SYMBOLCOMMON_NAMEaka. SYNONYMS
win.winnti (Back to overview)

Winnti

aka: BleDoor, JUMPALL, RbDoor, Pasteboy

Actor(s): Axiom


There is no description at this point.

References
2022-10-25VMware Threat Analysis UnitTakahiro Haruyama
@techreport{haruyama:20221025:tracking:1f60260, author = {Takahiro Haruyama}, title = {{Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning}}, date = {2022-10-25}, institution = {VMware Threat Analysis Unit}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf}, language = {English}, urldate = {2022-11-01} } Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-09-19Virus BulletinTakahiro Haruyama
@techreport{haruyama:20220919:tracking:bffa146, author = {Takahiro Haruyama}, title = {{Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning}}, date = {2022-09-19}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf}, language = {English}, urldate = {2022-11-01} } Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning
ShadowPad Winnti
2022-05-12TEAMT5Leon Chang, Silvia Yeh
@techreport{chang:20220512:next:5fd8a83, author = {Leon Chang and Silvia Yeh}, title = {{The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)}}, date = {2022-05-12}, institution = {TEAMT5}, url = {https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf}, language = {English}, urldate = {2022-08-08} } The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu
2022-05-04CybereasonChen Erlich, Fusao Tanida, Ofir Ozer, Akihiro Tomita, Niv Yona, Daniel Frank, Assaf Dahan
@online{erlich:20220504:operation:0d23595, author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan}, title = {{Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques}}, date = {2022-05-04}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques}, language = {English}, urldate = {2022-05-09} } Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
PRIVATELOG Spyder STASHLOG Winnti
2022-05-04CybereasonChen Erlich, Fusao Tanida, Ofir Ozer, Akihiro Tomita, Niv Yona, Daniel Frank, Assaf Dahan
@online{erlich:20220504:operation:e40ec58, author = {Chen Erlich and Fusao Tanida and Ofir Ozer and Akihiro Tomita and Niv Yona and Daniel Frank and Assaf Dahan}, title = {{Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive}}, date = {2022-05-04}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive}, language = {English}, urldate = {2022-05-05} } Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
PRIVATELOG Spyder STASHLOG Winnti
2022-05-01BushidoTokenBushidoToken
@online{bushidotoken:20220501:gamer:0acfc22, author = {BushidoToken}, title = {{Gamer Cheater Hacker Spy}}, date = {2022-05-01}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html}, language = {English}, urldate = {2022-05-03} } Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti
2022-01-17Trend MicroJoseph Chen, Kenney Lu, Gloria Chen, Jaromír Hořejší, Daniel Lunghi, Cedric Pernet
@techreport{chen:20220117:delving:4cd2b1c, author = {Joseph Chen and Kenney Lu and Gloria Chen and Jaromír Hořejší and Daniel Lunghi and Cedric Pernet}, title = {{Delving Deep: An Analysis of Earth Lusca’s Operations}}, date = {2022-01-17}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf}, language = {English}, urldate = {2022-07-25} } Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca
2021-11-16vmwareTakahiro Haruyama
@online{haruyama:20211116:monitoring:e4ca54e, author = {Takahiro Haruyama}, title = {{Monitoring Winnti 4.0 C2 Servers for Two Years}}, date = {2021-11-16}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html}, language = {English}, urldate = {2021-11-17} } Monitoring Winnti 4.0 C2 Servers for Two Years
Winnti
2021-09-28Recorded FutureInsikt Group®
@online{group:20210928:4:069b441, author = {Insikt Group®}, title = {{4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan}}, date = {2021-09-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/}, language = {English}, urldate = {2021-10-11} } 4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti
2021-09-21Recorded FutureInsikt Group®
@techreport{group:20210921:chinalinked:8959683, author = {Insikt Group®}, title = {{China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware}}, date = {2021-09-21}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf}, language = {English}, urldate = {2021-10-11} } China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware
