Experts told about Linux-variant of Winnti Trojan

Chronicle experts from Alphabet cybersecurity holding discovered Linux version on Winnie backdoor that is popular among Chinese hackers for many years.

Linux-version of a backdoor was discovered after a recent news that Chinese hackers that applied Winnti attacked Bayer (one of the world largest pharmaceutical companies).

Chronicle analysts conducted additional research on Winnti on VirusTotal and fond variant for Linu that was used in 2015 for attacks on Vietnamese gaming companies.

“Special tools for Linux from Chinese cybersecurity groups are seldom met, and this is a surprise. Historically such tools as HKdoor, Htran and Derusbi also had Linux-version – says Silas Cutler, leading Chronicle reverse-engineer.

Discovered malware composes of two parts: rootkit that hides malware on infected host, and backdoor itself.

Further analysis of malware found similarity of initial codes of Linux-version and classic Winnti 2.0 for Windows that in details described experts from “Kaspersky laboratory” and Novetta company.

In addition, Windows– and Linux variations use similar methods for communication with management servers.

Read also: “GRO packet of death” vulnerability is found in Linux kernel

Trojan uses ICMP, HTTP protocols and own realizations as TCP and UDR to get additional modules from the control center. As note specialists, cybercriminals also able to directly connect to infected system, if Winnti command servers will not be available. Final functions of malware applications are defined by a set of plugins that can vary depending on aim.

Libxselinux.so rootkit is responsible for concealing Winnti’s actions on the infected machine. Program is an altered variant of Azazel utility that is available on GitHub. Script assigns letter codes to the main functions of the malware and modifies their response to requests in order to prevent the anti-virus scanners from triggering.

Winnti developers added in Azazel Decrypt2 operator that is applied for decrypt configuration files of libxselinux.so module. Moreover, malware authors included in utility code unique ports’ and processes’ identifiers that are involved by Trojan. Further, these names are used while processing of commands from control center.

Additionally, recently discovered malware has spare way to communicate with operators that allows hackers communicate with a backdoor directly, avoiding C&C servers.

Researches note that though Linux-malware is seldom met in the arsenal of governmental hackers and earlier was noted that American and Russian hacking groups do not ignore other platforms and have malware for such cases.

“An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemitry blindspot in many enterprises”, — conclude Chronicle specialist.

Source: https://medium.com