WINNKIT is a sophisticated and extremely evasive threat that was discovered as part of the arsenal of the Chinese-backed APT (Advanced Persistent Threat) group Winnti. The Winnti malware acted as the final payload in a multi-stage infection chain used in a cyberespionage campaign that ran for years. Winnti, also tracked as APT41, Barium and Blackfly, managed to infiltrate the internal networks of targets across North America, Europe and Asia.
The hackers are believed to have obtained hundreds of gigabytes of confidential information, including intellectual property and proprietary data, diagrams, blueprints and more. Details of the complete infection chain and the tools used in the operation were revealed in a report published by Cybereason.
WINNKIT takes the form of a driver equipped with rootkit capabilities. A testament to the effectiveness of its stealth and detection-evasion techniques is the fact that it managed to remain undetected for at least 3 years. To bypass the Driver Signature Enforcement (DSE) mechanism present on 64-bit Windows systems from Windows Vista onwards, WINNKIT carries an expired BenQ digital signature.
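A defender-side check that follows from the signature detail above: the script below, added here as an example and not taken from the Cybereason report, lists the kernel drivers currently running on a Windows host and flags any whose Authenticode signature does not validate or whose signing certificate is past its expiry date. It assumes an elevated PowerShell session and uses only built-in cmdlets.

```powershell
# Added defensive check (example code, not from the page or the report):
# enumerate running kernel drivers and report those whose Authenticode
# signature is not valid or whose signer certificate has expired.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$findings = foreach ($d in $drivers) {
    # PathName may be prefixed with \??\ or \SystemRoot\, or be relative to
    # the Windows directory; normalise it to an absolute file path first.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -FilePath $path
    $cert    = $sig.SignerCertificate
    $expired = ($null -ne $cert) -and ($cert.NotAfter -lt (Get-Date))

    # Anything that is not a clean, current signature is worth a second look:
    # a driver running under an invalid signature, or one whose certificate
    # has already lapsed, is exactly what a DSE bypass would leave behind.
    if ($sig.Status -ne 'Valid' -or $expired) {
        [pscustomobject]@{
            Driver   = $d.Name
            Path     = $path
            Status   = $sig.Status
            Signer   = if ($cert) { $cert.Subject } else { '<unsigned>' }
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

$findings | Sort-Object Status, Driver | Format-Table -AutoSize
```

A signature with a trusted timestamp countersignature stays valid after the certificate's NotAfter date, so an expired-but-Valid entry is context for triage rather than an alert on its own; the stronger signal is a running driver whose Status is anything other than Valid.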
Once loaded, WINNKIT hooks into the system's network communication and waits for custom commands from the threat actors. Incoming commands are relayed to the rootkit by the previous-stage malware, known as DEPLOYLOG. Using reflective loading injection, WINNKIT injects malicious modules into the legitimate svchost process while evading detection. The activated modules give the attackers a wide range of intrusive functions: one enables Remote Desktop access to the compromised system, another provides access to the system command line, and there are dedicated modules for manipulating the file system, exfiltrating data and killing chosen processes on the targeted machine.