| Field | Value |
|---|---|
| Names | Winnti, BleDoor, RbDoor, RibDoor |
| Category | Malware |
| Type | Reconnaissance, Rootkit, Backdoor, Downloader, Tunneling, Info stealer, Exfiltration |
| Description | (Kaspersky) So what does PlusDLL control? It turns out that the target functionality is implemented in different files. Each file provides a specific remote control feature and is downloaded from the attackers’ server every time the system starts up. These files are not saved on disk or in the registry but are loaded directly into the memory. At the very start of the operation, after launching the driver, PlusDLL collects information about the infected system. A unique identifier for the infected computer is generated based on information about the hard drive and the network adapter’s MAC address, e.g., TKVFP-XZTTL-KXFWH-RBJLF-FXWJR. The attackers are interested primarily in the computer’s name, the program which loaded the malicious library, as well as information about remote desktop sessions (session name, client name, user name and session time). All of this data is collected in a buffer, which is then compressed and sent to the attackers’ control center. In reply to this initial message from the bot, the control center sends the list of available plugins. Plugins are DLL libraries that provide specific remote control functions. Upon receiving the list of plugins, the bot downloads them, allocates them in the memory and passes control to these libraries. Also see HighNoon, which seems to be a variant of Winnti. |
| Information | <https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf> <https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf> <https://github.com/TKCERT/winnti-suricata-lua> <https://github.com/TKCERT/winnti-nmap-script> <https://github.com/TKCERT/winnti-detector> <https://www.protectwise.com/blog/winnti-evolution-going-open-source.html> <http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/> <http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/> <https://securelist.com/games-are-over/70991/> <https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf> <https://blogs.blackberry.com/en/2020/04/decade-of-the-rats> |
| MITRE ATT&CK | <https://attack.mitre.org/software/S0141/> |
| Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti> <https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti> <https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti> |
| AlienVault OTX | <https://otx.alienvault.com/browse/pulses?q=tag:winnti> |
Last change to this tool card: 14 May 2020
| Changed | Name | Country | Observed |
|---|---|---|---|
| | APT groups | | |
| | APT 41 | | 2012-Aug 2024 |
| | Axiom, Group 72 | | 2008-2008/2014 |
| | Barium | | 2016-Nov 2017 |
| | Earth Lusca | | 2019-Sep 2024 |
| | Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | | 2010-Late 2022 |
| | Lead | | 2016 |
| | Operation Harvest | | 2016 |
| | PassCV | | 2016 |
| | RedHotel, TAG-22 | | 2021 |
| | TAG-28 | | 2021 |
| | Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens | | 2010-Oct 2018 |
| | Winnti Group, Wicked Panda | | 2010-Mar 2021 |
12 groups listed (12 APT, 0 other, 0 unknown)