Winnti
2021-09-14McAfeeChristiaan Beek
@online{beek:20210914:operation:95aed8d, author = {Christiaan Beek}, title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}}, date = {2021-09-14}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/}, language = {English}, urldate = {2021-09-19} } Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti
2021-07-08YouTube (PT Product Update)Denis Kuvshinov
@online{kuvshinov:20210708:how:ea6d201, author = {Denis Kuvshinov}, title = {{How winnti APT grouping works}}, date = {2021-07-08}, organization = {YouTube (PT Product Update)}, url = {https://www.youtube.com/watch?v=_fstHQSK-kk}, language = {Russian}, urldate = {2021-09-20} } How winnti APT grouping works
Korlia ShadowPad Winnti
2021-07-08Recorded FutureInsikt Group®
@online{group:20210708:chinese:98d34d3, author = {Insikt Group®}, title = {{Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling}}, date = {2021-07-08}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/}, language = {English}, urldate = {2021-07-12} } Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
ShadowPad Spyder Winnti
2021-07-08PTSecurityDenis Kuvshinov
@techreport{kuvshinov:20210708:how:2e5a659, author = {Denis Kuvshinov}, title = {{How winnti APT grouping works}}, date = {2021-07-08}, institution = {PTSecurity}, url = {https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf}, language = {Russian}, urldate = {2021-09-20} } How winnti APT grouping works
Korlia ShadowPad Winnti
2021-04-29NTTThreat Detection NTT Ltd.
@techreport{ltd:20210429:operations:a7ad0d4, author = {Threat Detection NTT Ltd.}, title = {{The Operations of Winnti group}}, date = {2021-04-29}, institution = {NTT}, url = {https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf}, language = {English}, urldate = {2021-08-09} } The Operations of Winnti group
Cobalt Strike ShadowPad Spyder Winnti Earth Lusca
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-20FireEyeAndrew Davis
@online{davis:20210120:emulation:4061f1c, author = {Andrew Davis}, title = {{Emulation of Kernel Mode Rootkits With Speakeasy}}, date = {2021-01-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html}, language = {English}, urldate = {2021-01-25} } Emulation of Kernel Mode Rootkits With Speakeasy
Winnti
2020-12-24IronNetAdam Hlavek
@online{hlavek:20201224:china:723bed3, author = {Adam Hlavek}, title = {{China cyber attacks: the current threat landscape}}, date = {2020-12-24}, organization = {IronNet}, url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape}, language = {English}, urldate = {2021-01-01} } China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-12Malwarebytes LabsRoberto Santos, Hossein Jazi, Jérôme Segura, Malwarebytes Threat Intelligence Team
@techreport{santos:20201012:winnti:597eacc, author = {Roberto Santos and Hossein Jazi and Jérôme Segura and Malwarebytes Threat Intelligence Team}, title = {{Winnti APT group docks in Sri Lanka for new campaign}}, date = {2020-10-12}, institution = {Malwarebytes Labs}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf}, language = {English}, urldate = {2022-11-18} } Winnti APT group docks in Sri Lanka for new campaign
DBoxAgent SerialVlogger Winnti
2020-09-18SymantecThreat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-08-06WiredAndy Greenberg
@online{greenberg:20200806:chinese:32c43e3, author = {Andy Greenberg}, title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}}, date = {2020-08-06}, organization = {Wired}, url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/}, language = {English}, urldate = {2020-11-04} } Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Red Charon
2020-08-04BlackHatChung-Kuan Chen, Inndy Lin, Shang-De Jiang
@techreport{chen:20200804:operation:4cf417f, author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang}, title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}}, date = {2020-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf}, language = {English}, urldate = {2020-11-04} } Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Red Charon
2020-04-20QuoScientQuoIntelligence
@online{quointelligence:20200420:winnti:6a4fb66, author = {QuoIntelligence}, title = {{WINNTI GROUP: Insights From the Past}}, date = {2020-04-20}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/}, language = {English}, urldate = {2020-04-21} } WINNTI GROUP: Insights From the Past
