A Linux version of the Winnti malware has been found; it works as a backdoor on compromised systems.
Last month, Winnti malware was found on the computer systems of one of the world's largest pharmaceutical companies, which had been hit by Chinese hackers.
According to a report by Novetta, there are four distinct components in the Winnti malware's installation-to-execution cycle: a dropper, a service, an engine, and a worker. The installation of Winnti that Novetta observed on a victim's machine requires multiple steps and depends on the dropper, the service, and the loader component to accomplish them.
After a successful infection, activating Winnti on the victim's machine also requires multiple steps, as well as coordination between the service, engine, and worker components. The installation and activation processes are significantly more involved than typical malware installation and activation procedures. This additional complexity does not seem to serve any purpose other than, perhaps, to frustrate analysis by defenders.
What are the Objectives of the Winnti Malware?
According to security researchers, the main objective of Winnti is to steal the source code of online game projects as well as the digital certificates of legitimate software vendors. Besides that, the attackers are deeply interested in the set-up of network infrastructure (including production gaming servers) and in new developments such as conceptual ideas, designs and more.
Winnti Linux Version
According to the Chronicle blog:
The Linux version of Winnti is comprised of two files: a main backdoor (libxselinux) and a library (libxselinux.so) used to hide its activity on an infected system.
As with other versions of Winnti, the core component of the malware does not natively provide the operators with distinct functionality. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers. During our analysis, we were unable to recover any active plugins.
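Knowing only the two file names, a defender can still hunt for this pair on a Linux host. The script below is an added example and is not code from the Chronicle report or from the malware authors. It assumes (the page does not say so) that a "hiding" library like libxselinux.so is injected into other processes through /etc/ld.so.preload, the usual LD_PRELOAD-style mechanism for a userland rootkit, so it reports any preloaded object and any process mapping whose file name matches the indicator, plus mapped shared objects that have been unlinked from disk. The indicator stems and the sample ld.so.preload and /proc/<pid>/maps text are constructed for the example, not captured from a real infection.

```python
"""Hunt for a hiding library such as libxselinux.so on a Linux host.

Added example (not the Chronicle report's code). Assumed, not stated by the
report: the library is loaded into other processes via /etc/ld.so.preload.
"""
import os
import re
from pathlib import Path

# Indicator file names from the report (the only Winnti-specific data here).
SUSPECT_STEMS = ("libxselinux",)
# Directories a legitimately preloaded library would normally come from.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Constructed sample inputs, used by the self-test below (not real captures).
SAMPLE_PRELOAD = "# preload\n/usr/lib64/libxselinux.so\n"
SAMPLE_MAPS = """55d1c4e00000-55d1c4e21000 r-xp 00000000 08:01 1234567 /usr/sbin/sshd
7f3a1c000000-7f3a1c1c2000 r-xp 00000000 08:01 2345678 /usr/lib64/libc.so.6
7f3a1c400000-7f3a1c41b000 r-xp 00000000 08:01 3456789 /usr/lib64/libselinux.so.1
7f3a1c600000-7f3a1c60a000 r-xp 00000000 08:01 4567890 /usr/lib64/libxselinux.so
7f3a1c800000-7f3a1c803000 r-xp 00000000 08:01 5678901 /tmp/.x/libhelper.so (deleted)
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
7ffd2a100000-7ffd2a102000 r-xp 00000000 00:00 0 [vdso]
"""


def parse_preload(text):
    """Return the library paths listed in an /etc/ld.so.preload file.

    The loader treats whitespace as a separator and '#' as a comment start;
    an empty or missing file is the normal state on a clean host."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def is_suspect_name(path):
    """True if the file name is an indicator stem or a .so built on it
    (libxselinux, libxselinux.so, libxselinux.so.1); libselinux.so.1 is not."""
    name = os.path.basename(path)
    return any(name == s or name.startswith(s + ".") for s in SUSPECT_STEMS)


def preload_findings(text):
    """Report every preloaded object with a reason: indicator match,
    non-standard location, or simply 'present' (still worth a look)."""
    findings = []
    for entry in parse_preload(text):
        if is_suspect_name(entry):
            findings.append((entry, "name matches Winnti indicator"))
        elif not entry.startswith(TRUSTED_LIB_DIRS):
            findings.append((entry, "preloaded from a non-standard directory"))
        else:
            findings.append((entry, "preloaded library present (review)"))
    return findings


# /proc/<pid>/maps: address perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(\S.*)$")


def parse_maps(text):
    """Return the set of backing-file paths from a /proc/<pid>/maps dump
    (anonymous mappings have no path and are skipped)."""
    paths = set()
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            paths.add(m.group(1).strip())
    return paths


def maps_findings(text):
    """Flag mapped objects matching an indicator name, and mapped shared
    objects whose file was unlinked ('(deleted)'): a dropped-loaded-removed
    library is a common way to keep a payload off disk."""
    findings = []
    for path in sorted(parse_maps(text)):
        if path.startswith("["):  # [heap], [stack], [vdso] pseudo-paths
            continue
        clean = path.replace(" (deleted)", "")
        if is_suspect_name(clean):
            findings.append((path, "name matches Winnti indicator"))
        elif path.endswith("(deleted)") and ".so" in os.path.basename(clean):
            findings.append((path, "mapped shared object deleted from disk"))
    return findings


def hunt_host(proc="/proc", preload="/etc/ld.so.preload"):
    """Run both checks on the live system; needs read access to /proc/*/maps."""
    results = []
    p = Path(preload)
    if p.exists():
        results += [("ld.so.preload", e, why) for e, why in preload_findings(p.read_text())]
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            maps = (pid_dir / "maps").read_text()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or is not ours to read
        results += [(f"pid {pid_dir.name}", m, why) for m, why in maps_findings(maps)]
    return results


if __name__ == "__main__":
    for where, what, why in hunt_host():
        print(f"{where}: {what}: {why}")
```

Run it as root so every process's maps are readable. A match on the name alone is only an indicator; the report notes the core component is a loader for modules fetched from the C2, so a hit should be followed by capturing the process memory and the network connections of the process that mapped the library, not just by deleting the files.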
Winnti Windows Version
In a report Kaspersky published, they said that in 2011 a Trojan was detected on a large number of computers, all of them linked by the fact that they were used by players of a popular online game. It emerged that the malware landed on users' computers as part of a regular update from the game's official update server.
Some even suspected that the publisher itself was spying on its customers. However, it later became clear that the malicious program had ended up on users' computers by mistake: the cybercriminals were in fact targeting the companies that develop and release computer games.
The malicious DLL infected gamers' computers running either 32-bit or 64-bit operating systems. It could not start in 32-bit environments, but under certain conditions it could launch without the user's knowledge or consent in 64-bit environments, though no such accidental launches have been detected.
The DLL contained a backdoor payload or, to be exact, the functionality of a fully-fledged Remote Administration Tool (RAT), which gave the cybercriminals the ability to control the victim's computer without the user's knowledge.
The malicious module turned out to be the first Trojan for the 64-bit version of Microsoft Windows with a valid digital signature that we had seen. We had seen similar cases before, but in all previous incidents of digital signature abuse, only 32-bit applications were involved.
When Kaspersky discovered the first stolen digital certificate, they did not realize that stealing certificates and signing malware for upcoming attacks against other victims was the group's modus operandi. Within eighteen months, researchers managed to discover more than a dozen compromised digital certificates.
At least 35 companies, across Asia, Europe and the USA, were infected by the Winnti malware at some point.
Kaspersky said the research revealed a long-term, large-scale cyber-espionage campaign by a criminal group of Chinese origin. Such attacks are not new; many other security researchers have published details of various cybercriminal groups from China. However, this group has distinguishing features that make it stand out among the others:
- Massive abuse of digital signatures: the attackers used the digital signatures of one victim company to attack other companies and steal more digital certificates.
- Use of a kernel-level, 64-bit signed rootkit.
- Abuse of a great variety of public Internet resources to store control commands for the malware in encrypted form.
- Sharing or selling stolen certificates to other groups that had different objectives (attacks against Uyghur and Tibetan activists).
- Theft of source code and other intellectual property of software developers in the online gaming industry.
The security research on Winnti is still ongoing.