Chronicle analysts conducted additional research on Winnti using VirusTotal and found a Linux variant that was used in 2015 in attacks on Vietnamese gaming companies.
“Special tools for Linux from Chinese cybersecurity groups are seldom seen, and this is a surprise. Historically, such tools as HKdoor, Htran and Derusbi also had Linux versions,” says Silas Cutler, lead reverse engineer at Chronicle.
The discovered malware consists of two parts: a rootkit that hides the malware on the infected host, and the backdoor itself.
Further analysis found similarities between the source code of the Linux version and the classic Winnti 2.0 for Windows, which was described in detail by experts from Kaspersky Lab and Novetta.
In addition, the Windows and Linux variants use similar methods to communicate with their command-and-control servers.
The Trojan uses ICMP, HTTP and its own custom TCP- and UDP-based protocols to fetch additional modules from the control center. According to the researchers, the operators can also connect directly to an infected system if the Winnti command servers are unavailable. The final functionality of the malware is defined by a set of plugins that varies depending on the target.
The libxselinux.so rootkit is responsible for concealing Winnti's activity on the infected machine. It is a modified version of the Azazel userland rootkit, which is publicly available on GitHub and hides itself by hooking libc functions via LD_PRELOAD. The modified version assigns letter codes to the malware's main functions and alters the responses those functions return to queries so that antivirus scanners are not triggered.
The Winnti developers added a Decrypt2 function to Azazel, which is used to decrypt the configuration files of the libxselinux.so module. They also embedded in the utility the identifiers of the ports and processes used by the Trojan; these names are later used when processing commands from the control center.
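The rootkit described above hides the backdoor's processes from anything that enumerates /proc through the hooked libc. The following script is an added example (it is not code from the Chronicle report or from Azazel) of the standard check a responder would run against such a rootkit: compare the PIDs that readdir() reports with the PIDs that a direct stat() probe of /proc/<pid> finds, and list /etc/ld.so.preload, the usual persistence point for LD_PRELOAD rootkits. The library path in the test data and the name of each function are constructed for the example.

```python
"""Added example: detect processes hidden by an LD_PRELOAD userland rootkit
such as Azazel (the base of Winnti's libxselinux.so). Not code from the report.

Azazel-style rootkits hook libc functions (readdir/readdir64 among them) so
that entries for the PIDs they protect never appear when ps, ls or top
enumerate /proc. The hooks filter what is listed; stat() on /proc/<pid> for
every possible PID still succeeds unless stat() is hooked as well, so
comparing the two views exposes the hidden PIDs (the classic "unhide" idea).
"""
import os

PROC = "/proc"
PRELOAD_FILE = "/etc/ld.so.preload"   # read by the dynamic loader on every exec


def pids_from_readdir(proc=PROC):
    """The view a hooked libc presents: os.listdir() calls readdir() internally."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_max():
    """Upper bound of the PID space on this host (old kernel default as fallback)."""
    try:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768


def pids_from_probe(proc=PROC, upper=None):
    """The view a readdir-only rootkit cannot filter: probe each PID directly."""
    upper = upper or pid_max()
    found = set()
    for pid in range(1, upper + 1):
        try:
            os.stat(f"{proc}/{pid}")      # succeeds iff the PID exists
            found.add(pid)
        except FileNotFoundError:
            continue
    return found


def hidden_pids(listed, probed):
    """PIDs reachable by direct probe but absent from the directory listing."""
    return sorted(set(probed) - set(listed))


def live_hidden_pids():
    """Run the comparison on this host.

    Processes start and exit while we probe, so a PID seen only by the probe
    may simply be new. Listing before and after the probe and flagging a PID
    only if it is in neither listing removes most of that noise.
    """
    before = pids_from_readdir()
    probed = pids_from_probe()
    after = pids_from_readdir()
    return hidden_pids(before | after, probed)


def parse_preload(text):
    """Library paths from ld.so.preload content: whitespace-separated entries;
    '#' starts a comment in this parser (assumed convention for the example)."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def preload_indicators(preload_file=PRELOAD_FILE, env=None):
    """Persistence indicators: ld.so.preload entries plus LD_PRELOAD in our env.

    Anything in ld.so.preload is injected into every dynamically linked
    process, which is exactly how an LD_PRELOAD rootkit persists.
    """
    env = os.environ if env is None else env
    try:
        with open(preload_file) as fh:
            entries = parse_preload(fh.read())
    except OSError:
        entries = []
    return {"ld.so.preload": entries, "LD_PRELOAD": env.get("LD_PRELOAD", "")}


if __name__ == "__main__":
    print("hidden PIDs:", live_hidden_pids())
    print("preload indicators:", preload_indicators())
```

The check only works if the rootkit hooks readdir() but not stat(); a more thorough variant can hook both, so treat an empty result as "nothing found by this method", not as a clean bill of health. Running the probe from a statically linked binary, or taking the process list from the kernel side (audit logs, eBPF), avoids the hooked libc entirely.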
In addition, the newly discovered malware has a fallback communication channel that lets the operators talk to the backdoor directly, bypassing the C&C servers.
The researchers note that although Linux malware is rarely seen in the arsenal of state-sponsored hackers, it has previously been observed that American and Russian hacking groups do not ignore other platforms and keep malware ready for such cases.
“An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets, but it may also be an attempt to take advantage of a security telemetry blind spot in many enterprises,” conclude the Chronicle specialists.
Source: https://medium.com