Higaisa or Winnti? How We Defined Backdoor Ownership

While monitoring information security threats in May 2020, Positive Technologies experts discovered several new malware samples. At first glance they should have been attributed to the Higaisa group, but detailed analysis showed that they should be associated with the Winnti group (also known as APT41, according to FireEye).

Detailed monitoring also revealed many other instances of APT41 malware, including backdoors, droppers, loaders, and injectors. We were also able to find samples of a previously unknown backdoor (which we named FunnySwitch) with atypical peer-to-peer messaging functionality. The detailed report is available via the link; in this article we describe how our research began.


The first attack that attracted the attention of experts was dated May 12, 2020.

The malicious file used in it is an archive named Project link and New copyright policy.rar (c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04). The archive contains a decoy document in PDF format (Zeplin Copyright Policy.pdf), as well as a folder All tort’s projects – Web lnks with two shortcuts:

  • Conversations – iOS – Swipe Icons – Zeplin.lnk,

  • Tokbox icon – Odds and Ends – iOS – Zeplin.lnk.

The structure of the malicious shortcuts is similar to the sample 20200308-sitrep-48-covid-19.pdf.lnk, which was distributed by the Higaisa group in March 2020.

The initial infection mechanism has not fundamentally changed: when any of the shortcuts is opened, a command is executed that extracts a Base64-encoded CAB archive from the body of the LNK file and unpacks it into a temporary folder. Further actions are performed by the extracted JS script.

Figure: contents of the script 34fDFkfSD32.js

The main payload installed by the script is the shellcode named 3t54dE3r.tmp.
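For triage of LNK files built along the chain described above (a Base64-encoded CAB carried in the shortcut body), the following added example, which is not code from the original article or from the samples, locates long Base64 runs in a file, decodes them and keeps those that decode to a CAB archive, then parses the fixed CFHEADER fields. The sample LNK-like blob, the file names and the header values are all constructed for the example.

```python
import base64
import binascii
import re
import struct

CAB_MAGIC = b"MSCF"  # CFHEADER signature of a Microsoft Cabinet file
# Runs of base64 text at least 64 characters long; a shortcut that carries a
# stage-2 archive in its body holds it as one such run.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def extract_embedded_cabs(blob: bytes) -> list:
    """Decode every long base64 run in `blob` and keep those that decode to a
    CAB archive. Returns dicts with the run offset, decoded size and bytes."""
    found = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # base64 length must be a multiple of 4
        try:
            data = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        if data.startswith(CAB_MAGIC):
            found.append({"offset": m.start(), "size": len(data), "data": data})
    return found


def cab_header_summary(cab: bytes) -> dict:
    """Parse the fixed 36-byte CFHEADER: cabinet size, offset of the file
    table, format version, folder and file counts."""
    f = struct.unpack_from("<4sIIIIIBBHHHHH", cab, 0)
    return {
        "cabinet_size": f[2],
        "files_offset": f[4],
        "version": f"{f[7]}.{f[6]}",  # versionMajor.versionMinor
        "folders": f[8],
        "files": f[9],
    }


# Constructed test input: a minimal CAB header padded to 100 bytes, base64
# encoded and placed between filler bytes the way an LNK body would carry it.
_cab = struct.pack("<4sIIIIIBBHHHHH", CAB_MAGIC, 0, 100, 0, 44, 0, 3, 1, 1, 2, 0, 0x1234, 0)
_cab = _cab.ljust(100, b"\x00")
SAMPLE_LNK = b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 24 + base64.b64encode(_cab) + b"\x00\x00filler"

if __name__ == "__main__":
    for cab in extract_embedded_cabs(SAMPLE_LNK):
        print(f"CAB at offset {cab['offset']}, {cab['size']} bytes:", cab_header_summary(cab["data"]))
```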

On May 30, 2020, a new malicious object was identified – CV archiveColliers.rar (df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d) with two shortcuts:

  • Curriculum VitaeWANG LEI_Hong Kong Polytechnic University.pdf.lnk,

  • International English Language Testing System certificate.pdf.lnk.

Their structure exactly repeats that of the May 12 samples. In this case, PDF documents containing a resume and an IELTS certificate were used as bait.

These attacks were studied in detail by our colleagues from Malwarebytes and Zscaler… Based on the similarity of the infection chains, the researchers attributed them to the Higaisa group.

However, a detailed analysis of the shellcode used as the payload showed that the samples belong to the Crosswalk malware family. This malware appeared no later than 2017 and was first mentioned in the FireEye report on the activities of the APT41 (Winnti) group.

Figure: fragment of the FireEye report
Figure: snippet of the shellcode 3t54dE3r.tmp

A study of the samples' network infrastructure also reveals overlaps with previously known APT41 infrastructure: an SSL certificate with SHA-1 b8cff709950cfa86665363d9553532db9922265c is found on the IP address of one of the C2 servers and also occurs on the IP address 67.229.97[.]229 mentioned in CrowdStrike's 2018 report. Further investigation leads to some domains from Kaspersky's 2013 report.

All of this leads us to the conclusion that these LNK attacks were carried out by the Winnti group (APT41), which borrowed the shortcut technique from Higaisa.

Figure: fragment of the network infrastructure

The Crosswalk backdoor

Crosswalk is a modular shellcode backdoor. Its main component is responsible for establishing a connection to the control server and for collecting and sending information about the system, and it can install and execute up to 20 additional modules received from the server in the form of shellcode.

The information collected includes:

  • operating time of the OS (uptime);

  • IP addresses of network adapters;

  • MAC address of one of the adapters;

  • version and bitness of the operating system;

  • username;

  • computer name;

  • the name of the executable module;

  • PID of the process;

  • version and bitness of the shellcode.

The shellcode exists in both 32- and 64-bit variants. Its versions are encoded as two numbers; among the samples we found were versions 1.0, 1.10, 1.21, 1.22, 1.25 and 2.0.

For a more detailed analysis of one of the Crosswalk versions, see the VMware Carbon Black research.

Loaders and injectors

Researching the network infrastructure and monitoring new Crosswalk samples led us to other malicious objects that carry the Crosswalk shellcode as their main payload. All of these objects can be roughly divided into two groups: local shellcode loaders and shellcode injectors. In both groups, some of the samples were additionally obfuscated with VMProtect.

Figure: code that injects the shellcode into a running process

The injectors contain typical code that obtains the SeDebugPrivilege privilege, finds the PID of the target process and injects the shellcode into it. In different samples, explorer.exe and winlogon.exe serve as the target processes.
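A detection-side view of the injector behaviour described above, as an added example that is not part of the original article: it scores Sysmon Event ID 8 (CreateRemoteThread) records for remote threads created in explorer.exe or winlogon.exe, threads whose start address is not backed by any module, and source images running outside the system directories. The event records and the benign-source allow-list are constructed for the example; field names follow Sysmon's Event ID 8 schema.

```python
import ntpath

# Processes the injectors discussed in the article were seen targeting.
INJECTION_TARGETS = {"explorer.exe", "winlogon.exe"}
# Constructed allow-list of sources that legitimately create remote threads;
# tune it to the environment being monitored.
BENIGN_SOURCES = {"csrss.exe", "msmpeng.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def _basename(path: str) -> str:
    return ntpath.basename(path or "").lower()


def assess_remote_thread(event: dict) -> dict:
    """Score one Sysmon Event ID 8 record and return the verdict with reasons."""
    src_path = (event.get("SourceImage") or "").lower()
    src, tgt = _basename(src_path), _basename(event.get("TargetImage"))
    reasons = []
    if tgt in INJECTION_TARGETS and src != tgt and src not in BENIGN_SOURCES:
        reasons.append(f"remote thread into {tgt} from {src}")
    # No StartModule means the thread starts in memory that was written at
    # runtime rather than in a mapped image: the shape of shellcode injection.
    if not event.get("StartModule"):
        reasons.append("thread start address not backed by a module")
    if src_path and not src_path.startswith(SYSTEM_DIRS):
        reasons.append("source image outside system directories")
    verdict = "alert" if len(reasons) >= 2 else "suspicious" if reasons else "ok"
    return {"RecordID": event.get("RecordID"), "verdict": verdict, "reasons": reasons}


def triage(events: list) -> dict:
    """Map each record id to its verdict for the whole batch."""
    return {r["RecordID"]: r["verdict"] for r in map(assess_remote_thread, events)}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordID": 1, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\svchost32.exe",
     "TargetImage": "C:\\Windows\\explorer.exe", "StartModule": ""},
    {"RecordID": 2, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\winlogon.exe",
     "StartModule": "C:\\Windows\\System32\\ntdll.dll"},
    {"RecordID": 3, "SourceImage": "C:\\Program Files\\Vendor\\agent.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartModule": ""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(assess_remote_thread(ev))
```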

The instances we have discovered contain one of three payload options:

  • Crosswalk,

  • Metasploit stager,

  • FunnySwitch (more on this backdoor in the full article).

The main function of the samples in the local shellcode loader group is to extract and execute the shellcode in the current process. Two subgroups can be distinguished by the source of the shellcode: it may be located either in the executable file itself or in an external file in the same directory.

Most loaders start by checking the current year, which resembles the behavior of the LNK attack samples.

Figure: code of the loader's main function


The Winnti group has in its arsenal a wide range of malware tools that it actively uses in its attacks. The group uses both widely available tools such as Metasploit, Cobalt Strike and PlugX, and its own developments, the list of which is constantly growing. In particular, no later than May 2020 the group started using its new backdoor, FunnySwitch.

A distinctive feature of the group's backdoors is support for several transport protocols for connecting to the C&C server, which makes malicious traffic harder to detect.

The full report presents a more detailed analysis of the malware samples detected by Positive Technologies experts. The document also describes examples of the Winnti group's attacks and techniques.