Winnti
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-03-03GIthub (superkhung)superkhung
@online{superkhung:20200303:github:8ea37ed, author = {superkhung}, title = {{GitHub Repository: winnti-sniff}}, date = {2020-03-03}, organization = {GIthub (superkhung)}, url = {https://github.com/superkhung/winnti-sniff}, language = {English}, urldate = {2020-03-04} } GitHub Repository: winnti-sniff
Winnti
2020-02-20Carbon BlackTakahiro Haruyama
@online{haruyama:20200220:threat:aa4ef11, author = {Takahiro Haruyama}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)}}, date = {2020-02-20}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/}, language = {English}, urldate = {2020-02-21} } Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)
Winnti
2020-01-31TagesschauJan Lukas Strozyk
@online{strozyk:20200131:deutsches:d0a9221, author = {Jan Lukas Strozyk}, title = {{Deutsches Chemieunternehmen gehackt}}, date = {2020-01-31}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html}, language = {German}, urldate = {2020-02-03} } Deutsches Chemieunternehmen gehackt
Winnti
2020-01-31ESET ResearchMathieu Tartare
@online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} } Winnti Group targeting universities in Hong Kong
ShadowPad Winnti
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
2019-10CrowdStrikeKarl Scheuerman, Piotr Wojtyla
@online{scheuerman:201910:dont:11aa9dc, author = {Karl Scheuerman and Piotr Wojtyla}, title = {{Don't miss the forest for the trees gleaning hunting value from too much intrusion data}}, date = {2019-10}, organization = {CrowdStrike}, url = {https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html}, language = {English}, urldate = {2021-03-31} } Don't miss the forest for the trees gleaning hunting value from too much intrusion data
Winnti
2019-09-30LastlineJason Zhang, Stefano Ortolani
@online{zhang:20190930:helo:559ed11, author = {Jason Zhang and Stefano Ortolani}, title = {{HELO Winnti: Attack or Scan?}}, date = {2019-09-30}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/helo-winnti-attack-scan/}, language = {English}, urldate = {2019-10-23} } HELO Winnti: Attack or Scan?
Winnti
2019-09-23MITREMITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7, author = {MITRE ATT&CK}, title = {{APT41}}, date = {2019-09-23}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0096}, language = {English}, urldate = {2022-08-30} } APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-09-04CarbonBlackTakahiro Haruyama
@online{haruyama:20190904:cb:7c71995, author = {Takahiro Haruyama}, title = {{CB TAU Threat Intelligence Notification: Winnti Malware 4.0}}, date = {2019-09-04}, organization = {CarbonBlack}, url = {https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/}, language = {English}, urldate = {2019-12-17} } CB TAU Threat Intelligence Notification: Winnti Malware 4.0
Winnti
2019-09-04FireEyeFireEye
@online{fireeye:20190904:apt41:b5d6780, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/api/pdfproxy?id=86840}, language = {English}, urldate = {2020-01-13} } APT41: Double Dragon APT41, a dual espionage and cyber crime operation
EASYNIGHT Winnti
2019-08-09FireEyeFireEye
@online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } Double Dragon APT41, a dual espionage and cyber crime operation
CLASSFON crackshot CROSSWALK GEARSHIFT HIGHNOON HIGHNOON.BIN JUMPALL poisonplug Winnti
2019-07-24Github (br-data)Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:winnti:25b27fb, author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski}, title = {{Winnti analysis}}, date = {2019-07-24}, organization = {Github (br-data)}, url = {https://github.com/br-data/2019-winnti-analyse/}, language = {English}, urldate = {2019-12-10} } Winnti analysis
Winnti
2019-07-24Bayerischer RundfunkHakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer, Rebecca Ciesielski
@online{tanriverdi:20190724:attacking:66ef327, author = {Hakan Tanriverdi and Svea Eckert and Jan Strozyk and Maximilian Zierer and Rebecca Ciesielski}, title = {{Attacking the Heart of the German Industry}}, date = {2019-07-24}, organization = {Bayerischer Rundfunk}, url = {http://web.br.de/interaktiv/winnti/english/}, language = {English}, urldate = {2019-11-29} } Attacking the Heart of the German Industry
Winnti
