SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.winnti (Back to overview)

Winnti

Actor(s): Winnti Umbrella

There is no description at this point.

References
2023-08-07Recorded FutureInsikt Group
@techreport{group:20230807:redhotel:ee4dd20, author = {Insikt Group}, title = {{RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale}}, date = {2023-08-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf}, language = {English}, urldate = {2023-08-09} } RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder
2023-08-03AhnLabASEC
@online{asec:20230803:reptile:ee853ee, author = {ASEC}, title = {{Reptile Malware Targeting Linux Systems}}, date = {2023-08-03}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/55785/}, language = {English}, urldate = {2023-08-07} } Reptile Malware Targeting Linux Systems
Melofee reptile Winnti
2023-03-28ExaTrackExaTrack
@online{exatrack:20230328:mlofe:6ca8f29, author = {ExaTrack}, title = {{Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts}}, date = {2023-03-28}, organization = {ExaTrack}, url = {https://blog.exatrack.com/melofee/}, language = {English}, urldate = {2023-03-29} } Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
HelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY
2020-06-16IntezerAviygayil Mechtinger
@online{mechtinger:20200616:elf:7057d58, author = {Aviygayil Mechtinger}, title = {{ELF Malware Analysis 101: Linux Threats No Longer an Afterthought}}, date = {2020-06-16}, organization = {Intezer}, url = {https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought}, language = {English}, urldate = {2020-06-16} } ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2019-09-23MITREMITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7, author = {MITRE ATT&CK}, title = {{APT41}}, date = {2019-09-23}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0096}, language = {English}, urldate = {2022-08-30} } APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-05-15ChronicleSilas Cutler, Juan Andrés Guerrero-Saade
@online{cutler:20190515:winnti:269a852, author = {Silas Cutler and Juan Andrés Guerrero-Saade}, title = {{Winnti: More than just Windows and Gates}}, date = {2019-05-15}, organization = {Chronicle}, url = {https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a}, language = {English}, urldate = {2019-10-14} } Winnti: More than just Windows and Gates
Winnti APT41
Yara Rules
[TLP:WHITE] elf_winnti_w0 (20190518 | No description)
rule elf_winnti_w0 {
    meta:
        desc = "Detection of Linux variant of Winnti (main backdoor)"
        author = "Silas Cutler (havex [@] chronicle.security), Chronicle Security"
        version = "1.0"
        date = "2019-05-15"
        TLP = "White"
        sha256 = "ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti"
        malpedia_version = "20190518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $uuid_lookup = "/usr/sbin/dmidecode  | grep -i 'UUID' |cut -d' ' -f2 2>/dev/null"
        $dbg_msg = "[advNetSrv] can not create a PF_INET socket"
        $rtti_name1 = "CNetBase"
        $rtti_name2 = "CMyEngineNetEvent"
        $rtti_name3 = "CBufferCache"
        $rtti_name4 = "CSocks5Base"
        $rtti_name5 = "CDataEngine"
        $rtti_name6 = "CSocks5Mgr"
        $rtti_name7 = "CRemoteMsg"

    condition:
        ($dbg_msg and 1 of ($rtti*)) or (5 of ($rtti*)) or ($uuid_lookup and 2 of ($rtti*))
}
[TLP:WHITE] elf_winnti_w1 (20190518 | No description)
rule elf_winnti_w1 {
    meta:
        desc = "Detection of Linux variant of Winnti (azazel_fork)"
        author = "Silas Cutler (havex [@] chronicle.security), Chronicle Security"
        version = "1.0"
        date = "2019-05-15"
        TLP = "White"
        sha256 = "4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti"
        malpedia_version = "20190518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $config_decr = { 48 89 45 F0 C7 45 EC 08 01 00 00 C7 45 FC 28 00 00 00 EB 31 8B 45 FC 48 63 D0 48 8B 45 F0 48 01 C2 8B 45 FC 48 63 C8 48 8B 45 F0 48 01 C8 0F B6 00 89 C1 8B 45 F8 89 C6 8B 45 FC 01 F0 31 C8 88 02 83 45 FC 01 }
        $export1 = "our_sockets"
        $export2 = "get_our_pids" 
    condition:
        all of them    
}
Download all Yara Rules