Winnti
Description
(Kaspersky) So what does PlusDLL control? It turns out that the target functionality is implemented in different files. Each file provides a specific remote control feature and is downloaded from the attackers' server every time the system starts up. These files are not saved on disk or in the registry but are loaded directly into memory.
At the very start of the operation, after launching the driver, PlusDLL collects information about the infected system. A unique identifier for the infected computer is generated based on information about the hard drive and the network adapter's MAC address, e.g. TKVFP-XZTTL-KXFWH-RBJLF-FXWJR. The attackers are interested primarily in the computer's name, the program that loaded the malicious library, and information about remote desktop sessions (session name, client name, user name and session time). All of this data is collected in a buffer, which is then compressed and sent to the attackers' control center.
In reply to this initial message from the bot, the control center sends the list of available plugins. Plugins are DLL libraries that provide specific remote control functions. Upon receiving the list of plugins, the bot downloads them, allocates them in memory and passes control to these libraries.
Also see HighNoon, which seems to be a variant of Winnti.
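The check-in described above matters for detection: the host identifier (five groups of five uppercase letters, as in the example on this page) is compressed together with the host details before it leaves the machine, so a plaintext signature on the raw beacon never sees it. The following Python helper is an added example, not code from the Kaspersky report, the TKCERT detectors or the Winnti implant itself. It inflates a captured beacon body and only then searches for the identifier format. The use of zlib/DEFLATE and the layout of the sample buffer are assumptions for illustration; the page names neither the compression scheme nor the wire format.

```python
"""Triage helper for a captured Winnti-style initial check-in (added example).

Assumptions (not stated on the page): the compressed buffer is zlib-wrapped or
raw DEFLATE, and the plaintext carries the host ID as an ASCII token.  The
sample beacon below is constructed for the demonstration.
"""
import re
import zlib

# Five groups of five uppercase letters, e.g. TKVFP-XZTTL-KXFWH-RBJLF-FXWJR.
HOST_ID_RE = re.compile(rb"\b[A-Z]{5}(?:-[A-Z]{5}){4}\b")


def inflate_candidates(buf: bytes) -> list[bytes]:
    """Return the raw buffer plus every inflation that succeeds.

    Tries a zlib-wrapped stream and a raw DEFLATE stream; either may fail
    silently if the bot used a different codec, in which case only the raw
    buffer is scanned.
    """
    out = [buf]
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            out.append(zlib.decompress(buf, wbits))
        except zlib.error:
            pass
    return out


def find_host_ids(buf: bytes) -> list[str]:
    """Scan the raw beacon and its inflated forms for host identifiers."""
    ids: list[str] = []
    for data in inflate_candidates(buf):
        for match in HOST_ID_RE.findall(data):
            token = match.decode("ascii")
            if token not in ids:
                ids.append(token)
    return ids


def raw_match_count(buf: bytes) -> int:
    """How many identifiers a naive plaintext scan of the raw bytes finds."""
    return len(HOST_ID_RE.findall(buf))


def build_sample_beacon() -> bytes:
    """CONSTRUCTED sample: an initial check-in body, compressed with zlib.

    The fields mirror what the page says the bot collects (host ID, computer
    name, loading program, RDP session details); the key=value layout is
    invented for the example.
    """
    plain = (
        b"id=TKVFP-XZTTL-KXFWH-RBJLF-FXWJR\n"
        b"host=WS-FINANCE-07\n"
        b"loader=svchost.exe\n"
        b"rdp=Console;-;jdoe;00:42:11\n"
    )
    return zlib.compress(plain)


if __name__ == "__main__":
    beacon = build_sample_beacon()
    print("raw scan hits:", raw_match_count(beacon))
    print("after inflating:", find_host_ids(beacon))
```

Run stand-alone, the raw scan reports zero hits while the inflated scan recovers the identifier, which is the point: any rule keyed on the host ID must sit behind a decompression step (or behind a TLS/HTTP body decoder that performs it), otherwise the compressed beacon passes untouched.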
Names
| Name |
|---|
| Winnti |
| BleDoor |
| RbDoor |
| RibDoor |
Category
Malware
Type
- Reconnaissance
- Rootkit
- Backdoor
- Downloader
- Tunneling
- Info stealer
- Exfiltration
Information
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf
- https://github.com/TKCERT/winnti-suricata-lua
- https://github.com/TKCERT/winnti-nmap-script
- https://github.com/TKCERT/winnti-detector
- https://www.protectwise.com/blog/winnti-evolution-going-open-source.html
- http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/
- http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/
- https://securelist.com/games-are-over/70991/
- https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
- https://blogs.blackberry.com/en/2020/04/decade-of-the-rats
MITRE ATT&CK
Malpedia
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti
- https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti
AlienVault OTX
Other Information
UUID
9b25ce20-0707-4676-9b8e-b60a7d794bed
Last Card Change
2020-05-14