2019-04-22Trend MicroMohamad Mokbel
@online{mokbel:20190422:cc:23b1202, author = {Mohamad Mokbel}, title = {{C/C++ Runtime Library Code Tampering in Supply Chain}}, date = {2019-04-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html}, language = {English}, urldate = {2021-09-19} } C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti
2018-10-01Macnica NetworksMacnica Networks
@techreport{networks:20181001:trends:17b1db5, author = {Macnica Networks}, title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}}, date = {2018-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-05-22Github (TKCERT)thyssenkrupp CERT
@online{cert:20180522:nmap:1ee2530, author = {thyssenkrupp CERT}, title = {{Nmap Script to scan for Winnti infections}}, date = {2018-05-22}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-nmap-script}, language = {English}, urldate = {2020-01-07} } Nmap Script to scan for Winnti infections
Winnti
2018-03-05Github (TKCERT)TKCERT
@online{tkcert:20180305:suricata:0b45f94, author = {TKCERT}, title = {{Suricata rules to detect Winnti communication}}, date = {2018-03-05}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-suricata-lua}, language = {English}, urldate = {2020-01-07} } Suricata rules to detect Winnti communication
Winnti
2017-04-19Trend MicroTrendmicro
@online{trendmicro:20170419:of:1656f97, author = {Trendmicro}, title = {{Of Pigs and Malware: Examining a Possible Member of the Winnti Group}}, date = {2017-04-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/}, language = {English}, urldate = {2019-12-04} } Of Pigs and Malware: Examining a Possible Member of the Winnti Group
Winnti
2017-03-22Trend MicroCedric Pernet
@online{pernet:20170322:winnti:bfd35bc, author = {Cedric Pernet}, title = {{Winnti Abuses GitHub for C&C Communications}}, date = {2017-03-22}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/}, language = {English}, urldate = {2019-07-09} } Winnti Abuses GitHub for C&C Communications
Winnti
2016-03-06Github (TKCERT)thyssenkrupp CERT
@online{cert:20160306:network:f9244d3, author = {thyssenkrupp CERT}, title = {{Network detector for Winnti malware}}, date = {2016-03-06}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-detector}, language = {English}, urldate = {2020-01-07} } Network detector for Winnti malware
Winnti
2015-06-22Kaspersky LabsDmitry Tarakanov
@online{tarakanov:20150622:games:aba8183, author = {Dmitry Tarakanov}, title = {{Games are over: Winnti is now targeting pharmaceutical companies}}, date = {2015-06-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/games-are-over/70991/}, language = {English}, urldate = {2019-12-20} } Games are over: Winnti is now targeting pharmaceutical companies
Winnti APT41
2015-04-06NovettaNovetta
@techreport{novetta:20150406:winnti:acc4030, author = {Novetta}, title = {{WINNTI ANALYSIS}}, date = {2015-04-06}, institution = {Novetta}, url = {https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf}, language = {English}, urldate = {2020-01-10} } WINNTI ANALYSIS
Winnti
2015RuxconMatt McCormack
@techreport{mccormack:2015:why:fa3d041, author = {Matt McCormack}, title = {{WHY ATTACKER TOOLSETS DO WHAT THEY DO}}, date = {2015}, institution = {Ruxcon}, url = {http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf}, language = {English}, urldate = {2020-01-08} } WHY ATTACKER TOOLSETS DO WHAT THEY DO
Winnti
2013-04Kaspersky LabsGReAT
@techreport{great:201304:winnti:c8e6f40, author = {GReAT}, title = {{Winnti - More than just a game}}, date = {2013-04}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf}, language = {English}, urldate = {2019-07-11} } Winnti - More than just a game
portless Winnti
Yara Rules
[TLP:WHITE] win_winnti_auto (20221125 | Detects win.winnti.)
rule win_winnti_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.winnti."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 8b4b44 8b5348 8b6b14 33ff 8d3401 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   8b4b44               | mov                 ecx, dword ptr [ebx + 0x44]
            //   8b5348               | mov                 edx, dword ptr [ebx + 0x48]
            //   8b6b14               | mov                 ebp, dword ptr [ebx + 0x14]
            //   33ff                 | xor                 edi, edi
            //   8d3401               | lea                 esi, [ecx + eax]

