Winnti for Windows
Winnti for Windows is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, Winnti Group.[1][2][3][4]. The Linux variant is tracked separately under Winnti for Linux.[5]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1090 | .001 | 代理: Internal Proxy |
The Winnti for Windows HTTP/S C2 mode can make use of a local proxy.[3] |
| .002 | 代理: External Proxy |
The Winnti for Windows HTTP/S C2 mode can make use of an external proxy.[3] |
||
| Enterprise | T1036 | .005 | 伪装: Match Legitimate Name or Location |
A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[2] |
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.[2] |
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography |
Winnti for Windows can XOR encrypt C2 traffic.[3] |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
The Winnti for Windows dropper can decrypt and decompresses a data blob.[3] |
|
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
Winnti for Windows can add a service named |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
Winnti for Windows has the ability to use encapsulated HTTP/S in C2 communications.[3] |
| Enterprise | T1480 | .001 | 执行保护: Environmental Keying |
The Winnti for Windows dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key.[3] |
| Enterprise | T1083 | 文件和目录发现 |
Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.[3] |
|
| Enterprise | T1106 | 本机API |
Winnti for Windows can use Native API to create a new process and to start services.[3] |
|
| Enterprise | T1027 | .013 | 混淆文件或信息: Encrypted/Encoded File |
Winnti for Windows has the ability to encrypt and compress its payload.[3] |
| Enterprise | T1548 | .002 | 滥用权限提升控制机制: Bypass User Account Control |
Winnti for Windows can use a variant of the sysprep UAC bypass.[3] |
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
Winnti for Windows can delete the DLLs for its various components from a compromised host.[3] |
| .006 | 移除指标: Timestomp |
Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe.[3] |
||
| Enterprise | T1218 | .011 | 系统二进制代理执行: Rundll32 |
The Winnti for Windows installer loads a DLL using rundll32.[2][3] |
| Enterprise | T1082 | 系统信息发现 |
Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP.[3] |
|
| Enterprise | T1569 | .002 | 系统服务: Service Execution |
Winnti for Windows can run as a service using svchost.exe.[3] |
| Enterprise | T1105 | 输入工具传输 |
The Winnti for Windows dropper can place malicious payloads on targeted systems.[3] |
|
| Enterprise | T1057 | 进程发现 |
Winnti for Windows can check if the explorer.exe process is responsible for calling its install function.[3] |
|
| Enterprise | T1095 | 非应用层协议 |
Winnti for Windows can communicate using custom TCP.[3] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0143 | Aquatic Panda |
Aquatic Panda used Winnti for Windows for persistent access to Windows victims.[6] |
| G0044 | Winnti Group |
References
- Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.
- Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
- CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
- Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.