
Winnti Group responsible for enhanced attack platform infecting organizations in South Korea, UK and Russia

October 6, 2015

Kaspersky Lab experts tracking the activity of the Winnti group have discovered an active threat based on a 2006 bootkit installer

Kaspersky Lab experts tracking the activity of the Winnti group have discovered an active threat based on a 2006 bootkit installer. The threat, which Kaspersky Lab has called “HDRoot” after the original tool’s name “HDD Rootkit”, is a universal platform for a sustainable and persistent presence in a targeted system, which can be used as a foothold for any arbitrary tool.

The Winnti criminal organization is known for industrial cyberespionage campaigns targeting software companies, especially those in the gaming industry. Recently it has also been observed targeting pharmaceutical businesses.

“HDRoot” was discovered when an intriguing sample of malware sparked the interest of Kaspersky Lab’s Global Research and Analysis Team (GReAT) for the following reasons:

  • It was protected with a commercial VMProtect Win64 executable signed with a known compromised certificate belonging to the Chinese entity Guangzhou YuanLuo Technology; a certificate that the Winnti group was known to have abused to sign other tools;
  • The properties and output text of the executable were spoofed to make it look like Microsoft’s Net Command (net.exe), obviously to reduce the risk of system administrators exposing the program as hostile.
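Both indicators above are things a defender can check mechanically: a binary whose version metadata claims to be a Microsoft component should also carry a valid Microsoft Authenticode signature, and a signer that is known to have been compromised should be flagged regardless of what the metadata says. The following is an added example, not code from Kaspersky Lab or from the HDRoot report; it runs a small triage rule set over constructed file-inventory records of the kind an EDR or a PowerShell export (`Get-Item ... | Select VersionInfo` plus `Get-AuthenticodeSignature`) would produce. The record fields, the signer name list, and the sample paths are assumptions made for the example.

```python
"""Triage rule set for the two HDRoot indicators: spoofed Microsoft metadata and
a known-abused code-signing certificate.  Added example; records are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Dict

# Signer subject names that legitimately appear on Microsoft-shipped binaries (assumption:
# a real deployment would compare against the full certificate chain, not just a name).
MICROSOFT_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

# Certificates the report names as abused by the group.  Only the subject is taken from the
# press release; a real watchlist would key on thumbprints or serial numbers.
ABUSED_SIGNERS = {"Guangzhou YuanLuo Technology"}


@dataclass
class FileRecord:
    path: str                  # on-disk location
    company_name: str          # VersionInfo.CompanyName as reported by the file itself
    original_filename: str     # VersionInfo.OriginalFilename
    signer: Optional[str]      # Authenticode signer subject, None if unsigned
    signature_valid: bool      # whether the signature chain verified


def assess(rec: FileRecord) -> List[str]:
    """Return the list of findings for one record; an empty list means no rule fired."""
    findings: List[str] = []
    claims_microsoft = "microsoft" in rec.company_name.lower()
    signed_by_microsoft = rec.signer in MICROSOFT_SIGNERS and rec.signature_valid

    # Indicator 2 from the report: metadata spoofed to look like a Microsoft tool.
    if claims_microsoft and not signed_by_microsoft:
        findings.append("CompanyName claims Microsoft but binary is not Microsoft-signed")

    # Indicator 1 from the report: signed with a certificate known to be abused.
    if rec.signer in ABUSED_SIGNERS:
        findings.append("signed with a certificate on the abused-signer watchlist")

    # Weaker signal: the embedded OriginalFilename disagrees with the on-disk name.
    on_disk = rec.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if rec.original_filename.lower() != on_disk:
        findings.append("OriginalFilename does not match on-disk file name")
    return findings


def scan(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Run assess() over an inventory and keep only the records that produced findings."""
    return {r.path: assess(r) for r in records if assess(r)}


# Constructed sample inventory: one genuine system binary, one spoofed copy in the style the
# report describes, and one honestly labelled unsigned third-party tool.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Windows\System32\net.exe", "Microsoft Corporation", "net.exe",
               "Microsoft Windows", True),
    FileRecord(r"C:\Windows\Temp\net.exe", "Microsoft Corporation", "net.exe",
               "Guangzhou YuanLuo Technology", True),
    FileRecord(r"C:\Tools\helper.exe", "Example Vendor Ltd", "helper.exe", None, False),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS).items():
        print(path)
        for f in findings:
            print("  -", f)
```

The two report-derived rules are independent on purpose: a spoofed binary carrying an as-yet-unknown stolen certificate still trips the metadata rule, while a binary that keeps its honest metadata but uses a watchlisted signer still trips the certificate rule.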

Taken together, this made the sample look suitably suspicious. Further analysis showed that the HDRoot bootkit is a universal platform for a sustainable and persistent presence in a system. It can be used to launch any other tool. The GReAT researchers were able to identify two types of backdoors launched with the help of this platform, and there may be more. One of these backdoors was able to bypass well-established anti-virus products in South Korea: AhnLab’s V3 Lite, AhnLab’s V3 365 Clinic and ESTsoft’s ALYac. Winnti therefore used it to launch malware on target machines in South Korea.

According to Kaspersky Security Network data, South Korea is the main area of interest for the Winnti group in South East Asia; with other targets in this region including organizations in Japan, China, Bangladesh and Indonesia. Kaspersky Lab has also detected HDRoot infections in a company in the UK and in one in Russia, both of which have previously been targeted by the Winnti group.

“The most important goal for any APT-actor is to stay under the radar, to remain in the shadow. That’s why we rarely see any complicated code encryption, because that would attract attention. The Winnti group took a risk, because it probably knows from experience which signs should be covered-up and which ones can be overlooked because organizations don’t always apply all the best security policies all of the time. System administrators have to keep on top of many things, and if the team is small, the chance that cybercriminal activity will remain undetected is even higher.” – said Dmitry Tarakanov, Senior Security Researcher in Kaspersky Lab’s GReAT team.

The development of the HDD Rootkit is likely to be the work of someone who went on to join the Winnti group when it was set up. Kaspersky Lab believes that Winnti was forming into a group in 2009, so it didn’t yet exist in 2006. But there is a possibility that Winnti made use of third-party software; perhaps this utility and its source code are available on the Chinese or other cybercriminal black market. The threat is still active. Since Kaspersky Lab started to add detections, the group behind the attacks has started to adapt them: in less than a month, a new modification was identified.

Kaspersky Lab’s products successfully block the malware and protect users against the threat.

Learn more about Chinese-language APT campaigns here.

To learn more about the Winnti Group’s attack platform, please read the blog post available at Securelist.com.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky continually transforms deep threat intelligence and security expertise into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company offers a comprehensive security portfolio, including leading endpoint protection, a range of specialized security solutions and services, and Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies, and we help 200,000 corporate clients worldwide protect what matters most to them. Learn more at www.kaspersky.com.cn.
