SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.winnti (Back to overview)

Winnti

Actor(s): Winnti Umbrella


There is no description at this point.

References
2020-06-16IntezerAviygayil Mechtinger
@online{mechtinger:20200616:elf:7057d58, author = {Aviygayil Mechtinger}, title = {{ELF Malware Analysis 101: Linux Threats No Longer an Afterthought}}, date = {2020-06-16}, organization = {Intezer}, url = {https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought}, language = {English}, urldate = {2020-06-16} } ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2019-05-15ChronicleSilas Cutler, Juan Andrés Guerrero-Saade
@online{cutler:20190515:winnti:269a852, author = {Silas Cutler and Juan Andrés Guerrero-Saade}, title = {{Winnti: More than just Windows and Gates}}, date = {2019-05-15}, organization = {Chronicle}, url = {https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a}, language = {English}, urldate = {2019-10-14} } Winnti: More than just Windows and Gates
Winnti Axiom
Yara Rules
[TLP:WHITE] elf_winnti_w0 (20190518 | No description)
rule elf_winnti_w0 {
    meta:
        desc = "Detection of Linux variant of Winnti (main backdoor)"
        author = "Silas Cutler (havex [@] chronicle.security), Chronicle Security"
        version = "1.0"
        date = "2019-05-15"
        TLP = "White"
        sha256 = "ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti"
        malpedia_version = "20190518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $uuid_lookup = "/usr/sbin/dmidecode  | grep -i 'UUID' |cut -d' ' -f2 2>/dev/null"
        $dbg_msg = "[advNetSrv] can not create a PF_INET socket"
        $rtti_name1 = "CNetBase"
        $rtti_name2 = "CMyEngineNetEvent"
        $rtti_name3 = "CBufferCache"
        $rtti_name4 = "CSocks5Base"
        $rtti_name5 = "CDataEngine"
        $rtti_name6 = "CSocks5Mgr"
        $rtti_name7 = "CRemoteMsg"

    condition:
        ($dbg_msg and 1 of ($rtti*)) or (5 of ($rtti*)) or ($uuid_lookup and 2 of ($rtti*))
}
[TLP:WHITE] elf_winnti_w1 (20190518 | No description)
rule elf_winnti_w1 {
    meta:
        desc = "Detection of Linux variant of Winnti (azazel_fork)"
        author = "Silas Cutler (havex [@] chronicle.security), Chronicle Security"
        version = "1.0"
        date = "2019-05-15"
        TLP = "White"
        sha256 = "4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti"
        malpedia_version = "20190518"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $config_decr = { 48 89 45 F0 C7 45 EC 08 01 00 00 C7 45 FC 28 00 00 00 EB 31 8B 45 FC 48 63 D0 48 8B 45 F0 48 01 C2 8B 45 FC 48 63 C8 48 8B 45 F0 48 01 C8 0F B6 00 89 C1 8B 45 F8 89 C6 8B 45 FC 01 F0 31 C8 88 02 83 45 FC 01 }
        $export1 = "our_sockets"
        $export2 = "get_our_pids" 
    condition:
        all of them    
}
Download all Yara Rules