SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.winnti (Back to overview)

Winnti

Actor(s): Winnti Umbrella


There is no description at this point.

References
2023-08-07Recorded FutureInsikt Group
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca
2023-08-03AhnLabASEC
Reptile Malware Targeting Linux Systems
Melofee reptile Winnti
2023-03-28ExaTrackExaTrack
Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
HelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY
2020-06-16IntezerAviygayil Mechtinger
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti
2020-01-01SecureworksSecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2019-09-23MITREMITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-05-15ChronicleJuan Andrés Guerrero-Saade, Silas Cutler
Winnti: More than just Windows and Gates
Winnti APT41
Yara Rules
[TLP:WHITE] elf_winnti_w0 (20190518 | No description)
rule elf_winnti_w0 {
    meta:
        desc = "Detection of Linux variant of Winnti (main backdoor)"
        author = "Silas Cutler (havex [@] chronicle.security), Chronicle Security"
        version = "1.0"
        date = "2019-05-15"
        TLP = "White"
        sha256 = "ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti"
        malpedia_version = "20190518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $uuid_lookup = "/usr/sbin/dmidecode  | grep -i 'UUID' |cut -d' ' -f2 2>/dev/null"
        $dbg_msg = "[advNetSrv] can not create a PF_INET socket"
        $rtti_name1 = "CNetBase"
        $rtti_name2 = "CMyEngineNetEvent"
        $rtti_name3 = "CBufferCache"
        $rtti_name4 = "CSocks5Base"
        $rtti_name5 = "CDataEngine"
        $rtti_name6 = "CSocks5Mgr"
        $rtti_name7 = "CRemoteMsg"

    condition:
        ($dbg_msg and 1 of ($rtti*)) or (5 of ($rtti*)) or ($uuid_lookup and 2 of ($rtti*))
}
[TLP:WHITE] elf_winnti_w1 (20190518 | No description)
rule elf_winnti_w1 {
    meta:
        desc = "Detection of Linux variant of Winnti (azazel_fork)"
        author = "Silas Cutler (havex [@] chronicle.security), Chronicle Security"
        version = "1.0"
        date = "2019-05-15"
        TLP = "White"
        sha256 = "4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti"
        malpedia_version = "20190518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $config_decr = { 48 89 45 F0 C7 45 EC 08 01 00 00 C7 45 FC 28 00 00 00 EB 31 8B 45 FC 48 63 D0 48 8B 45 F0 48 01 C2 8B 45 FC 48 63 C8 48 8B 45 F0 48 01 C8 0F B6 00 89 C1 8B 45 F8 89 C6 8B 45 FC 01 F0 31 C8 88 02 83 45 FC 01 }
        $export1 = "our_sockets"
        $export2 = "get_our_pids" 
    condition:
        all of them    
}
Download all Yara Rules