ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Tool: Winnti

Names: Winnti, BleDoor, RbDoor, RibDoor
Category: Malware
Type: Reconnaissance, Rootkit, Backdoor, Downloader, Tunneling, Info stealer, Exfiltration
Description: (Kaspersky) So what does PlusDLL control? It turns out that the target functionality is implemented in different files. Each file provides a specific remote control feature and is downloaded from the attackers’ server every time the system starts up. These files are not saved on disk or in the registry but are loaded directly into the memory.

At the very start of the operation, after launching the driver, PlusDLL collects information about the infected system. A unique identifier for the infected computer is generated based on information about the hard drive and the network adapter’s MAC address, e.g., TKVFP-XZTTL-KXFWH-RBJLF-FXWJR. The attackers are interested primarily in the computer’s name, the program which loaded the malicious library, as well as information about remote desktop sessions (session name, client name, user name and session time). All of this data is collected in a buffer, which is then compressed and sent to the attackers’ control center.

In reply to this initial message from the bot, the control center sends the list of available plugins. Plugins are DLL libraries that provide specific remote control functions. Upon receiving the list of plugins, the bot downloads them, allocates them in the memory and passes control to these libraries.

Also see HighNoon, which seems to be a variant of Winnti.
Information:
<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf>
<https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf>
<https://github.com/TKCERT/winnti-suricata-lua>
<https://github.com/TKCERT/winnti-nmap-script>
<https://github.com/TKCERT/winnti-detector>
<https://www.protectwise.com/blog/winnti-evolution-going-open-source.html>
<http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/>
<http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/>
<https://securelist.com/games-are-over/70991/>
<https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf>
<https://blogs.blackberry.com/en/2020/04/decade-of-the-rats>
MITRE ATT&CK: <https://attack.mitre.org/software/S0141/>
Malpedia:
<https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti>
<https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti>
<https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:winnti>

Last change to this tool card: 14 May 2020

All groups using tool Winnti

Changed | Name | Country | Observed

APT groups

 | APT 41 | China | 2012-Aug 2024 HOT X
 | Axiom, Group 72 | China | 2008-2008/2014
 | Barium | China | 2016-Nov 2017 X
 | Earth Lusca | China | 2019-Sep 2024 HOT
 | Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | China | 2010-Late 2022
 | Lead | China | 2016
 | Operation Harvest | China | 2016
 | PassCV | China | 2016
 | RedHotel, TAG-22 | China | 2021
 | TAG-28 | China | 2021
 | Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens | China | 2010-Oct 2018 X
 | Winnti Group, Wicked Panda | China | 2010-Mar 2021

12 groups listed (12 APT, 0 other, 0 unknown)
