Winnti Group Uses Backdoor for Linux

Delaware, USA – May 20, 2019 – Researchers from Chronicles, Alphabet’s cyber-security division, discovered and analyzed the Linux version of the tool used by the Chinese state-sponsored group. The Winnti group has attracted a lot of media attention in recent months, thanks to the report on the unsuccessful attack on the German drugmaker Bayer and the sophisticated operation ‘Shadowhammer’, the supply-chain attack on at least seven organizations to spread backdoors via legitimate software. Chronicles’ experts analyzed the toolkit of the APT group and discovered a Linux variant of Winnti backdoor associated with the attack on a Vietnam gaming company in 2015. The malware consists of two components: a rootkit to gain persistence on the attacked system and the backdoor itself. Code analysis showed that the Linux malware is similar to the Windows version of the backdoor and has the same method of communications with command-and-control infrastructure. But apart from the similarity, there is also a significant difference in functionality: the Linux version of the backdoor has the secondary communication channel, which allows attackers to connect to the trojan without using a C&C server, which allows the use of malware even after the server is disabled.

A recent Der Spiegel report shows another unsuccessful attack of the group. In 2016, the APT group planted the backdoor on Teamviewer company’s systems, but the security team quickly detected suspicious activity and cleaned the threat. Winnti group is often interested in stealing technical trade secrets and uses advanced techniques to achieve goals. You can find out more about the techniques used and the rules for their detection in the MITRE ATT&CK section in Threat Detection Marketplace: