DEPLOYLOG is the name of a malicious tool associated with the Winnti advanced persistent threat actor.

The Winnti group is also known by the name APT41 and is believed to be a Chinese state-sponsored threat actor, dealing in cyber espionage.

DEPLOYLOG is a new tool in the Winnti group's toolkit of malicious software. The tool was used in attacks tracked by security researchers working with Cyberreason.

The malware is able to abuse the CLFS or "common log file system" feature of the Windows operating system. The exploit is rarely seen and extracts data stored in the CLFS, then deploys a malicious WINNKIT rootkit driver that is also a custom tool used by the Winnti group and acts as a kernel.

DEPLOYLOG is used in conjunction with a number of other custom malicious tools in Winnti's arsenal, including Spyder - a backdoor tool, STASHLOG - a tool used to store malicious payloads inside the Windows CLFS, SPARKLOG and PRIVATELOG - two tools working in conjunction and finally WINNKIT - the malicious kernel.

DEPLOYLOG is a new tool added to Winnti's arsenal. A unique feature of the attack vector used in campaigns using DEPLOYLOG is the hackers' focus on abusing a legitimate Windows feature and storing their encrypted malicious payload in it.

The attacks using DEPLOYLOG are multi-step and involve complex processes, multi-stage batch files, side-loading malicious DLL files through legitimate Windows services, and manipulation of the Windows registry to compromise the victim system. DEPLOYLOG is just one of the several tools Winnti use in their attempts to plant the WINNKIT rootkit in the targeted system.

May 5, 2022