Select Page

Cybersecurity researchers have disclosed a series of attacks by a threat actor of Chinese origin that has targeted organizations in Russia and Hong Kong with malware — including a previously undocumented backdoor.

Attributing the campaign to Winnti (or APT41), Positive Technologies dated the first attack to May 12, 2020, when the APT used LNK shortcuts to extract and run the malware payload. A second attack detected on May 30 used a malicious RAR archive file consisting of shortcuts to two bait PDF documents claimed to be a curriculum vitae and an IELTS certificate.


The shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers that are used to fetch the final-stage malware that, in turn, includes a shellcode loader (“svchast.exe”) and a backdoor called Crosswalk (“3t54dE3r.tmp”).

Crosswalk, first documented by FireEye in 2017, is a bare-bones modular backdoor capable of carrying out system reconnaissance and receiving additional modules from an attacker-controlled server as shellcode.

While this modus operandi shares similarities with that of the Korean threat group Higaisa — which was found exploiting LNK files attached in an email to launching attacks on unsuspecting victims in 2020 — the researchers said the use of Crosswalk suggests the involvement of Winnti.

images from Hacker News