        $sequence_1 = { 50 ffd5 e9???????? 66397c241a 750f }
            // n = 5, score = 200
            //   50                   | push                eax
            //   ffd5                 | call                ebp
            //   e9????????           |                     
            //   66397c241a           | cmp                 word ptr [esp + 0x1a], di
            //   750f                 | jne                 0x11

        $sequence_2 = { 7706 397c2424 7679 a1???????? 85c0 7470 }
            // n = 6, score = 200
            //   7706                 | ja                  8
            //   397c2424             | cmp                 dword ptr [esp + 0x24], edi
            //   7679                 | jbe                 0x7b
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   7470                 | je                  0x72

        $sequence_3 = { 3bc3 0f8508010000 33c0 8bfd 83c9ff 89442410 }
            // n = 6, score = 200
            //   3bc3                 | cmp                 eax, ebx
            //   0f8508010000         | jne                 0x10e
            //   33c0                 | xor                 eax, eax
            //   8bfd                 | mov                 edi, ebp
            //   83c9ff               | or                  ecx, 0xffffffff
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        $sequence_4 = { 83ec10 56 57 6a00 6a01 8bf1 }
            // n = 6, score = 200
            //   83ec10               | sub                 esp, 0x10
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   8bf1                 | mov                 esi, ecx

        $sequence_5 = { 51 52 68???????? 8d84243c020000 6800020000 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   52                   | push                edx
            //   68????????           |                     
            //   8d84243c020000       | lea                 eax, [esp + 0x23c]
            //   6800020000           | push                0x200

        $sequence_6 = { 56 8bf1 8b4624 85c0 740e }
            // n = 5, score = 200
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8b4624               | mov                 eax, dword ptr [esi + 0x24]
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10

        $sequence_7 = { ffd5 8b44241c 3d08020000 7387 3bc7 }
            // n = 5, score = 200
            //   ffd5                 | call                ebp
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   3d08020000           | cmp                 eax, 0x208
            //   7387                 | jae                 0xffffff89
            //   3bc7                 | cmp                 eax, edi

        $sequence_8 = { 8943f8 8b42f4 8943fc 8b42f8 8903 }
            // n = 5, score = 100
            //   8943f8               | je                  0x79
            //   8b42f4               | nop                 
            //   8943fc               | dec                 eax
            //   8b42f8               | lea                 ecx, [0x8262]
            //   8903                 | dec                 eax

        $sequence_9 = { 7525 488bc8 ff15???????? 488bc8 }
            // n = 4, score = 100
            //   7525                 | mov                 ebx, dword ptr [esp + 0x50]
            //   488bc8               | mov                 eax, 0xfffffffe
            //   ff15????????         |                     
            //   488bc8               | inc                 ecx

        $sequence_10 = { 418800 4180fa0f 0f8625feffff 41800801 e9???????? 488b742428 }
            // n = 6, score = 100
            //   418800               | mov                 eax, 0x28
            //   4180fa0f             | dec                 eax
            //   0f8625feffff         | mov                 edi, dword ptr [esp + 0x58]
            //   41800801             | mov                 dword ptr [ebx + 0x14], 0xfffffffe
            //   e9????????           |                     
            //   488b742428           | mov                 eax, 0xfffffffe

