WinMM

WinMM is a full-featured, simple backdoor used by Naikon. ^[1]

ID: S0059

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1008		回退信道	WinMM is usually configured with primary and backup domains for C2 communications.^[1]
Enterprise	T1071	.001	应用层协议: Web Protocols	WinMM uses HTTP for C2.^[1]
Enterprise	T1083		文件和目录发现	WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.^[1]
Enterprise	T1082		系统信息发现	WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.^[1]
Enterprise	T1033		系统所有者/用户发现	WinMM uses NetUser-GetInfo to identify that it is running under an "Admin" account on the local system.^[1]
Enterprise	T1057		进程发现	WinMM sets a WH_CBT Windows hook to collect information on process creation.^[1]

Groups That Use This Software

ID	Name	References
G0019	Naikon	^[1]^[2]

References

Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.

ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015.