
Threat Group Cards: A Threat Actor Encyclopedia

Tool: Winnti

Names: Winnti, BleDoor, RbDoor, RibDoor
Category: Malware
Type: Reconnaissance, Rootkit, Backdoor, Downloader, Tunneling, Info stealer, Exfiltration
Description: (Kaspersky) So what does PlusDLL control? It turns out that the target functionality is implemented in different files. Each file provides a specific remote control feature and is downloaded from the attackers' server every time the system starts up. These files are not saved on disk or in the registry but are loaded directly into memory.

At the very start of the operation, after launching the driver, PlusDLL collects information about the infected system. A unique identifier for the infected computer is generated based on information about the hard drive and the network adapter’s MAC address, e.g., TKVFP-XZTTL-KXFWH-RBJLF-FXWJR. The attackers are interested primarily in the computer’s name, the program which loaded the malicious library, as well as information about remote desktop sessions (session name, client name, user name and session time). All of this data is collected in a buffer, which is then compressed and sent to the attackers’ control center.

In reply to this initial message from the bot, the control center sends the list of available plugins. Plugins are DLL libraries that provide specific remote control functions. Upon receiving the list of plugins, the bot downloads them, allocates them in memory and passes control to these libraries.

Also see HighNoon, which seems to be a variant of Winnti.
Information:
<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf>
<https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf>
<https://github.com/TKCERT/winnti-suricata-lua>
<https://github.com/TKCERT/winnti-nmap-script>
<https://github.com/TKCERT/winnti-detector>
<https://www.protectwise.com/blog/winnti-evolution-going-open-source.html>
<http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/>
<http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/>
<https://securelist.com/games-are-over/70991/>
<https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf>
<https://blogs.blackberry.com/en/2020/04/decade-of-the-rats>

MITRE ATT&CK:
<https://attack.mitre.org/software/S0141/>

Malpedia:
<https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti>
<https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti>
<https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti>

AlienVault OTX:
<https://otx.alienvault.com/browse/pulses?q=tag:winnti>

Last change to this tool card: 14 May 2020


All groups using tool Winnti

Changed | Name                                                                | Country | Observed

APT groups

        | APT 41                                                              | China   | 2012-Aug 2020 HOT X
        | Axiom, Group 72                                                     | China   | 2008-2008/2014
        | Barium                                                              | China   | 2016-Nov 2017 X
        | Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon                 | China   | 2010-May 2020
        | Lead                                                                | China   | 2016
        | Operation DRBControl                                                | China   | 2019
        | PassCV                                                              | China   | 2016
        | Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens       | China   | 2010-Oct 2018 X
        | Winnti Group, Blackfly, Wicked Panda                                | China   | 2010-Feb 2020

9 groups listed (9 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
