an advanced shellcode injector of which we had encountered only one sample as of the writing of this article.\r\nBefore it gets down to business, this malware, like many other samples we have seen from Winnti, checks the current year.\r\nIt also checks the running processes and will not run if any of the following are active:\r\nollydbg.exe|ProcessHacker.exe|Fiddler.exe|windbg.exe|tcpview.exe|idaq.exe|idaq64.exe|tcpdump.exe|Wireshark.exe.\r\nOn first launch, the shellcode is taken from MyResume.pdf; on subsequent launches, winness.config is the shellcode\r\nsource.\r\nFigure 29. Main function in resume.exe\r\nMyResume.pdf is unpacked from the CHM file. The data read by resume.exe is appended to the end of the PDF file. If the\r\nuser opens it directly, a message warns that the document is password-protected.\r\nFigure 30. MyResume.pdf, as viewed in Adobe Acrobat Reader\r\nCompared to the PL shellcode, the data structure is more complex and contains the following:\r\nROR-13 hash of the data starting from byte 0x24 (0x20, 4 bytes)\r\nNonce for the ChaCha20 algorithm (0x24, 12 bytes)\r\nChaCha20-encrypted data (0x30):\r\nName of PDF file (+0x0)\r\nSize of PDF file (+0x20)\r\nSize of auxiliary shellcode (+0x24)\r\nSize of main shellcode (+0x28)\r\nConstant 0xE839E900 (+0x2C)\r\nPDF file\r\nAuxiliary shellcode\r\nMain shellcode\r\nOn first launch of resume.exe, the encrypted portion of the data is decrypted (the key is hard-coded in the executable) and\r\nthree sections are extracted (PDF, auxiliary shellcode, and main shellcode). The PDF file is saved with a name resembling\r\n_797918755_true.pdf in a temporary folder. It is then opened for the user (the second window in Figure 26,\r\nnext to HTML Help).\r\nFigure 31. 
resume.exe: actions on first launch\r\nThe payload runs in a new process, %windir%\\System32\\spoolsv.exe, into which the main shellcode is injected: Cobal
Strike Beacon with C2 address 149.28.84[.]98.\r\nInjection is done by creating a section with ZwCreateSection, mapping it into both the parent and the child process with\r\nZwMapViewOfSection, copying the shellcode into the section, and placing a jump to the shellcode at the entry point of\r\nspoolsv.exe.\r\nFor persistence, resume.exe (under the name winness.exe) is copied to the folder %appdata%\\Microsoft\\AddIns\\ and the\r\nmain shellcode is re-encrypted and saved in the same location, with the name winness.config. To ensure autostart, the auxiliary\r\nshellcode writes the file svchost.bat, which transfers control to winness.exe, to the startup folder. To avoid detection at\r\nthis stage, the auxiliary shellcode is injected in a similar way into spoolsv.exe, independently resolves the necessary functions,\r\nand writes the file from a separate thread.\r\nWhen winness.exe runs after a restart, the main shellcode is decrypted from winness.config and injected into spoolsv.exe in\r\nexactly the same way.\r\n3.2 HFS with a surprise\r\nFigure 32. HFS server on Winnti infrastructure\r\nOn June 23, 2020, while investigating Winnti network infrastructure, we detected an active HttpFileServer (HFS) on one of the\r\nactive C2 servers. Four images were publicly listed there: an email icon, a screenshot from a game with Russian text, a screenshot\r\nof the website of a game development company, and a screenshot of information about the vulnerability CVE-2020-0796 from the\r\nMicrosoft website.\r\nFigure 33. 13524222881554126454-128.png\r\nFigure 34. 
EaVpPBNXgAE8s3r.jpg\r\nFigure 35. website_battlestategames.png\r\nFigure 36. windows_update.png\r\nThe screenshots relate to Battlestate Games, the St. Petersburg-based developer of Escape from Tarkov.\r\nAlmost two months later, on August 20, 2020, the file\r\nCV.pdf____________________________________________________________.exe\r\n(e886caba3fea000a7de8948c4de0f9b5857f0baef6cf905a2c53641dbbc0277c) was uploaded to VirusTotal. This file is a self-contained loader for Cobalt Strike Beacon PL shellcode.\r\nIts C2 server is interesting: update.facebookdocs[.]com.\r\nWe discovered that the main domain facebookdocs[.]com hosted a copy of the official site of Battlestate Games:\r\nwww.battlestategames.com. Via an associated C2 IP address (108.61.214[.]194), we found an equivalent page on the\r\nphishing domain www.battllestategames[.]com (note the double \"l\").\r\nFigure 37. Copy of the official Battlestate Games site\r\nWhen used as C2 servers, such domains give attackers the ability to mask malicious traffic as legitimate activity within the\r\ncompany.\r\nThe combination of these two finds makes us think that we detected traces of preparation for, and subsequent successful\r\nexecution of, an attack on Battlestate Games.\r\nMoreover, the match between the job listing for a Unity3D developer (seen in the screenshot of the official site) and the\r\ncontents of the curriculum vitae in the file CV.chm (described in the previous section), together with the closeness in time and\r\nthe fact that both the company and the \"applicant\" are located in St. Petersburg, suggests a connection between\r\nthese attacks. 
Most likely, the CHM file attack was used in the initial stage of the breach, although we do not have solid\r\nconfirmation for this.\r\nUse of typosquatting domains for C2 servers is typical of Winnti and has been described in a Kaspersky report.\r\nBattlestate Games received all of the information uncovered by our investigation into the suspected attack.\r\n4. A purloined certificate\r\nAnother favorite Winnti technique is the theft of code-signing certificates. Compromised certificates are used to sign\r\nmalicious files intended for future attacks.\r\nWe found one such certificate belonging to the Taiwanese company Zealot Digital:\r\nName: ZEALOT DIGITAL INTERNATIONAL CORPORATION\r\nIssuer: GlobalSign CodeSigning CA - SHA256 - G2\r\nValid From: 07:43 AM 08/20/2015\r\nValid To: 07:43 AM 09/19/2016\r\nValid Usage: Code Signing\r\nAlgorithm: sha256RSA\r\nThumbprint: 91e256ac753efe79927db468a5fa60cb8a835ba5\r\nSerial Number: 112195a147c06211d2c4b82b627e3d07bf09\r\nThe files signed with it were predominantly used in attacks on organizations in Hong Kong. They include Crosswalk and\r\nMetasploit injectors, the JuicyPotato privilege-escalation utility, and samples of FunnySwitch and ShadowPad.\r\n5. FunnySwitch\r\nAmong the files signed with the Zealot Digital certificate, we discovered two samples of malware containing a previously\r\nunknown backdoor. We have called it FunnySwitch, based on the name of the library and one of the key classes. The\r\nbackdoor is written in .NET and can send system information as well as run arbitrary JScript code, with support for six\r\ndifferent connection types, including the ability to accept incoming connections. 
One of its distinguishing features is the\r\nability to act as a message relay between different copies of the backdoor and a C2 server.\r\n5.1 Unpacking\r\nThe attack in question starts with the SFX archive x32.exe\n(2063fae36db936de23eb728bcf3f8a5572f83645786c2a0a5529c71d8447a9af).\nFigure 38. Contents of the archive x32.exe\nThe archive unpacks three files (1.vbs, n3.exe, and p3.exe) into the folder c:\\programdata, after which the extracted VBS\nscript runs both executables.\nThe files n3.exe and p3.exe are nearly identical and inject shellcode into the process explorer.exe. The only difference between\nthem is the final bytes of the shellcode they inject, which contain the XML configuration. In one case, the proxy server\n168.106.1[.]1 is additionally specified there:\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\nA subdomain of kasprsky[.]info, db311secsd.kasprsky[.]info, is the C2 domain. Interestingly, several of its other subdomains\nare mentioned in an FBI report. It dates to May 21, 2020, and warns of attacks on organizations linked to COVID-19\nresearch.\nThe job of the shellcode is to load and execute a method from the .NET assembly located immediately after its code. To\ndo so, it gets a reference to the ICorRuntimeHost interface, which it uses to start the CLR and create an AppDomain object. The\ncontents of the assembly are loaded into the newly created domain. Reflection is used to run the static method\nFunny.Core.Run(xml_config), to which the XML configuration is passed.\nFigure 39. Calling a method from the .NET assembly\nThe assembly is the library Funny.dll, obfuscated with ConfuserEx.\n5.2 Funny.dll\nThe backdoor starts by parsing the configuration. 
Its root element may contain the following fields:
Debug is the flag for enabling debug logging.
Group is an arbitrary string sent together with system information.
Password is the key used to encrypt messages.
ID identifies the relay (if not present in the configuration, the GUID is used instead).
StartTime, EndTime, and WeekDays restrict the times and days when the backdoor may function.
The <Config> element may contain an arbitrary number of elements describing various types of connectors:
TcpConnector and TcpBindConnector are classes responsible for connecting over TCP as client and server. They have two parameters in common: address and port (by default, 38001). TcpConnector also has the parameter interval, which indicates how long to wait before trying to reconnect.
HttpConnector and HttpBindConnector are the HTTP client (with proxy support) and HTTP server, respectively. Supported client parameters: url (address to connect to), interval (same as for TcpConnector), and proxy and cred (proxy server address and credentials). Server parameters: url (list of prefixes on which it will listen) and timeout (client timeout).
The standard classes HttpWebRequest and HttpListener from .NET Framework are used for the client and server implementations. Both HTTP and HTTPS are supported: if no SSL certificate is configured for the port on which the server is running, the server will be launched with a certificate whose CN = Environment.MachineName + ".local.domain". The client, in turn, ignores certificate validation.
RPCConnector and RPCBindConnector are classes that allow setting up a connection via a Named Pipe.
They take a single parameter, name, which is the name of the connection.
TcpBindConnector and HttpBindConnector support simultaneous connections from multiple clients.
For the network connectors to work, the backdoor adds an allow rule to Windows Firewall named "Core Networking ― IPv4" for its executable module.
Figure 40. Code for adding Windows Firewall rules
Just like with Crosswalk, there are multiple levels of the protocol: in this case, transport, network, and application.

5.2.1 Transport protocols

1. TCP
TCP supports three types of messages: PingMessage (0x1), PongMessage (0x2), and DataMessage (0x3). The first two monitor the connection and are relevant only at the TcpConnector/TcpBindConnector level. DataMessage carries network-level data.
Messages consist of a signature (4 bytes), an encrypted header (16 bytes), and optional data.
The signature is three random bytes followed by their sum modulo 256. Incoming messages with an invalid signature are discarded.
The header contains the data size (4 bytes) and a byte indicating the message type (0x1, 0x2, or 0x3).
It is encrypted with AES-256-CBC; the key and IV are taken from the MD5 of the key string. The backdoor uses this encryption method in other cases as well, which is why we refer to it as "standard" in the text that follows. The key string in this case is "tcp_encrypted".
Figure 41. Standard encryption in FunnySwitch
2. HTTP with long polling
There are three types of requests: GET "connect", GET "pull", and POST "push". To start transferring data, the client must connect by sending a GET request to a URL from the configuration and provide a special cookie value.
The cookie name is eight random characters.
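The TCP framing described above (4-byte signature, 16-byte encrypted header, optional data) and the "standard" AES-256-CBC scheme that the backdoor reuses with other key strings ("http" for the HTTP cookie, "commonkey" at the network level, the Password attribute or "test" at the application level) are written out below as an added Go example for an analyst who wants to validate or decode captured frames. This is not code from the report or from the malware; the exact key/IV derivation from the MD5 digest, the PKCS#7 padding, and the little-endian layout of the 5-byte header are assumptions, marked as such in the comments, and BuildTCPMessage exists only to construct test input for the parser.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// Message types and TCP key string as given in the report.
const (PingMessage, PongMessage, DataMessage byte = 0x1, 0x2, 0x3)

const tcpKeyString = "tcp_encrypted"

// cbcParams derives the AES-256 key and IV from a key string via MD5.
// ASSUMPTION: the report only says both come from the MD5 of the key string;
// here the 32-byte key is the hex digest as ASCII and the IV is the raw digest.
func cbcParams(keyString string) (cipher.Block, []byte, error) {
	sum := md5.Sum([]byte(keyString))
	block, err := aes.NewCipher([]byte(hex.EncodeToString(sum[:])))
	return block, sum[:], err
}

// StandardEncrypt applies the backdoor's "standard" AES-256-CBC scheme (PKCS#7
// padding assumed). The same routine serves the other key strings the report
// lists: "http", "commonkey", and the Password attribute or "test".
func StandardEncrypt(keyString string, plain []byte) ([]byte, error) {
	block, iv, err := cbcParams(keyString)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// StandardDecrypt reverses StandardEncrypt and rejects malformed input.
func StandardDecrypt(keyString string, ct []byte) ([]byte, error) {
	block, iv, err := cbcParams(keyString)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-n], nil
}

// ValidSignature checks the 4-byte frame signature: three random bytes followed
// by their sum modulo 256 (byte addition wraps, so no explicit modulo is needed).
func ValidSignature(sig []byte) bool {
	return len(sig) == 4 && sig[3] == sig[0]+sig[1]+sig[2]
}

// BuildTCPMessage frames a message as the report describes; it exists only to
// construct test input. ASSUMPTION: the 5-byte header is a little-endian 4-byte
// size followed by the type byte, which pads to the 16-byte encrypted header.
func BuildTCPMessage(msgType byte, data []byte) ([]byte, error) {
	sig := make([]byte, 4)
	if _, err := rand.Read(sig[:3]); err != nil {
		return nil, err
	}
	sig[3] = sig[0] + sig[1] + sig[2]
	hdr := make([]byte, 5)
	binary.LittleEndian.PutUint32(hdr, uint32(len(data)))
	hdr[4] = msgType
	encHdr, err := StandardEncrypt(tcpKeyString, hdr)
	if err != nil {
		return nil, err
	}
	return append(append(sig, encHdr...), data...), nil
}

// ParseTCPMessage validates the signature, decrypts the 16-byte header and
// returns the message type and payload. Frames with a bad signature are
// discarded, as the backdoor itself does; a size mismatch is also rejected.
func ParseTCPMessage(frame []byte) (byte, []byte, error) {
	if len(frame) < 20 {
		return 0, nil, errors.New("frame too short")
	}
	if !ValidSignature(frame[:4]) {
		return 0, nil, errors.New("invalid signature")
	}
	hdr, err := StandardDecrypt(tcpKeyString, frame[4:20])
	if err != nil || len(hdr) != 5 {
		return 0, nil, errors.New("header decrypt failed")
	}
	size, msgType := binary.LittleEndian.Uint32(hdr), hdr[4]
	if uint32(len(frame)-20) != size {
		return 0, nil, errors.New("declared size does not match payload")
	}
	return msgType, frame[20:], nil
}
```

Because the signature is only a 3-byte checksum with no secret, it filters noise rather than authenticating peers; what ties a frame to this family on the wire is the fixed key string, so a decoder like this one, fed with a PCAP of port 38001 traffic, can confirm a suspected FunnySwitch session once the derivation assumptions are verified against a sample.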
The value is an encrypted Base64 string containing the session GUID and the operation name ("connect"). The string is encrypted in the standard way with the key "http".
The client then constantly sends GET requests with the pull operation. In response, the server returns the relevant array of messages for the client or, if no new messages have arrived in the last 10 seconds, an empty response. Client-to-server messages are likewise sent periodically as an array, using a POST request with the push operation.
Figure 42. FunnySwitch connect and pull requests
The special MsgPack class, which implements a custom serialization protocol, unpacks the array and other primitive types.
3. RPC (Pipe)
Similar to TCP, except for the absence of connection monitoring.

5.2.2 Network-level protocol

Figure 43. Function for processing incoming network-level communications
All messages at this level are encrypted in the backdoor's standard way, with the key string "commonkey".
Messages are an array of three or four elements:
Message type ("hello_request", "hello_response", "message", "error")
Source serialized array
Destination serialized array
Payload (application-level data)
The MsgPack class is also used for serialization. The Source and Destination arrays contain the IDs of the relays through which the message has already passed and the IDs of the relays through which it should be delivered to the recipient.
The bodies of hello_request and hello_response messages contain information about the sender's system. When one of these messages is received, the relay saves the sender ID, the connector instance used, and the system data.
These message types are used to establish a direct connection between relays.
Messages of the "message" type (ones that are not hello_request, hello_response, or error) can be passed via several relays. If the Destination field contains only the ID of the current instance, the message is handled locally; if not, it is sent to the next relay in the list. For connecting to the next instance, the backdoor uses the connector that was saved when exchanging hello_request and hello_response messages.
The backdoor collects the following system information:
Values of the registry keys ProductName and CSDVersion from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Whether the OS is 32-bit or 64-bit
List of IP addresses
Computer name
Username and workgroup
Name of the running module
PID
MAC addresses of network adapters
Value of the Group attribute in the XML configuration

5.2.3 Application-level protocol

At the application level, data is encrypted in the standard way using the value of the Password attribute from the configuration. If no such value exists, the key string is "test". Data is compressed with GZip prior to encryption.
After decryption and decompression, the payload is an array (packed MsgPack) consisting of one or two elements: a string with the name of a command and an optional array of bytes (data for the command). These elements, in turn, contain another serialized array, which holds a message ID string (used to send back the result of the command) plus the data for the command.

5.2.4 Supported commands

Command: Description
invoke: Run JScript code and get the result. The implementation was separated out into a JSCore .NET assembly, which is dynamically loaded from a Base64 constant defined in the main assembly.
Figure 44.
Loading the Funny.Eval class from the JSCore assembly
Code execution is accomplished with classes from the Microsoft.JScript namespace.
Figure 45. Code fragments from the Funny.Eval class
connect: Takes an XML string with a connector configuration and creates the corresponding object.
update: Packs a response containing the IDs of the relays connected to the current copy, together with their system information.
query: Collects the configuration of active connector instances other than the RPCConnector and RPCBindConnector classes.
remove: Removes the specified connector.
createStream: Creates a message queue with the indicated name. The queue connects with the sender of the createStream command.
closeStream: Deletes the named message queue.
sendStream: Adds a message (byte array) to the queue with the specified name.
The result of executing each command is returned to the sender via the invoke-response command.

5.2.5 Unused code

By all appearances, the FunnySwitch backdoor is still under development, as shown by the incomplete state of the message queue functionality. Besides the commands described above, the code contains the functions PullStream and SendStream, which are not used anywhere. The first extracts a message from the queue (by queue name), while the second sends its creator an arbitrary set of bytes with the stream-data command.
The code also contains several unused classes: an implementation of the KCP protocol, the limited-size queue SizeQueue, and the string serializer StreamString.
Figure 46. Fragment of KCP class code

5.2.6 FunnySwitch vs. Crosswalk

Based on our investigation of the two backdoors, we believe that they were written by the same developers.
Several things point to common authorship:
Use of multiple transport protocols
Support for specifying a proxy server
Identical configuration restrictions on time of day and days of the week
Implementation of the KCP protocol
Implemented (and disabled by default) logging of debug messages and errors
Figure 47. Error logging in Crosswalk
Figure 48. Message logging in FunnySwitch

6. ShadowPad

During the investigation we also discovered two samples containing ShadowPad malware.
The first of these is the SFX archive 20200926___Request for wedding reception.exe (03b7b511716c074e9f6ef37318638337fd7449897be999505d4a3219572829b4).
Figure 49. Contents of the archive 20200926___Request for wedding reception.exe
As bait, it contains a Chinese-language Microsoft Word document with the text of a wedding banquet form.
Figure 50. Bait file wedding.docx
The archive contents are unpacked to the folder c:\programdata, from where (besides the bait file being opened) the payload log.exe is launched.
Both the executable file and the DLL library are obfuscated with VMProtect, but we also found identical unprotected versions (as shown in the following screenshots).
An unpacked legitimate component of Bitdefender (386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd) serves as log.exe. It dynamically loads the library log.dll.
Figure 51. Loading log.dll in log.exe
The library, in turn, when loaded checks whether the current module contains a certain set of bytes at offset 0x2775. If the loading module meets its expectations, these bytes are changed to a call instruction for a DLL function.
As a result, in log.exe right after log.dll loads, a call is made to the function sub_100010D0. The called function is not explicitly exported.
Figure 52. Check and modification of executable module in log.dll
A similar technique has been previously described by ESET in the context of Winnti attacks on universities in Hong Kong. ShadowPad malware was used as the payload in these attacks.
In our case, the code run afterwards had been obfuscated with a new approach: all functions are split into separate instructions that are shuffled among one another. Jumps between instructions occur by means of calls to a special function (rel_jmp), which emulates the jmp instruction. The offset of the jump target is written immediately after the call instruction (see the following figure).
Figure 53. Structure of obfuscated code
In addition, to obfuscate the control flow, conditional jumps that are never taken are included as well:
cmp esp, 3181h
jb loc_1000BCA9
The obfuscated code is the loader for the subsequent shellcode, which is encrypted in the file log.dll.dat. After decryption, the file is deleted and the shellcode is re-encrypted, saved in the registry, and run. When log.exe is launched subsequently, the shellcode is loaded from the registry.
The data is stored under a registry path resembling the following: (HKLM|HKCU)\Software\Classes\CLSID\{%8.8x-%4.4x-%4.4x-%8.8x%8.8x}, in the key %8.8X. The values inserted into the format strings are generated from the TimeDateStamp in the PE header of log.dll, and therefore are always identical for any given copy of the library. In our case, they equal {56a36bd2-5e2b-20b0-96f2cb9bb3f43475} and EB5D1182, respectively.
The payload is ShadowPad shellcode that has been obfuscated with the same rel_jmp and fake-jb techniques.
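The registry storage just described leaves a hunt-able artifact: the loader's format string produces a key name whose last group is 16 hex digits ({8-4-4-16}), whereas a genuine COM CLSID is {8-4-4-4-12}. The Go function below, added here as an example and not taken from the report or the malware, checks a list of registry entries for that shape and reports an exact match of both the key and the %8.8X name separately. The RegEntry record is a hypothetical stand-in for whatever a hive parser or reg query export provides, the sample entries other than the pair the report observed are constructed, and treating %8.8X as the name stored directly under the key is an assumption.

```go
package main

import (
	"regexp"
	"strings"
)

// RegEntry is a constructed stand-in for one registry entry as a hive parser
// or `reg query` export might present it (hypothetical shape, not a real API).
type RegEntry struct {
	Hive string // "HKLM" or "HKCU"
	Key  string // subkey path below the hive
	Name string // name of the value (or subkey) stored under Key
}

var (
	// Canonical GUID shape: 8-4-4-4-12 hex groups.
	canonicalGUID = regexp.MustCompile(`^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$`)
	// Loader's storage key from the report: {%8.8x-%4.4x-%4.4x-%8.8x%8.8x}, i.e. 8-4-4-16.
	loaderGUID = regexp.MustCompile(`^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{16}\}$`)
	// Name under that key from the report: %8.8X (eight uppercase hex digits).
	loaderName = regexp.MustCompile(`^[0-9A-F]{8}$`)
)

// clsidSubkey returns the component directly under Software\Classes\CLSID,
// or "" when the path is elsewhere or nested deeper.
func clsidSubkey(key string) string {
	parts := strings.Split(strings.Trim(key, `\`), `\`)
	if len(parts) != 4 || !strings.EqualFold(parts[0], "Software") ||
		!strings.EqualFold(parts[1], "Classes") || !strings.EqualFold(parts[2], "CLSID") {
		return ""
	}
	return parts[3]
}

// Finding pairs an entry with the reason it was flagged.
type Finding struct {
	Entry  RegEntry
	Reason string
}

// ScanCLSID flags entries directly under Software\Classes\CLSID whose key name
// is not a well-formed GUID. The report's loader format yields 8-4-4-16 groups,
// which no legitimate COM registration produces, so the shape itself is a signal;
// an exact match of both key and name patterns is reported separately.
func ScanCLSID(entries []RegEntry) []Finding {
	var out []Finding
	for _, e := range entries {
		sub := clsidSubkey(e.Key)
		if sub == "" || canonicalGUID.MatchString(sub) {
			continue
		}
		reason := "non-canonical GUID under CLSID"
		if loaderGUID.MatchString(sub) && loaderName.MatchString(e.Name) {
			reason = "matches ShadowPad loader storage pattern {%8.8x-%4.4x-%4.4x-%8.8x%8.8x}\\%8.8X"
		}
		out = append(out, Finding{e, reason})
	}
	return out
}

// sampleEntries is constructed input, not real telemetry. The first entry
// reproduces the key and name the report observed; the second is the real
// ShellLink CLSID as a benign control; the rest are made-up noise.
var sampleEntries = []RegEntry{
	{"HKCU", `Software\Classes\CLSID\{56a36bd2-5e2b-20b0-96f2cb9bb3f43475}`, "EB5D1182"},
	{"HKLM", `Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}`, "InprocServer32"},
	{"HKLM", `Software\Classes\CLSID\{deadbeef-0000}`, "Data"},
	{"HKCU", `Software\Microsoft\Windows\CurrentVersion\Run`, "WMSVC"},
	{"HKCU", `Software\Classes\CLSID\{56a36bd2-5e2b-20b0-96f2cb9bb3f43475}\sub`, "x"},
}
```

Because the GUID and name are derived from the DLL's TimeDateStamp, the specific values above identify only this copy of log.dll; the shape check is what generalizes across copies, and it is cheap enough to run over both the HKLM and HKCU hives of every host in a fleet.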
The following strings are contained in its encrypted configuration:
6/30/2020 1:25:52 PM
ccc
%ProgramData%\
msdn.exe
log.dll
log.dll.dat
WMNetworkSvc
WMNetworkSvc
WMNetworkSvc
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WMSVC
%ProgramFiles%\Windows Media Player\wmplayer.exe
%windir%\system32\svchost.exe
%windir%\system32\winlogon.exe
%windir%\explorer.exe
TCP://cigy2jft92.kasprsky.info:443
UDP://cigy2jft92.kasprsky.info:53
SOCKS4
SOCKS4
SOCKS5
SOCKS5
They include the likely date of module assembly (June 6, 2020), the name of the service used by the malware to gain persistence on the system (WMNetworkSvc), the names of processes into which shellcode can be injected, and the C2 domain cigy2jft92.kasprsky[.]info.
As we wrote earlier, the domain kasprsky[.]info has also been used by the attackers for a FunnySwitch C2 server. Investigation of subdomains and IP addresses yields another second-level domain, livehost[.]live, whose subdomain d89o0gm35t.livehost[.]live is indicated as a C2 server in one copy of Crosswalk (86100e3efa14a6805a33b2ed24234ac73e094c84cf4282426192607fb8810961). Moreover, all samples of these backdoors were signed with the stolen Zealot Digital certificate and were likely used together as part of a single campaign.
This is not the only example of a connection between the Crosswalk and ShadowPad network infrastructures. Two Crosswalk C2 servers we found, 103.248.21[.]134 and 103.248.21[.]179, contained an SSL certificate with the SHA-1 value b1d749a8883ac9860c45986e2ffe370feb3d9ab6.
The same certificate was noted at IP address 103.4.29[.]167, which via the domain update.ilastname[.]com was used as a C2 server for another copy of ShadowPad (37be65842e3fc72a5ceccdc3d7784a96d3ca6c693d84ed99501f303637f9301a).
Figure 54. Fragment of ShadowPad and PlugX infrastructure

7. PlugX

The SSL certificate pointed us to another C2 server, with the domain ns.mircosoftbox[.]com.
We found that this C2 server is used by an interesting copy of the PlugX backdoor. Its core is typical of PlugX, being an SFX archive (ccdb8e0162796efe19128c0bac78478fd1ff2dc3382aed0c19b0f4bd99a31efc) that contains the library mapistub.dll, which is loaded by a legitimate executable.
Figure 55. PlugX SFX archive
But mapistub.dll is only a downloader. Google Docs is used to store the payload: the library sends a request to export a certain document in .txt format, Base64-decodes it into shellcode, and runs it.
Figure 56. Loading and running shellcode in mapistub.dll
The shellcode has been obfuscated with junk instructions and inverted conditional jumps (combinations of jle/jg and the like). Its job is to decrypt and run the next stage, which is responsible for reflective loading of the main PlugX component and passing it the structure with the configuration.
Figure 57.
Obfuscated shellcode from Google Docs
This process and what a similar sample does after that are described in more detail in a report from Dr.Web (QuickHeal shellcode and BackDoor.PlugX.28).
Besides the C2 servers in the configuration file, 103.79.76[.]205 and ns.mircosoftbox[.]com, in our case the attackers also used a technique typical of PlugX for obtaining a C2 server from a specified URL. The C2 address is encoded in the page body between the DZKS and DZJS markers.
Again, the address of a Google Docs document is used as the URL.
Figure 58. Document with encoded URL
Note that the document is editable without logging in. But when we accessed it for the first time, it contained the IP address 107.174.45[.]134, which is related to the domain dc-d68d34331440.mircosoftbox[.]com and, apparently, had been put in place by the attackers.
A similar technique has been used by Winnti in the past: according to Trend Micro, an encoded C2 address was stored in GitHub repositories in 2017.

7.1 Paranoid PlugX

We were able to detect an additional copy of PlugX that contained shellcode fully identical to that downloaded from Google Docs, except for the encrypted configuration.
It, too, is an SFX archive (94ea23e7f53cb9111dd61fe1a1cbb79b8bbabd2d37ed6bfa67ba2a437cfd5e92) but with different files inside.
Figure 59. Contents of the SFX archive
When unpacked, the archive runs the script 1.vbs, which in turn passes control to a.bat.
Figure 60. Contents of a.bat
The main payload is in the file image.jpg, which is actually a specially crafted .NET assembly. The assembly is launched with the help of InstallUtil.exe from .NET Framework, enabling it to bypass application allowlist restrictions.
Figure 61.
Running shellcode in image.jpg
The purpose of image.jpg is to run the same PlugX shellcode with the help of CreateThread.
Its configuration contains two C2 servers: update.upgradsource[.]com and ns.upgradsource[.]com.
The domain upgradsource[.]com is mentioned in a Unit42 report on a group of similar samples named "Paranoid PlugX." They received this name due to the presence of a script for wiping traces of the malware from the system. Comparing the sample we found to those described in that report, we conclude with strong confidence that it belongs to the same group. Among other reasons, the structure of the .NET Wrapper module in image.jpg, and much of the cleanup script a.bat, is nearly identical.
According to Unit42, the main targets of Paranoid PlugX attacks were gaming companies, which are known to be a typical area of interest for Winnti. Investigation of the network infrastructure provides yet another piece of confirmation of the relationship between Paranoid PlugX and Winnti.
As of late 2017, update.upgradsource[.]com resolved to the IP address 121.170.185[.]183. Later, update.byeserver[.]com and update.serverbye[.]com resolved to this address as well. The second-level domains byeserver[.]com and serverbye[.]com, in turn, are listed by FireEye in its report on APT41.

8. Conclusion

Winnti has an extensive arsenal of malware, as can be seen from the group's attacks. Winnti uses both widely available tools (Metasploit, Cobalt Strike, PlugX) and custom-developed ones, which are constantly increasing in number. By May 2020, the group had started to use its new backdoor, FunnySwitch, which possesses unusual message relay functionality.
One distinguishing trait of the group's backdoors is support for multiple transport protocols for connecting to C2 servers, which complicates efforts to detect malicious traffic.
Malicious files of varying complexity are used to install the payload, from primitive RAR and SFX-RAR files to reuse of malware from other groups and multistage threats with vulnerability exploits and non-trivial shellcode loaders. But the payload may be one and the same in all these cases. Most likely, the choice is dictated by the precision (or lack thereof) of an attack: unique infection chains and highly attractive bait are held back for targeted attacks.
Winnti continues to pursue game developers and publishers in Russia and elsewhere. Small studios tend to neglect information security, making them a tempting target. Attacks on software developers are especially dangerous for the risk they pose to end users, as already happened in the well-known cases of CCleaner and ASUS. By ensuring timely detection and investigation of breaches, companies can avoid becoming victims of such a scenario.

9. PT products detection names

9.1 PT Sandbox

Trojan-Dropper.Win32.Higaisa.a
Backdoor.Win32.CobaltStrike.a
Trojan-Dropper.Win32.Winnti.a
Trojan-Dropper.Win32.Winnti.b
Trojan-Dropper.Win32.Shadowpad.a
Backdoor.Win32.Shadowpad.c
Backdoor.Win32.FunnySwitch.a

9.2 PT Network Attack Discovery

REMOTE [PTsecurity] Crosswalk
sid: 10006001;10006002;10006003;10006004;
SHELL [PTsecurity] Metasploit/Meterpreter
sid: 10003751;10003753;10003754;10003755;10006172;10002588;
REMOTE [PTsecurity] Cobalt Strike Beacon Observed
sid: 10000748;10005757;
REMOTE [PTsecurity] Cobalt Strike (jquery profile)
sid: 10005754;
REMOTE [PTsecurity] FunnySwitch
sid: 11004815;1004814;11004813;11004812;
SPYWARE [PTsecurity] ShadowPad
sid: 10005851;10005852;10005854;
REMOTE [PTsecurity] PlugX
sid:
10001390;10001391;10002946;10004422;10004426;10004472;10004473;10004515;10004532;10005968;\r\n10. Applications\r\n10.1 Known names of files from which PL shellcode may be loaded\r\nC_99401.NLS\r\nDriverStatics.ax\r\nDrtmAuth005.bin\r\nDrtmAuth13.bin\r\nFINTCACHE.DAT\r\nSEService.dat\r\nTheme.re\r\nWspTst.xsl\r\ncbdhsvcs.bin\r\nchrome_proxy.dll\r\nconfig.ini\r\nlocalsvc.ax\r\nlog.txt\r\nmsdsm.tlb\r\nnormnfa.nls\r\nnormnfw.nls\r\nservices.bin\r\nsoundsvc.sys\r\nstoresync.dat\r\nstoresyncsvc.ini\r\nsvchosl.bin\r\nsvchost.bin\r\nwbemcomn64.sys\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2\r\nPage 31 of 39\n\nwbemcomna.dat\r\nwinness.exe.config\r\nwinupdate.txt\r\n10.2 IOCs\r\nFile indicators\r\nLNK file attacks\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 9b638f77634f535e52527d43ad850133788bfb0c c657e04141252e\r\n0deb252a5048c3371358618750813e947458c77e651c729b9d51363f3d16b583 f50b624ba6eb9d3947f22cf7f95a6f70b7c463d3 a140420e12b68c\r\n8e6945ae06dd849b9db0c2983bca82de1dddbf79afb371aa88da71c19c44c996 5b8e644acc097f7123172d96a3a45bd398661064 93ffd591948223\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 d500cec0ce5358751f3371b69a4a9bc402df8af4 45278d4ad4e0f4\r\nbcfff6c0d72a8041a37fe3cc5c0233ac4ef8c3b7c3c6bca70d2fcfaed4c5325e 1a33f41d054a2ed2d395b19852583daddd056bb4 177e37ec8d07d6\r\n35a1ff5b9ad3f46222861818e3bb8a2323e20605d15d4fe395e1d16f48189530 0a462e8e3b153e249507b1652d9f6180463e7027 17548fb49ef598\r\nbeaa2c8dcf9fbf70358a8cf71b2acee95146dba79ba37943a939a2145b83b32e acf5f997a16937072a2a72f1ba7704f9703ea27c e5809996b6126a\r\ndca8fcb7879cf4718de0ee61a88425fca9dfa9883be187bae3534076f835a54d db6333f84538a21466e5ffe3c7102e0543cec167 d53daa634260ed\r\n4733d1204b06dc95178e83834af61934a423534e1d4edd402b37e226f0f2727f dba010496a7be2e5de1f923ffdfc19bf345b650b 9776f04d9c254a\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 
281c1b196cd992906d8583e64011dc28d9c52e3c 4a4a223893c67b\r\nd4df4b58ee241e276ea03235445c04d1a28e48ec8b6e2599a56f6c4b8af3269b 7b6b01e9f726ab0b5f94cd68687d4787008cd7f5 4dcd2e0287e029\r\nd064f675765f54ee80392fcfb5d136cd2407d06d0ea8cd7d8632d1a2b24c0439 8b8b1219581555f2d9747b289d57c3e0e274fd07 260eae2912475e\r\n32705d3d9f7058e688b471e896dce505b3c6543218be28bbac85f6abbc09b791 289b5017f5ee8c915f755b1c7eefffbfb3d2d799 28bfed8776c078\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b 0f1f2431ecccb980f7d93b9af52139d0d508510f 997ab0b59d865c\r\n4e5e3762c850536aac6add3a5ac66f54cbd15c37bd8fc72d3ade9dd5e17f420b 21a5bcd916bc61585cfe1d5656240237e24157b9 07254dbd369ba1\r\n2d182910dade1237f1dd398d1e7af0d6eca3a74a6614089a3af671486420fb2b 0261490fb7f88cc3e9db6aa3fd185d03d7646864 f6886709564630\r\nShellcode injectors\r\nPayload: Crosswalk\r\n0046df35f66a3b076d9206412be2f1f7ea4641d96574e7b58578c0c0995d1feb b73fcfc423d1bdb4649440689ff4894639b3bd0e 9697d60b744a14b\r\n325430384d642ab2a902fb0e268e85808b6cbf87506ccdc314e116e7d1b8239e 0f2a5bbe03c5b3422609b78ca90fb7f06bfd966b eee464e5ded3f4e3\r\n9e27f110fc824d8b85855538c3320e8ea436e82737d686fcecb512b6f872e172 4481c4b0cf2207099c7b5979a6e81a2923d6c698 254ace03b179c65\r\nbec68bcaa80bb00274ef7066ddc8de1b289fb5f8b8e8573f3a961664f41da9d7 cc24843afd627ced74a1d713328078a23db81e54 914151fa49be06a\r\n3454d87b2ce0eab44c07774c7b56318710f9a63626d6d2aaf898922178bf2792 e6cd7a9f5b421b80b50e5809c35732c427c6b6d8 fbfeecea5a8c752c\r\n1e29e07b404836c82cd9b75e44a3169195a335dc494ba27f744f6605666c26aa a1e0ce3c384945fdde841d91d069505879587217 d19c5c55733244f\r\n3a9bbf4ee872904e729466aa50d570b43451b0945a41b5d9d114f8c24683c21e 5d1bada317d596f3dec5b86e4e42639b2f5f71ac 6d967f275beb385\r\nfaca607b43551044fda3c799ce7e9ce61004100544eeb196734972303f57f2ae 159a5ca55d7c62d0167740f8f5310e18e03a8fd3 4518f25c6307ef6\r\n86100e3efa14a6805a33b2ed24234ac73e094c84cf4282426192607fb8810961 604c5f42eeb015016b35ec1c9019812afc400f5b 7078450715c1030\r\nPayload: 
Metasploit\r\n0ad8ee3fe6d45626b28c0051c4c4f83358a03096ad06fc7135621293e95c75ae e8fcd7ca491bffc4838bf9eb6a7aec3f7e4acdc2 a752d48a4433eb2\r\n75d573d1e788590195012a1965cfcaa911c566aee88331b7718ddc638028c175 ca66a779a5b720e5f73e91561bd3434db691e13b 2867ca5c273fbb1\r\n8c962ddbb515e73ecfc5df9db35a54c8c9d15713a04425298f2d89308e2a47bf ce1cb0050662e541e72a24c6a969fa7b51084a60 2555677876b50a\r\nfb23c7fc2e5e8ae33942734c453961da9ed4659368d19180a8f1ecb3b9b8e853 d03a5b322f3748c9019ca24dd1943507d591165e 9a026082cb80cdb\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2\r\nPage 32 of 39\n\n012d8d787c6e7a5f3dbe1e9cce7c5da166537a819221e210ef4d108f1a0a24b3 d913285f75a3a1a4f2a6e0f66bfda8efc71fc669 d8ff9eb55823717\r\n420dc77afe28003f14dfe6c09fbf8194ead8a6e8222b6ab126e7ee9bf4b63fd4 ebafff5ff0517ea5c2c783ab7d0cffded468bf4f c024b658471a27e\r\na02258fcb3694893b900f10f0f9bb1d0d522ed098b1cc8eab59f2f70209b3a0b 9bdd1af6fc74a8a3c2ff0e3bf1378ff290cdb35e bb4155a5add9446\r\nf54cf6d9a5d77a89c4a2d47b02736d746764319e02ad224019db8de78842334a 8413380c19f348ef08051b2d6d8b39598bb05f68 cdddd08982ca2dd\r\nSelf-contained PL shellcode loaders\r\nPayload: Crosswalk\r\n5841a4302fcbd63f66fc2afd41f8671744454aaa7e1ed834e935bfdb007a9a83 3d0b40b2a6fc691f702237ba5682335e7e74e649 a8bb1d69fb8a9d3\r\ne0b675302efc8c94e94b400a67bc627889bfdebb4f4dffdd68fdbc61d4cd03ae 4db6e492a9ef89e116f4da19f97d69cb82e08661 2dc960eb4691a14\r\ne398290469966aff01a9e138d45c4655790d7a641950e675785d0a2ab93e7d28 1e494e1cf8df105d95d0e0bb4879223030c48a0c 42a5908ff9b65d3\r\n8add31b6a2828e0d0a5b3ac225f6063f2c67c56036ff3f5099a9ee446459012a 5c11f70345d984391d041b604adfe5bfb5134755 5e3ef894b490d1c\r\na4b2a737badef32831cbf05bfaa65b5121ddb41463177f4ac0dbc354b3b451d4 8c549d16dc97072f16e4a3114fbd7d47f8bc9726 1bc1df4b946e83f\r\n2fdef9d8896705f468f66eb8c20e5892d161c1d98ab5962aa231326546e25056 7b465b1e0d7be4d84e06a115fd55b97207de768c 221db0f664ea781\r\nPayload: 
Metasploit\r\na7df8143a36638de40233b141919d767678b45bf5467e948a637eaafb2820550 be39c3022218ccb3abcfc6c906359b76571f4241 dc758b9ecca41f7f\r\n283302c43466bdc6524a1e58a0ff9cc223ab8f540a1b0248d1fcffe81b87d5d6 b2bb31ea3b4abaf3f3edbff405e23f2ce442dfe0 3839d37a6a7a29a\r\nb447a7bb633f682058d4b9df5caabbe8c794f087b80bf598d6741a255e925078 3c523a969cc4c273ae27fef32630701516b08873 63584677683b5fb\r\n01c8cc07a83ffd7ac9ee008685eb360c9934919e86847c50c8843807b9d9c196 37ec3d5be7b535a8a31001815ab275a489e302f5 d92db6b734b1db3\r\n21dd261e5fe46b86833cd69b299ae5ee5f24da3d4e87de509eddda4d2f63d591 11e86ee44e7c3592c97f7191746e170b62f724bb c8f1aff87d12e0e5\r\nPayload: Cobalt Strike BEACON\r\nba03feb351825029426e84c2f74e314f27b56714a082759650a455dfb1a946eb 8890155c88c690faaf900d1e63998756809273d0 cbccba5f774642c\r\n06210a1f9bc48128e050df0884f9759e4d202bd103aa78e6b6eb3cec1a58cdb5 a0128edc037a91ce127291edd9d950e7661dd764 64071aaa193ab1\r\n0d6a5183b903b1013367b9a319f21a7a3b7798d9565a0deee52951f62a708227 2d35c342d8fc6f5d018937491e246da2ab293d43 b8b43c4c4207b1\r\n1bd0f0fbd7df99c41e057f6d6c7107812ef1370609ad215a92227ca79ce6df70 7dcb0d7300aa54ef77eb3347e6204b31d4b9c6db 4922247f9b8334\r\n29233eab65960c2da4962e343a3adab768673012d074db35ebc2abe2142ee73c 1d3dc9bb7acfe8416ac5ab51f24b6648b91eb305 cb682ec885f353b\r\n79fbb45d0041933dce16325b87b969db12b7a8dedc918929615104835badc80f b13d58f1d24cf5e10a7013f4aeac22e974c74315 407990337eac65\r\n8f0538a18c944e2a98f1415d5528a0dab4367cd8689f598ab2da266c36403252 483c49349d29e11e0d195864e372a210ce5ce856 7e8ebe133a530ea\r\n025e053e329f7e5e930cc5aa8492a76e6bc61d5769aa614ec66088943bf77596 e63646f0089ce3a224d68029eecff72ef0259609 f9fa912e498f20c\r\nd30dd7d82059dc34e72c3131dd7ea87f427cabe7225bbf59aa69e01cd761a1fe 8be2fccba22fdca0e453855c7428e709186f3e0d c839ae523f04e78\r\n81ab37ae3abce3feabdefde6a008dec322e0168ce4f0456ee737135025399400 98d6dffb7e51170a02546eeb07c80f2592d10293 5ed49962d13dcd\r\nb55812f35735e4fb601575072f1b314508b2dafdcb65aa6c1245a2e1f9d80bdd 
6986b924c58aa90a9e413d9942c25a1419d9aa0e f88416bc9ffcb63\r\nfc5c9c93781fbbac25d185ec8f920170503ec1eddfc623d2285a05d05d5552dc 0902e3c41fb8e0dffc322e6a562f04588b7522a3 6817b7a5d1542e\r\nd879b6cac6026a5418df4bf15296890507dbaec5abe56dafda54266975488cf2 11c987cdafec8ea02a77a03d4c979f743138b39a b02057f05f57f3a\r\n6e7052562db5f23c2740e9d094aae2316f77866b366eb4ef59c157e112172206 7fd0d64f54a54aabd04136e4111e2d8a22884324 dda83ca52a9d9db\r\n9afb78e9be08041f849563c4fd2777a373ffc76c3eccd638b1f6f846b847b968 2b47e9c8946536decba6066f9a57a85f143465c5 482d1c1e2044b0\r\n8b515bf88b3f7ac77861fdea61f82fb0c941bc5569922cadca254a79a744ae99 e46490394ddc66548067ba540d13fb3cf363c596 2a189598113d43\r\nf91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c 0b83939510bd31939c91370c53fab25aa286ba08 5909983db4d902\r\n3d38dfd588fc98de099201fe9f52feb29bb401fc623d6fe03eb8f0c959ffc731 af76d1d293e3e8fe7ad428ca6fe47e68c858587b 284dcb880e68d6\r\n6a10027dd99f124cd9d2682b6e7b0841d070607ea22a446f3c40c0b9f9725bed f2751dbfe822907ecb69b83e461b48183a485355 0d69dae8f83f09b\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2\r\nPage 33 of 39\n\n71a965d54c4b60f7ae4a5e46394bfca013d06e888ec64f06d5ec3d8a21eccb55 4b51a8233991d4255fc05d9bbfc242f779b1d31d 5e61778a1e6606\r\n5347c5bbfaec8877c3b909ff80cda82f505c3ef6384a9ecf040c821fc7829736 1530993376416274d04907ff6369a3012694bfa9 62d6fb0f33d0411\r\nde648c21b4fae290855fdf0cd63d9e6807ced0577bdcf5ff50147ba44bf30251 3a0c2aee518b7c003e5eb8aa7094d536b8bf1a94 dbd6a052331365\r\n7ed5cbeb6c732aa492762381033ff06d0c29f1c731530d4d27704822141a074a 2d0bb1fc0213e4fca5c3b485caaf964dd2da7981 05e1247ff02d50a\r\ne886caba3fea000a7de8948c4de0f9b5857f0baef6cf905a2c53641dbbc0277c 6b92e6d594fd6e26f9e910f10f388c43017303b2 48bda0c5e53b6d\r\nExternal PL shellcode loaders\r\n0041b28d1f076e196af761a536aa800ebe2fcaea9084a8e17d2a43c43765efdd 0cb8ed29268ec9848ff1c7f25f28b620271e61c9 
13171147762009\r\n0756216ea3fea5b394e2fa86e90a75f05c3da2b4b47d61110559bd28f51da8e6 7a1c5e1799bdeebb01527f54a7fd89d0b720dea7 53e2c1eb6b87e9\r\n34aeaa89aab983318ed8f6da32556faf3057a92dc045fac1f960f3aaad3a1ba1 a42e6dc7f248794e91e4ec251c2c96164215b7be f02a87562ffdd7a\r\n40101054d18eb50b65c2ce32b00352d2486008f67c63baec5ef93cac9d5c81ed 11d7145b85fea84aed35c60857560a66dbff5a27 e5271b41cf32892\r\n4665280d4b34c5388edeb51a6d5e808d2942c364017a42d3f1fac186b21eb571 09a3fb96edbd5e143ba3b579cb2c09d0dd9469eb da220930ac3e45\r\n46f03ddf74c47960a3731de18f123b2110153ed668f9bf6ed3badd7fd099ccb6 90c104dadb5c21b4fca644b37f7043fef7e72d2b 71b250a873a070\r\n4f2d8c437d32dc075074f01d10698f6d4dfc4d4bd8a595dabaa2519c6a025c8e e629fda195636d99ac587b354b5c6fc228d65d81 8b2e72f2b13c63a\r\n655c21fc31967282d8517b3c845f775cd0a80595f90c5c85b6027110532a1cf9 5fa5593b52cfc866c51f55e9a56b1adcc9db01d1 318b3661ec5929\r\n8f8ee8d2bc6c559a0a09ce3958727dee2f30880c615b2788d757917ca55d43ef b769c9c708f59be0a0d68ddf3076c9d9037b6c27 1d6def7a4bed4a8\r\n8fb8134bf40ad6bddd60ea77b78c30dab72c736bf29172f89d03505b80c3ae8d 9a17591711383d96f7cc421a71d5d394e322189a 7af8c2055a608c9\r\n9bf32bf4a4bc1d13bddaa6402595ad76d2d9fcc91a988313f13ed990ccb1c4c1 68ae7f3d2cb22c70232a35ed59f6fed70fe0f3be fb2ac5049bdee8d\r\n9c3280bc1ebc239de86523a7046b45e9bb7ce7a40a869dda6ea92fcee727366a cf90d0b4ac09dc97f675fb3cfbc8eba89db211e8 bb6b9a60c3b406\r\nbfe2673b02c54be9093cff8fd564b630109175c608f07d94e4a2ac65028a6eae 59c4f47b1135f21a8814c8a838277f4cfa46f2e5 fcceb7a3bc3b0c4\r\nc93999f7622caf63cbcfb26966ff11719a4e26bca7d90a843461f44a3c982a30 0a8fbc71a936d2e7f2830fae3d57a2f1e8e43266 36fe1e0db5e74ed\r\nd0686f44fb7e77ce0f68cc91c4cef12dbd691bb99b0b7be77103b7b17eec3753 0b09ac7691cb9b8b7b5a2e453984bc75edbc8aeb b5605f71d18cc25\r\nd6a05e20da5012c0cfc491b0044f7fded9322f5bbc664092c4b481709c3472e0 735e97688a70d24d922cf9a3951c5e23a91cbcb1 4a89eb933fa87d8\r\ne7f5a30d4bf7915cc97374e0f6a29573d4640961166b5c9b942030e8c10949d8 c224763846f8f61442e893cb8e9070ce67be5dc8 
63c1b74c829ee3\r\ne935699b31707ecf9e006940f31f09514688cb45e078a66724603ee7fadf84db 5ba9f7cd51e8eac88f870e340c8262683d92563d 99b86e64d76d21\r\nf36a0b99973a837d5e4d542edd739df7cac10e207be538d47a106c4edf7cff54 fde9357e8d6a3336dbd82d2e22dbc0772640f63f 0133bd3f267887\r\nf69c6e8fe1188a461bfe249ba7afefbd7a787fcd0777c008f9580f6976118898 d3d4c7cf257f9fe97bdf31a4b0e3f66726fb1b6f 3d09dee9bc20abf\r\nfad80dc36a59d1cc67f3c4f5deb2650ca7f5abac43858bf38b46f60d6bb4b196 119b92462a91f9cc8b24dfbd84fb88ef47ecab97 247c48b8758a9e\r\n0187d3fae2dfc1629e766d5df38bdabf5effcb4746befceb1aaf283e9fe063a1 648594c25aebf3865c35ce6057e36b42e9e3be31 dbc30db0ed5ba1\r\n45d175f3c1cb6067f60ea90661524124102f872830a78968f46187d6bc28f70d 418fab494383e2ae0d94900344853cc0bc6d5385 337171764c99b7\r\nca0f235b67506ed5882fe4b520fd007f59c0970a115a61105a560b502745ac6a 1c265ed6b5875a619a427db1663f48fe7db01d88 2a3e63fdbcbbad9\r\nabac7a72b425ff38f8a7d8b66178da519525dc2137ca8904b42301fb46a8983e d9b692d84bdc134f90b54ac2a30f6832d70e730b 211db7515faa09a\r\n645b14df1bd5e294ec194784bc2bd13e0b65dac33897c9b63ad9ed35ec6df3a8 6d3643bfdd1bd85cfdfe4b05eaf2939bbf4b22f0 359f5615dcf2f75\r\n6b4b9cf828f419298cd7fda95db28c53fc53627124224d87d2ad060185767957 59208d32dd7440bbe4142882b8ad1ac033f08918 bae0fc6f570ca12\r\n7fd19347519ec15ab8dbce66722b28a917b87ad034282ef90851e1b994463644 c4467556640ad45fb8e56d1fb95c93e57b209924 086186c935a68e\r\n8308e54055b45eb63dc6c4c6a4112310a45dec041c1be7deb55bec548617136f c44934f47c98c7cde7ba5978ca315a5e9099d0c8 cf13bdefb622fc9\r\nadf52650ce698e17d5ff130bc975a82b47c6c175ad929083d757ec0fe7c4b205 bed84d4ef7bd8c5fb683eab51d849c891328b4d4 08393f7d6e0ee2b\r\nfb707094673a48408f9ba5240019cb502b9367fb380bb1734e0243e90b9399c3 e452227d134fe14df3ca35cd2abf7f1e922aa5d6 d761c07911138e\r\n4da733bbf7d585ee5b5a58c0ad77047ce640a4512a84502ad5ae9240ee2fcdb0 ff362a3d5d873f8fd0f7c2f150582dab9251cf2c 5eab890242e8b8\r\nbef3f87c6582813e23b0c8c8db9ca9ed65bc802445187378f4e62a7246133ae2 27e4115041c059dce22322e0242002353ab14814 
6d33db967323d8\r\nb83534071bbcacc175449faadbb1d6b0852fe58521da0fefd5398a4a9b1fb884 26ca2262f31dcc1fd6ad56f1f371a363163ba7f2 d12013fb90a608\r\nadf52650ce698e17d5ff130bc975a82b47c6c175ad929083d757ec0fe7c4b205 bed84d4ef7bd8c5fb683eab51d849c891328b4d4 08393f7d6e0ee2b\r\ne4df8634f5f231fae264684e63b3e0c6497b98dd24ba1b0c6f85c156d33a079c e3e7b719fa1bb3fd12bb82592f85c3e4c3b1d7fa 03275b5b1f9d11b\r\nafb5e3f05d2eedf6e0e7447a34ce6fd135a72dad11660cf21bec4178d0edc15b c67ad0bb292ed20dbe9ba980e71d223249632252 38857fb40e06554\r\n1968f29b67920fc59e54eba7852a32f20ecbf3f09481c09ddbee1dedc37f296e b49679280a2c5b01d0126fc835cc29e4fdc5900d 468c5c3f46299c6\r\nbe70b599e8d7272e8debf49e6bf6e5d8d9f1965812f387a9f1e75aa34788a7c7 88282f8c93d61fd0caaec8807448e96f90101901 db394163c7e6e5\r\nPL shellcode: Metasploit\r\nf6085075e906a93a9696d9911577d16e2b5a92bc6b7c514d62992c14d5999205 4a0b8e9a56876c11c667b9ce77b371d2c6d07891 8849cf257c38304\r\nPL shellcode: Cobalt Strike Beacon\r\n43fe07f9adeb32b20e21048e9bb41d01e6b3559d98088ac8cd8ab0fad766b885 30dee2118fc28bb0b2804275c92daf58236824e5 2a2a50ec29f741fa\r\n6867f3d853de5dfe8adbd761576c29ad853611d8d1c7fdd15b07125fd05321f8 7420afe3c0c91442fac0c6df5dd1cfedd76503de 69b9d1fc0edb0a6\r\n0c6c6ba92661c119168a5486faa1af94673bd4d770c13c2b49d7a0651f798857 cb552c22718ca9eaf16792c1ecc583c09f1f19e1 b67ff211420c9f56\r\nbe7ba33fcb2a19bb2d1fe746f49c39fb1b8bd5d9e46d5b6610f8a2ad3f60b248 7849dcf58fbb930a1327635e13e9970d4bdc7121 9a478e85f1aed62\r\nd1a548b9ad6b4468ee3c5f6e1aaaa515021255fb13e45ff34fbff5ad88bf4de2 93404b4005e7ab0e8c9282ced20c16820378792b eff6e2a93e60fe01\r\n9ad808caa0b6a60a584566f3c172280617e36699326e7425356795b221af41dc f3093ae9f6633449c1d4f35804d1166dcbe09ece abb6e606a5fd22a\r\neb9c850b1e8d8842eb900fa78135b518fb69da49c72304b5b3b4b6f4fa639e57 6c34f4f29cb3d8cc8f55a707d255de50caa67e8f 
b80d303171db4a\r\ne10046b86fe821d8208cb0a6824080ea6cd47a92d4f6e22ce7f5c4c0d9605e4b 1cc16e3a6185b790875e3f00b68ec87feddcf93f cd43240098f60c5\r\na783edae435c6fdf55e937b3246b454ed3b85583184b6ffc1b2faba75c9165cf aed326228551a4736012c1921d3be7079541c29e 07377cf8abcabcf4\r\nCHM file attack\r\nb6685eb069bdfeec54c9ac349b6f26fb8ecf7a27f8dfd8fcdb09983c94aed869 db190af369fdc654af39a54c44f37d5e5712fda8 06f945c39870743\r\n5d549155b1a5a9c49497cf34ca0d6d4ca19c06c9996464386fc0ed696bf355a2 7dabbd292f8bb8b600439a9c1b2fa69eeecbcb88 46d3773e0e306b8\r\n02f5cb58a57d807c365edf8df5635263f428b099a38dff7fe7f4436b84efbe71 9c921a278ba4647269b45a5716b47ee47b6de24f e8c21f8f50bc572\r\n3c8049bd7d2c285acc0685d55b73e4339d4d0a755acffad697d5a6806d95bb28 201eac040aa2693042efa7539a88e2676dcf89af e93bdab9e64bcce\r\nfcbd7ab82939b7e0aff38f48a1797ac2efdb3c01c326a2dcf828a500015e0e83 8a503147831499778b2d50f8337677c249c99846 21aa8aa3a92ebca\r\n3c6d304c050607a9b945b9c7e80805fc5d54ced16f3d27aaa42fce6434c92472 1e75cfd3db2cc4b0091e271a7533b828632f399c 951c5f08eef4ef8a\r\n4d3ad3ff281a144d9a0a8ae5680f13e201ce1a6ba70e53a74510f0e41ae6a9e6 9c1d4db37c2d72ac9761dd342feb8a31bc636d6d b22b232381ea46\r\nFunnySwitch\r\n23dfce597a6afef4a1fffd0e7cf89eba31f964f3eabcec1545317efeb25082ed 6dd15c03ffd3762a20b0f51faf31724d5dbf1466 2b0c692d9eafed5\r\n2063fae36db936de23eb728bcf3f8a5572f83645786c2a0a5529c71d8447a9af c1e31f72adba9d5e2801e6766a24eb8d37807e9d 7e1948326ff96a1\r\nfbc56623dd4cdfdc917a9bb0fbe00fa213c656069c7094fe90ba2c355f580670 69b961af528eac458942dc1787f32dc432a328d9 2902f54dbd1f143\r\nfb0fdd18922977263f78becdedddab7a03c8de16a5431c7b4602e5be13110fa3 6e3d0537cd52965e52b06b984155191c41fe0a18 30684061b51971\r\nb45baac2ae9c5fdfbf56131451962826a95d56f641af8ca1b74738c2eb939a76 4f0402e2638831d6259a366cf605eadb8c7fd478 5fcf6562217dd1b\r\nff0527ea2f8545c86b8dfdef624362ed9e6c09d3f8589f873b1e08a895ef9635 ed8cc92b5a04620b01fcc4365e8f2ffe0c49eb30 f5b3106f2ff44bf8\r\n931ea6a2fc0d5b4c5c3cf2cba596a97eaa805981414c9cda4b26c8c47bf914df 
ebb08480d3d94d6d3a8d85894d297db996d57b4f b6953b1d1c7877\r\n568298593d406bd49de42688365fdc16f4a5841198583527a35f6a7d518a6b0e 425e6c8e89f45a8fe57a27d1eacdc850b2286099 bbeca57f7993a34\r\nShadowPad\r\n03b7b511716c074e9f6ef37318638337fd7449897be999505d4a3219572829b4 147529e1a8b00a62fa2371600988b17487260448 a26d2c6f7df4b74\r\n5a151aa75fbfc144cb48595a86e7b0ae0ad18d2630192773ff688ae1f42989b7 ea43dbef69af12404549bc45fda756bfefcb3d88 493698b1d7acfbf\r\n3b70be53fd7421d77f14041046f7484862e63a33ec4b82590d032804b1565d0d ebcb044373550b787553a9b9cd297f4b8c330cd3 652c44a6b5d09b\r\nae000f5cef11468dde774696423ca0186b46e55781a4232f22760a0bfbfb04f0 ee4744c4e74aa9933f3a5c340d9b739f8399b7f2 4001d217c9a77d\r\n5f1a21940be9f78a5782879ad54600bd67bfcd4d32085db7a3e8a88292db26cc f6f6f352fa58d587c644953e4fd1552278827e14 52c28bdb6b1fc4d\r\ne93a9e59ee2c1a18cee75eedcbe968ed552d5c62ec6546c8a1c1f1ae2019844e 1a654b4191a3196353801d37a1de21535eb7a41c eb763c30f69c4f4\r\n1f64194a4e4babe3f176666ffd8ee0d76d856825c19bfcd783aec1bacb74fd05 801b756019c075ef6a20c8219157fe8f92deebc1 791f92ce878c832\r\n531e54c055838f281d19fed674dbc339c13e21c71b6641c23d8333f6277f28c0 6966687463365f08cfb25fd2c47c6e9a27af22b0 4ad23aae3409c3\r\na1fa8cad75c5d999f1b0678fa611009572abf03dd5a836f8f2604108b503b6d2 c1af22e0d0585f6c6a2deab22a784717ee33f36d 882a60c3173e25\r\n37be65842e3fc72a5ceccdc3d7784a96d3ca6c693d84ed99501f303637f9301a 05a2b848965d77fa154ca24fa438b8e5390c21f5 e542c6fabe80af6\r\nPlugX\r\n94ea23e7f53cb9111dd61fe1a1cbb79b8bbabd2d37ed6bfa67ba2a437cfd5e92 14c1e3dd30ef1e22e6ebadd65fb883d3e0354d47 329ecc81b222a79\r\nac5b4378a907949c4edd2b2ca7734173875527e9e8d5b6d69af5aea4b8ed3a69 2293a7510101ccfd83db4bd6429db2f9d406859a d55e9a302203c88\r\ne54b7d31a8dd0fbab1fa81081e54b0b9b07634c13934adaf08b23d2b6a84b89a c40acafac6c1c3ba1d1cf5497bfaf5f682f9884a 
a7542a2dc4dd52b\r\nb59a37f408fcfb8b8e7e001e875629998a570f4a5f652bcbb533ab4d30f243f7 d1cf03da461f81822287465be5942931ac29737d d3ef032a6724278\r\nccdb8e0162796efe19128c0bac78478fd1ff2dc3382aed0c19b0f4bd99a31efc 22bac40e845ec6551396b77e6257f50634993883 7affcfb9857cc14d\r\n4dad1e908604c2faa4ad9d9ef3dcebc3a163e97398d41e5e398788fe8da2305b 7cbaa1757bafa3a6be0793b959feac1ea73d88ff f749aa99a08fdc73\r\n4a89a4d9fa22f42c6d3e51cf8dca0881e34763fe0448b783599bfc00984fd2ee bd31d8bad119b9da702889b44854b054f15e2f47 4489d5077c5d239\r\n18a14cec1abcb9c02c1094271d89f428dec1896924a949ed760d38cd0dea7217 a2e88dfb93c23ba7cd38a820b2e64f14192079c2 8d6737d573ef70b\r\nNetwork Indicators\r\nLNK file attacks\r\nwww.comcleanner[.]info\r\n45.76.6[.]149\r\nhttp://zeplin.atwebpages[.]com/inter.php\r\nhttp://goodhk.azurewebsites[.]net/inter.php\r\nhttp://sixindent.epizy[.]com/inter.php\r\nShellcode injectors\r\n6q4qp9trwi.dnslookup[.]services\r\nd89o0gm34t.livehost[.]live\r\nd89o0gm35t.livehost[.]live\r\n168.106.1[.]1\r\n149.28.152[.]196\r\n207.148.99[.]56\r\n149.28.84[.]98\r\nShellcode loaders\r\nexchange.dumb1[.]com\r\nmicrosoftbooks.dynamic-dns[.]net\r\nmicrosoftdocs.dns05[.]com\r\nns.microsoftdocs.dns05[.]com\r\nns1.dns-dropbox[.]com\r\nns2.dns-dropbox[.]com\r\nns1.microsoftsonline[.]net\r\nns2.microsoftsonline[.]net\r\nns3.mlcrosoft[.]site\r\nonenote.dns05[.]com\r\nservice.dns22[.]ml\r\nupdate.facebookdocs[.]com\r\n104.224.169[.]214\r\n107.182.24[.]70\r\n149.248.8[.]134\r\n149.28.23[.]32\r\n176.122.162[.]149\r\n45.76.75[.]219\r\n66.42.103[.]222\r\n66.42.107[.]133\r\n66.42.48[.]186\r\n66.98.126[.]203\r\nFunnySwitch\r\n7hln9yr3y6.symantecupd[.]com\r\ndb311secsd.kasprsky[.]info\r\ndoc.goog1eweb[.]com\r\nShadowPad\r\ncigy2jft92.kasprsky[.]info\r\nupdate.ilastname[.]com\r\nPlugX\r\nns.mircosoftbox[.]com\r\nns.upgradsource[.]com\r\nupdate.upgradsource[.]com\r\n103.79.76[.]205\r\n107.174.45[.]134\r\n10.3 MITRE\r\nID Name Description\r\nReconnaissance\r\nT1593.001 Search Open Websites/Domains: Social Media\r\nWinnti uses a Twitter account to get game-related information\r\nT1594 Search Victim-Owned Websites\r\nWinnti finds the site of a gaming company and uses information from it to create bait\r\nResource Development\r\nT1583.001 Acquire Infrastructure: Domains\r\nWinnti purchases domain names that resemble those of legitimate services, including the victim's site\r\nT1583.006 Acquire Infrastructure: Web Services\r\nWinnti can use GitHub and Google Docs for C2 updates\r\nT1587.001 Develop Capabilities: Malware\r\nWinnti uses self-developed malware in its attacks\r\nT1587.003 Develop Capabilities: Digital Certificates\r\nWinnti creates self-signed certificates for use in HTTPS C2 traffic\r\nT1588.001 Obtain Capabilities: Malware\r\nWinnti uses PlugX in its attacks\r\nT1588.002 Obtain Capabilities: Tool\r\nWinnti uses Metasploit and Cobalt Strike in its attacks\r\nT1588.003 Obtain Capabilities: Code Signing Certificates\r\nWinnti steals code signing 
certificates from compromised organizations\r\nT1588.005 Obtain Capabilities: Exploits\r\nWinnti uses a public exploit for remote code execution (RCE) by means of a CHM file\r\nInitial Access\r\nT1566.001 Phishing: Spearphishing Attachment\r\nWinnti sends phishing messages with malicious attachments\r\nT1566.002 Phishing: Spearphishing Link\r\nWinnti sends phishing messages with malicious links\r\nExecution\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nWinnti uses cmd.exe and .bat files to run commands\r\nT1059.005 Command and Scripting Interpreter: Visual Basic\r\nWinnti uses VBS files to pass control to subsequent malware stages\r\nT1059.007 Command and Scripting Interpreter: JavaScript/JScript\r\nWinnti uses malicious JScript code in intermediate stages and for the payload\r\nT1203 Exploitation for Client Execution\r\nWinnti exploits RCE in a CHM file by means of an ActiveX object\r\nT1106 Native API\r\nWinnti uses various WinAPI functions to run malicious shellcode in the current process or to inject it into another process\r\nT1204.002 User Execution: Malicious File\r\nWinnti tries to make users run malicious .lnk, .chm, and .exe files\r\nPersistence\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nWinnti persists by means of a registry run key or a startup folder\r\nT1543.003 Create or Modify System Process: Windows Service\r\nWinnti persists on infected machines by creating new services\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nWinnti creates a task with schtasks for persistence\r\nDefense Evasion\r\nT1140 Deobfuscate/Decode Files or Information\r\nTo store shellcode with the payload, Winnti uses a custom PL format with encryption\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading\r\nWinnti uses legitimate utilities to load DLLs from ShadowPad and 
PlugX\r\nT1562.004 Impair Defenses: Disable or Modify System Firewall\r\nFunnySwitch adds allow rules to Windows Firewall for C2 connections\r\nT1070 Indicator Removal on Host\r\nParanoid PlugX deletes artifacts created during infection from the file system and registry\r\nT1202 Indirect Command Execution\r\nWinnti uses intermediate VBS scripts to run .bat files\r\nT1027.002 Obfuscated Files or Information: Software Packing\r\nWinnti can use VMProtect or custom packers for its malware\r\nT1055.002 Process Injection: Portable Executable Injection\r\nWinnti injects shellcode into the processes explorer.exe, winlogon.exe, wmplayer.exe, svchost.exe, and spoolsv.exe\r\nT1218.001 Signed Binary Proxy Execution: Compiled HTML File\r\nWinnti uses CHM files containing malicious code\r\nT1218.004 Signed Binary Proxy Execution: InstallUtil\r\nParanoid PlugX can use InstallUtil to run a malicious .NET assembly\r\nT1553.002 Subvert Trust Controls: Code Signing\r\nWinnti uses stolen certificates to sign its malware\r\nDiscovery\r\nT1082 System Information Discovery\r\nWinnti backdoors collect information about the computer name and OS version and whether it is 32-bit or 64-bit\r\nT1016 System Network Configuration Discovery\r\nWinnti backdoors collect information about the IP and MAC addresses of the infected machine\r\nT1033 System Owner/User Discovery\r\nWinnti backdoors collect information about the name of the current user\r\nCollection\r\nT1119 Automated Collection\r\nWinnti backdoors automatically collect information about the infected machine\r\nCommand and Control\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nWinnti backdoors can use HTTP/HTTPS for C2 connections\r\nT1132.001 Data Encoding: Standard Encoding\r\nWinnti uses 
GZip for compressing FunnySwitch data\r\nT1001.003 Data Obfuscation: Protocol Impersonation\r\nWinnti uses FakeTLS in Crosswalk traffic\r\nT1573.001 Encrypted Channel: Symmetric Cryptography\r\nWinnti uses AES for encrypting traffic in its backdoors\r\nT1008 Fallback Channels\r\nThe Winnti configuration supports indicating multiple C2 servers of various types\r\nT1095 Non-Application Layer Protocol\r\nWinnti backdoors can use TCP and UDP for C2 connections\r\nT1090.001 Proxy: Internal Proxy\r\nFunnySwitch can establish C2 connections via a peer-to-peer network of infected hosts\r\nT1090.002 Proxy: External Proxy\r\nWinnti backdoors support C2 connections via an external HTTP/SOCKS proxy\r\nT1102.001 Web Service: Dead Drop Resolver\r\nWinnti uses Google Docs for updating the C2 address in PlugX\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2\r\n\r\nPL format description (fragment from page 9): starts from 0x60 bytes of the end of the executable: the header, followed by the (encrypted) shellcode. The header always starts with the PL signature. The data length is stored at offset –0x24 from […]. The other header data is used for decryption: a 32-byte key is located at offset 0x28 and a 12-byte nonce for the ChaCha20 algorithm is at offset 0x50.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2"
	],
	"report_names": [
		"#id5-2"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434183,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7bd9bba0b95f2c2137b5ec5d595667c77804378.pdf",
		"text": "https://archive.orkl.eu/a7bd9bba0b95f2c2137b5ec5d595667c77804378.txt",
		"img": "https://archive.orkl.eu/a7bd9bba0b95f2c2137b5ec5d595667c77804378.jpg"
	}
}