In March 2024, the Cyber Emergency Center confirmed a new attack campaign dubbed “RevivalStone” orchestrated by the notorious Chinese-based threat actor group, Winnti Group. This campaign specifically targeted Japanese organizations across the manufacturing, materials, and energy sectors, employing a new variant of Winnti malware with enhanced capabilities. Drawing on insights presented at the Virus Bulletin Conference 2024 (VB2024) and the Threat Analyst Summit (TAS’24) in December 2024, this article dissects the entire scope of the RevivalStone campaign, explores the new features of the Winnti malware used, and outlines detection and countermeasure techniques to fortify defenses against such sophisticated cyber threats.
Winnti Group emerged around 2010 as a threat actor primarily targeting the gaming industry. Over time, its focus has broadened dramatically, and today the group is known for targeting a wide array of organizations involved in handling intellectual property, critical infrastructure, and sensitive information. Operating in parallel realms of cybercrime and espionage, Winnti Group is frequently associated with APT41, a sub-group believed to function as a private contractor on behalf of Chinese state interests. Its activities often align with national strategic objectives, making it a formidable adversary on the global stage.
Overview of the RevivalStone Campaign
The RevivalStone campaign represents a new phase in Winnti Group’s operations, marked by an expanded geographical reach and an evolution in its attack methodology. In this campaign, attackers exploited a SQL injection vulnerability in the ERP systems of target organizations to gain initial access. Once inside, they deployed a series of WebShells—using tools such as China Chopper, Behinder (IceScorpion), and sqlmap file uploaders—to establish a foothold. The WebShells not only facilitated lateral movement within compromised networks but also enabled the attackers to harvest credentials and install the latest variant of Winnti malware.
New Features of Winnti Malware
The new Winnti malware variant used in the RevivalStone campaign is engineered with advanced functionalities compared to its predecessors. Key enhancements include:
- Advanced Obfuscation Techniques:
The malware employs sophisticated code obfuscation methods, including jump-based Control Flow Flattening (CFF) and string obfuscation using XOR and ChaCha20. These measures make reverse engineering significantly more challenging.
- DLL Hijacking and Rootkit Deployment:
The malware manipulates system processes through DLL hijacking. For example, legitimate DLLs such as SessEnv.dll are replaced with malicious counterparts (e.g., TSMSISrv.dll), which then load the Winnti Loader (mresgui.dll). This loader is responsible for decrypting and deploying further malware components, including the Winnti RAT and Rootkit.
- Stealth and Persistence Mechanisms:
To evade detection, the malware copies legitimate system libraries into the System32 folder under randomized names and deletes them dynamically once they have been loaded. It also registers a dummy NDIS protocol driver (“IPSecMiniPort”) via Windows registry modifications to secure its persistence and enable covert command and control (C2) communications.
- Encrypted Payload Delivery:
The payload is stored in a DAT file that undergoes multiple layers of encryption (AES and ChaCha20) and requires specific device information (IP, MAC address, GUID) to generate the decryption keys. This ensures that the payload is only activated on the targeted device.
Comparison with Previous Winnti Malware Campaigns
Historical Winnti campaigns, such as those documented in Operation CuckooBees, reveal that earlier variants were less sophisticated in terms of obfuscation and persistence. The new variant—likely referred to as Winnti v5.0 or “StoneV5” in internal nomenclature—shows significant enhancements in both encryption and evasion tactics. Notably, its use of a combination of AES and ChaCha20, along with its integration of advanced anti-analysis techniques, marks a clear evolution from earlier versions that primarily used simpler XOR-based encryption.
Analysis of the Attacker Group’s Motives
The RevivalStone campaign appears to be part of a broader effort by Winnti Group to expand its operational footprint beyond its traditional targets in Eastern Europe. By targeting key industries in Japan, the group aims to exploit vulnerabilities in organizations that are critical to the manufacturing, materials, and energy sectors. These sectors often form the backbone of national economies and are increasingly connected to global supply chains. Furthermore, the group’s tactics—ranging from SQL injection and phishing to the deployment of advanced malware—suggest an intention to not only gather intelligence but also to potentially facilitate disruptive cyber operations in support of geopolitical objectives.
Detection and Investigation Techniques
Organizations can identify signs of the RevivalStone campaign by monitoring for various indicators of compromise (IOCs) such as:
- Unusual WebShell Deployments:
Look for unexpected files like China Chopper, Behinder, or sqlmap file uploaders on your web servers.
- Abnormal Network Traffic:
Monitor for unusual network communications, particularly those involving encrypted payloads that do not match standard application behavior.
- Registry Changes:
Investigate modifications to Windows registry keys, especially those related to dummy NDIS protocol drivers like “IPSecMiniPort”.
- Suspicious File Names:
Check for randomized DLL file names in the System32 folder that follow patterns (e.g., an underscore followed by 5-9 alphanumeric characters).
- Memory Analysis:
Use tools such as Volatility and MemProcFS to detect anomalies in memory dumps, such as the presence of unloaded modules (e.g., “amonitor.sys”) indicative of malware activity.
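The file-name, registry and unloaded-module indicators above can be turned into a small triage script. The following is an added example, not code from the article or from the Cyber Emergency Center. It runs over constructed sample data (a fake System32 listing, a fake registry export and a fake list of unloaded driver names). The registry key path in the sample is an assumption: the article names only the driver “IPSecMiniPort”, not the key it is registered under, so the scanner matches the name as any path component rather than a fixed location.

```python
import re

# Added example (not from the article): flags three host-level indicators
# described in the text, using constructed sample data only.

# Pattern from the article: a DLL in System32 whose name is an underscore
# followed by 5-9 alphanumeric characters.
RANDOMIZED_DLL = re.compile(r"^_[A-Za-z0-9]{5,9}\.dll$", re.IGNORECASE)

# Constructed sample listing of %SystemRoot%\System32 (not real data).
SAMPLE_SYSTEM32_LISTING = [
    "kernel32.dll",
    "SessEnv.dll",
    "_Ab3kz9.dll",          # 6 characters after the underscore: matches
    "_x7Qm2pLw4.dll",       # 9 characters: matches
    "_abcd.dll",            # 4 characters: below the pattern, no match
    "_toolong123456.dll",   # 13 characters: above the pattern, no match
    "ntdll.dll",
]

# Constructed excerpt of a "reg export" file; the key path is an assumption,
# the article gives only the driver name.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSecMiniPort]
"Type"=dword:00000001
"DisplayName"="IPSecMiniPort"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Type"=dword:00000001
"""

# Constructed list of unloaded kernel modules, as an analyst might copy out of
# a Volatility or MemProcFS listing (not real output).
SAMPLE_UNLOADED_MODULES = ["amonitor.sys", "dump_diskdump.sys", "amonitor.sys"]

REGISTRY_WATCHLIST = ("IPSecMiniPort",)
MODULE_WATCHLIST = ("amonitor.sys",)


def find_randomized_dlls(names):
    """Return the file names that match the randomized-DLL pattern."""
    return [n for n in names if RANDOMIZED_DLL.match(n)]


def find_watchlisted_registry_keys(reg_export, watchlist=REGISTRY_WATCHLIST):
    """Return (key_path, name) for every exported key whose path contains a watchlisted name.

    Only the bracketed key-header lines are inspected; value lines are ignored.
    """
    hits = []
    for line in reg_export.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue
        path = line[1:-1]
        components = [c.lower() for c in path.split("\\")]
        for name in watchlist:
            if name.lower() in components:
                hits.append((path, name))
    return hits


def find_watchlisted_modules(unloaded_modules, watchlist=MODULE_WATCHLIST):
    """Return the distinct watchlisted driver names present in an unloaded-module list."""
    wanted = {w.lower() for w in watchlist}
    seen = []
    for mod in unloaded_modules:
        if mod.lower() in wanted and mod.lower() not in seen:
            seen.append(mod.lower())
    return seen


def triage(listing, reg_export, unloaded_modules):
    """Run all three checks and return a dict that is empty when nothing was found."""
    findings = {}
    dlls = find_randomized_dlls(listing)
    if dlls:
        findings["randomized_dlls"] = dlls
    keys = find_watchlisted_registry_keys(reg_export)
    if keys:
        findings["registry_keys"] = keys
    mods = find_watchlisted_modules(unloaded_modules)
    if mods:
        findings["unloaded_modules"] = mods
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_SYSTEM32_LISTING, SAMPLE_REG_EXPORT,
                                  SAMPLE_UNLOADED_MODULES).items():
        print(category, items)
```

On a live host the three inputs would come from a directory listing of System32, a registry export and the unloaded-modules view of a memory image; a match on the name pattern alone is a lead to verify (signature, timestamps, loader chain), not proof of compromise.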
10 Recommendations to Prevent Similar Attacks
- Regularly Patch Vulnerabilities:
Ensure that all software, including ERP systems and web servers, is updated to the latest security patches to prevent exploitation via vulnerabilities such as SQL injection.
- Implement Strong Web Application Firewalls (WAF):
Use WAFs to detect and block malicious inputs, such as SQL injection attempts that could lead to WebShell deployment.
- Restrict Public Access to Critical Systems:
Limit external access to internal management interfaces and critical servers to trusted networks only, reducing the attack surface.
- Enhance Intrusion Detection and Prevention:
Deploy advanced IDS/IPS solutions to monitor network traffic for signs of lateral movement and anomalous behavior consistent with malware propagation.
- Conduct Regular Security Audits:
Perform periodic audits of your network, applications, and servers to identify and remediate potential security gaps before attackers can exploit them.
- Implement Multi-Factor Authentication (MFA):
Strengthen access controls by requiring MFA for all remote and administrative access, making it more difficult for attackers to gain unauthorized entry.
- Educate Employees on Phishing and Social Engineering:
Train staff to recognize phishing attempts and suspicious emails that may be used to deliver initial access through spear-phishing campaigns.
- Use Endpoint Protection Solutions:
Deploy robust endpoint protection platforms that can detect and respond to malware infections and unauthorized changes to system files.
- Monitor and Analyze Logs Continuously:
Use SIEM systems to aggregate and analyze logs from various systems, enabling early detection of unusual activity or indicators of compromise.
- Establish a Comprehensive Incident Response Plan:
Develop and routinely test an incident response plan that includes procedures for containing, investigating, and remediating cyber attacks to minimize potential damage.
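The first two recommendations both address the campaign's initial-access vector, SQL injection against the ERP web layer. The following added example (not code from the article, the Cyber Emergency Center or any ERP vendor) shows the defect and its fix side by side on a constructed in-memory SQLite table, plus the kind of allowlist check a WAF rule or input validator would enforce in front of it. The table name, columns and part numbers are invented for illustration.

```python
import re
import sqlite3

# Added example (not from the article): the same ERP-style lookup written twice,
# once with string concatenation (injectable) and once with a bound parameter.

# Constructed allowlist for the part-number format used in the sample data;
# a real deployment would use its own identifier format.
PART_NO_FORMAT = re.compile(r"^P-\d{4}$")


def make_demo_db():
    """Build an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parts (part_no TEXT, description TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO parts VALUES (?, ?, ?)",
        [
            ("P-1001", "bearing assembly", "plant-a"),
            ("P-1002", "turbine blade", "plant-b"),
            ("P-1003", "control valve", "plant-a"),
        ],
    )
    return conn


def lookup_vulnerable(conn, part_no):
    """Concatenates user input into the statement text: the defect behind SQL injection."""
    sql = ("SELECT part_no FROM parts WHERE part_no = '" + part_no + "' "
           "ORDER BY part_no")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, part_no):
    """Binds the input as a value; the SQL text is fixed, so input cannot alter it."""
    sql = "SELECT part_no FROM parts WHERE part_no = ? ORDER BY part_no"
    return [row[0] for row in conn.execute(sql, (part_no,))]


def is_well_formed_part_no(value):
    """Allowlist check applied before the query (defense in depth, not a substitute for binding)."""
    return PART_NO_FORMAT.fullmatch(value) is not None


def demo():
    """Run both lookups with a normal and a crafted input and return the row sets."""
    conn = make_demo_db()
    normal = "P-1001"
    # Tautology input: in the concatenated version the WHERE clause becomes always true.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "parameterized_normal": lookup_parameterized(conn, normal),
        "parameterized_crafted": lookup_parameterized(conn, crafted),
        "crafted_passes_allowlist": is_well_formed_part_no(crafted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The parameterized version returns nothing for the crafted input because the string is compared as a literal value; the allowlist rejects it before a query is even issued, which is the layer a WAF signature or input validator adds. Patching the ERP product removes the specific bug, but binding parameters is what prevents the class.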
Conclusion
The RevivalStone campaign orchestrated by the Winnti Group marks a significant escalation in the sophistication and scope of cyberattacks targeting Japanese organizations. By leveraging advanced malware variants and exploiting vulnerabilities in critical systems, the attackers have demonstrated a keen understanding of both technical and operational tactics. This campaign not only underscores the evolving threat landscape but also serves as a stark reminder of the importance of robust cybersecurity measures.
Organizations must remain vigilant by adopting proactive security practices—such as regular patching, network segmentation, and employee training—to mitigate the risk of such attacks. By following the ten recommended best practices outlined above, businesses can significantly strengthen their defenses and reduce the likelihood of successful exploitation by threat actors like Winnti Group.
As cybersecurity professionals, it is our collective responsibility to continuously monitor emerging threats, share intelligence, and collaborate on strategies that ensure a resilient security posture in an increasingly interconnected world.