
Experts describe a Linux variant of the Winnti Trojan

Chronicle, the cybersecurity subsidiary of Alphabet, has discovered a Linux version of the Winnti backdoor, which Chinese hacking groups have used for many years.

The Linux version of the backdoor was found shortly after reports that Chinese hackers using Winnti had attacked Bayer, one of the world's largest pharmaceutical companies.

Chronicle analysts did additional research on Winnti samples in VirusTotal and found a Linux variant that was used in 2015 in attacks on Vietnamese gaming companies.

"Dedicated Linux tools from Chinese cybersecurity groups are rarely encountered, and this is a surprise. Historically such tools as HKdoor, Htran and Derusbi also had Linux versions," says Silas Cutler, lead reverse engineer at Chronicle.

The discovered malware consists of two parts: a rootkit that hides the malware on the infected host, and the backdoor itself.

Further analysis showed similarities between the source code of the Linux version and the classic Winnti 2.0 for Windows, which experts from Kaspersky Lab and Novetta have described in detail.

In addition, the Windows and Linux variants use similar methods to communicate with their command-and-control servers.


The Trojan uses ICMP, HTTP and its own implementations of TCP and UDP to fetch additional modules from the control center. As the specialists note, the criminals can also connect directly to an infected system if the Winnti command servers are unavailable. The final functionality of the malware is defined by a set of plugins that can vary depending on the target.

The libxselinux.so rootkit is responsible for concealing Winnti's activity on the infected machine. It is a modified version of the Azazel utility, which is available on GitHub. The program assigns letter codes to the main functions of the malware and alters their responses to requests so that anti-virus scanners are not triggered.

Winnti's developers added a Decrypt2 function to Azazel that is used to decrypt the configuration files of the libxselinux.so module. The malware authors also embedded in the utility's code unique identifiers for the ports and processes the Trojan uses; these names are later used when processing commands from the control center.
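A defender-side set of checks for this kind of rootkit, added here as an example (not code from the original post or from Chronicle). It assumes, which the article does not state, that the libxselinux.so module is loaded the way upstream Azazel is, through /etc/ld.so.preload or an LD_PRELOAD variable, and that it hides its processes from libc's readdir(); the library paths and PIDs in the sample inputs are constructed.

```python
"""Checks for an Azazel-style LD_PRELOAD rootkit. Added example, not the article's
code; assumes (not stated on the page) the module loads via ld.so.preload/LD_PRELOAD."""
import os

def preload_entries(text, trusted=()):
    """Libraries named in ld.so.preload content that are not on the allow-list."""
    libs = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    return [lib for lib in libs if lib not in trusted]

def env_preload(environ_bytes):
    """LD_PRELOAD value from a /proc/<pid>/environ blob (NUL-separated), else None."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item.split(b"=", 1)[1].decode(errors="replace")
    return None

def hidden_pids(listed, probed):
    """Cross-view diff: PIDs alive per kill(pid, 0) but missing from the readdir()
    view of /proc are hidden from libc callers (or started/exited in between)."""
    return sorted(set(probed) - set(listed))

def probe_pids(limit):
    """Enumerate live PIDs with kill(pid, 0); a readdir() hook cannot filter this."""
    alive = []
    for pid in range(1, limit):
        try:
            os.kill(pid, 0)  # signal 0: existence check, nothing is delivered
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists but belongs to another user
        alive.append(pid)
    return alive

def read_bytes(path):
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""  # absent, process exited, or needs root

def live_check(trusted=()):
    """Run all three checks on this host and return the findings."""
    listed = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    env = {p: env_preload(read_bytes(f"/proc/{p}/environ")) for p in listed}
    pid_max = int(read_bytes("/proc/sys/kernel/pid_max") or b"32768")
    return {"preload": preload_entries(read_bytes("/etc/ld.so.preload").decode(), trusted),
            "env": {p: v for p, v in env.items() if v},
            "hidden_pids": hidden_pids(listed, probe_pids(pid_max))}
```

Cross-view findings are leads, not proof: a process that started or exited between the two enumerations also shows up, so repeat the check before acting on it.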

In addition, the newly discovered malware has a fallback channel that lets the operators communicate with the backdoor directly, bypassing the C&C servers.

Researchers note that although Linux malware is rare in the arsenal of state-sponsored hackers, it was observed earlier that American and Russian hacking groups do not ignore other platforms and have malware for such cases.

"An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemetry blindspot in many enterprises," Chronicle's specialists conclude.

Source: https://medium.com

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
