DEPLOYLOG

A years-long cyberespionage attack campaign carried out by the Chinese-backed APT (Advanced Persistent Threat) group Winnti (also known as APT41, BARIUM and Blackfly) has been brought to light. In a report by researchers, the entire infection chain of the hackers has been revealed to the public. During the threatening operation, Winnti is believed to have been able to obtain vast amounts of confidential information, including blueprints, proprietary data, diagrams and much more. The victims are companies from North America, Europe, and Asia, operating in the technology and manufacturing industries.

According to the report, the final step of the multi-stage infection chain deploys a custom rootkit dubbed WINNKIT. However, the task of deploying, establishing, and activating the rootkit is delegated to a separate malware threat named DEPLOYLOG. It is dropped on the breached systems as a 64-bit DLL file 'dbghelp.dll,' a generic and commonly used name, at C:\Windows\System32\WindowsPowerShell\v1.0 in an attempt to pass as a legitimate file.

The first major task of DEPLOYLOG is to deploy the WINNKIT rootkit. It does so by extracting the final payload from a CLFS log file and decrypting the acquired content. Next, DEPLOYLOG will stop the AMD K8 processor kernel driver service amdk8. This fact could point towards Winnti being focused on compromising AMD-based machines and also having prior knowledge of the internal infrastructure of their victims' networks.
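The two host-side indicators described above (a dbghelp.dll dropped into the WindowsPowerShell\v1.0 directory rather than System32, and the amdk8 service being stopped) can be correlated per host. The following is an added detection example, not code from the report or the malware: the event records are constructed Sysmon-style dicts (FileCreate as event 11, Service Control Manager state change as event 7036) and the field names are this example's own assumption, not a vendor schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Directories where a genuine dbghelp.dll is expected to live.
LEGIT_DBGHELP_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def is_suspicious_dbghelp(path: str) -> bool:
    """dbghelp.dll written anywhere other than its legitimate directories,
    e.g. the WindowsPowerShell\\v1.0 folder DEPLOYLOG is dropped into."""
    p = path.lower()
    return p.endswith("\\dbghelp.dll") and p.rsplit("\\", 1)[0] not in LEGIT_DBGHELP_DIRS

def is_amdk8_stop(event: dict) -> bool:
    """Service Control Manager state change (System log 7036) for amdk8."""
    return (event["event_id"] == 7036 and event.get("service", "").lower() == "amdk8"
            and event.get("state", "").lower() == "stopped")

def hunt(events, window=timedelta(hours=1)):
    """Per host: 'high' when a suspicious dbghelp.dll create and an amdk8 stop
    fall within `window` of each other, 'low' when only one indicator fires."""
    hits = defaultdict(lambda: {"dll": [], "amdk8": []})
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 11 and is_suspicious_dbghelp(ev["target"]):
            hits[ev["host"]]["dll"].append(ts)      # Sysmon-style FileCreate
        elif is_amdk8_stop(ev):
            hits[ev["host"]]["amdk8"].append(ts)
    verdict = {}
    for host, h in hits.items():
        paired = any(abs(a - b) <= window for a in h["dll"] for b in h["amdk8"])
        verdict[host] = "high" if paired else "low"
    return verdict

# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2022-05-04T09:12:00", "event_id": 11,
     "target": r"C:\Windows\System32\WindowsPowerShell\v1.0\dbghelp.dll"},
    {"host": "ws01", "time": "2022-05-04T09:14:30", "event_id": 7036,
     "service": "amdk8", "state": "stopped"},
    {"host": "ws02", "time": "2022-05-04T10:00:00", "event_id": 11,
     "target": r"C:\Windows\System32\dbghelp.dll"},  # legitimate location, ignored
    {"host": "ws03", "time": "2022-05-04T11:00:00", "event_id": 7036,
     "service": "amdk8", "state": "stopped"},        # stop with no DLL drop
]

print(hunt(SAMPLE_EVENTS))  # {'ws01': 'high', 'ws03': 'low'}
```

A lone amdk8 stop is expected on AMD hosts during driver maintenance, which is why only the paired occurrence is rated high.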

The second task of DEPLOYLOG is to act as a user-mode agent on the system. It will try to act as a bridge between the now deployed rootkit and the Command-and-Control (C2, C&C) servers of the operation. The malware will communicate with the C2 servers and obtain data that will then be intercepted by the threatening driver of WINNKIT. Through the agent, the Winnti attackers can load new modules on the infected system, open a CMD shell, drop credential-collecting payload and more.
