Axiom

aka: Winnti Group, Tailgater Team, Group 72, Group72, Tailgater, Ragebeast, Blackfly, Lead, Wicked Spider, APT17, APT 17, Dogfish, Deputy Dog, Wicked Panda, Barium

The Winnti grouping of activity is large and may be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The group's objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'


Associated Families
osx.winnti win.derusbi win.highnote win.shadowpad win.winnti

References
https://401trg.pw/an-update-on-winnti/
http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/
http://web.br.de/interaktiv/winnti/english/
http://williamshowalter.com/a-universal-windows-bootkit/
http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070
http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf
https://401trg.com/burning-umbrella/
https://401trg.pw/winnti-evolution-going-open-source/
https://attack.mitre.org/groups/G0044/
https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/
https://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html
https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf
https://content.fireeye.com/api/pdfproxy?id=86840
https://content.fireeye.com/apt-41/rpt-apt41/
https://github.com/TKCERT/winnti-detector
https://github.com/TKCERT/winnti-nmap-script
https://github.com/TKCERT/winnti-suricata-lua
https://github.com/br-data/2019-winnti-analyse/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
https://securelist.com/games-are-over/70991/
https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
https://securelist.com/shadowpad-in-corporate-networks/81432/
https://securelist.com/winnti-faq-more-than-just-a-game/57585/
https://securelist.com/winnti-more-than-just-a-game/37029/
https://twitter.com/bkMSFT/status/1153994428949749761
https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/
https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/
https://www.cfr.org/interactive/cyber-operations/axiom
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/
https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004
https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341
https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/
https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
https://www.protectwise.com/blog/winnti-evolution-going-open-source.html
https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf
https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/
https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf
https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/

Credits: MISP Project