MITRE
Alias
Wicked Spider, Winnti Group, Amoeba, APT41, Earth Baku, Wicked Panda, Barium, Blackfly, Pigfish, TG-3279, Bronze Atlas, G0044, Bronze Export, Casper, Bronze Olive, Red Kelpie, G0096, Grayfly, APT 22, TA415, Lead
Country
China
Sponsor
People's Republic of China. State-sponsored.
Motivation
Nil
First Seen
2010
Description
APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.

(Microsoft) Barium begins its attacks by cultivating relationships with potential victims, particularly those working in Business Development or Human Resources, on various social media platforms. Once Barium has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant, notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred. Also see 'APT 41', which overlaps with Barium.

(Microsoft) In the past few years, Lead's victims have included:
- Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics
- Pharmaceutical companies
- A company in the chemical industry
- University faculty specializing in aeronautical engineering and research
- A company involved in the design and manufacture of motor vehicles
- A cybersecurity company focusing on protecting industrial control systems

During these intrusions, Lead's objective was to steal sensitive data, including research materials, process documents, and project plans. Lead also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, Lead's attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack.
Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, Lead gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.

(CrowdStrike) 'Winnti Group, Blackfly, Wicked Panda' refers to the targeted intrusion operations of the actor publicly known as 'Winnti,' whereas Wicked Spider represents this group's financially-motivated criminal activity. Originally, Wicked Spider was observed exploiting a number of gaming companies and stealing code-signing certificates for use in other operations associated with the malware known as Winnti. Now, Winnti is commonly associated with the interests of the government of the People's Republic of China (PRC). Wicked Spider has been observed targeting technology companies in Germany, Indonesia, the Russian Federation, South Korea, Sweden, Thailand, Turkey, the United States, and elsewhere. Notably, Wicked Spider has often targeted gaming companies for their certificates, which can be used in future PRC-based operations to sign malware. Ongoing analysis is still evaluating how these certificates are used: whether Wicked Spider hands the certificates off to other adversaries for use in future campaigns or stockpiles them for its own use.

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including 'APT 41', 'Axiom, Group 72', 'APT 17, Deputy Dog, Elderwood, Sneaky Panda', and 'Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon', are closely linked to or overlap with Winnti Group.
(Trend Micro) The group behind the Winnti malware (which we will call the Winnti group for brevity) sprung up as a band of traditional cyber crooks, comprising black hats whose technical skills were employed to perpetrate financial fraud. Based on the use of domain names they registered, the group started out in the business of fake/rogue anti-virus products in 2007. In 2009, the Winnti group shifted to targeting gaming companies in South Korea using a self-named data- and file-stealing malware. The group, which was primarily motivated by profit, is noted for utilizing self-developed, technically proficient tools for their attacks. They once attacked a game server to illicitly farm in-game currency ('gaming gold', which also has real-world value) and stole source codes of online game projects. The group also engaged in the theft of digital certificates which they then used to sign their malware to make them stealthier. The Winnti group diversified its targets to include enterprises such as those in pharmaceutics and telecommunications. The group has since earned infamy for being involved in malicious activities associated with targeted attacks, such as deploying spear-phishing campaigns and building a backdoor.
Targeted Industries
Media And Entertainment, Travel, Retail, Financial, Services, Media, Telecommunications, Cryptocurrency, Online Video Game Companies, Technology, Government, Intergovernmental, Education, Private Sector, Defense, Pharmaceuticals, Business, Automotive, Energy, High-tech, Healthcare, Aviation
Targeted Countries
Hong Kong, Myanmar, Italy, Turkey, France, Vietnam, Peru, United Kingdom, Philippines, Switzerland, China, Russia, Germany, Taiwan, Brazil, Netherlands, United States, Japan, India, Belarus, Sweden, Thailand, South Africa, Singapore, South Korea, Indonesia
Tools
Winnti
DoublePulsar
Cobalt
Barlaiy
Gh0st
EternalBlue
FunnySwitch
PlugX
TTP
T1105
T1583
T1583.001
T1083
T1057
T1553
T1553.002
T1014
Operations Performed
Nil
Counter Operations
Nil
Information
Nil