        $sequence_11 = { b801000080 0fa2 f7c200001020 895c2404 488b5c2420 }
            // n = 5, score = 100
            //   b801000080           | mov                 byte ptr [eax], al
            //   0fa2                 | inc                 ecx
            //   f7c200001020         | cmp                 dl, 0xf
            //   895c2404             | jbe                 0xfffffe2f
            //   488b5c2420           | inc                 ecx

        $sequence_12 = { 498bd4 488bcd e8???????? 85c0 751a 488d1500720000 41b810200100 }
            // n = 7, score = 100
            //   498bd4               | dec                 ebp
            //   488bcd               | lea                 esp, [ebp + 0x40]
            //   e8????????           |                     
            //   85c0                 | dec                 ebp
            //   751a                 | test                esp, esp
            //   488d1500720000       | dec                 ecx
            //   41b810200100         | mov                 ebp, esp

        $sequence_13 = { 75d2 488b4e50 e8???????? 4c396e58 }
            // n = 4, score = 100
            //   75d2                 | add                 esp, 0x20
            //   488b4e50             | inc                 ecx
            //   e8????????           |                     
            //   4c396e58             | pop                 edi

        $sequence_14 = { 488bda 8bf9 0f858a000000 488bca e8???????? 488d1578c50a00 }
            // n = 6, score = 100
            //   488bda               | jne                 0x37
            //   8bf9                 | inc                 ecx
            //   0f858a000000         | cmp                 ecx, 0x30
            //   488bca               | jne                 0x31
            //   e8????????           |                     
            //   488d1578c50a00       | dec                 esp

        $sequence_15 = { 4889442468 0fb68540050000 4c8d1d27390000 4c8d442430 48894588 498b4640 }
            // n = 6, score = 100
            //   4889442468           | lea                 eax, [ebx + 0x18]
            //   0fb68540050000       | dec                 eax
            //   4c8d1d27390000       | lea                 edx, [ebx + 0x20]
            //   4c8d442430           | dec                 eax
            //   48894588             | mov                 ecx, ebp
            //   498b4640             | mov                 eax, 0x80000001

        $sequence_16 = { 7423 488d78f8 4c8d0da8e9ffff 448b07 ba38000000 488bc8 }
            // n = 6, score = 100
            //   7423                 | test                eax, eax
            //   488d78f8             | dec                 eax
            //   4c8d0da8e9ffff       | mov                 dword ptr [ebp + 0x10f0], eax
            //   448b07               | je                  0xf5
            //   ba38000000           | dec                 eax
            //   488bc8               | mov                 ecx, eax

        $sequence_17 = { 488d0d62820000 e8???????? 4883c438 c3 4d85c0 }
            // n = 5, score = 100
            //   488d0d62820000       | dec                 eax
            //   e8????????           |                     
            //   4883c438             | mov                 eax, dword ptr [ebp + 8]
            //   c3                   | inc                 ecx
            //   4d85c0               | mov                 ah, 1

        $sequence_18 = { 41b828000000 e8???????? 488b7c2458 c74314feffffff b8feffffff 4883c430 }
            // n = 6, score = 100
            //   41b828000000         | dec                 eax
            //   e8????????           |                     
            //   488b7c2458           | mov                 ebx, dword ptr [esp + 0x88]
            //   c74314feffffff       | dec                 ecx
            //   b8feffffff           | cmp                 eax, edx
            //   4883c430             | je                  0xa

        $sequence_19 = { 0fb610 488d4001 84c9 7404 3aca }
            // n = 5, score = 100
            //   0fb610               | xor                 eax, eax
            //   488d4001             | dec                 eax
            //   84c9                 | mov                 esi, dword ptr [esp + 0x78]
            //   7404                 | dec                 eax
            //   3aca                 | mov                 ebx, dword ptr [esp + 0x70]

        $sequence_20 = { 33d2 e8???????? 8bc7 ebc0 b8feffffff 488b9c2488000000 }
            // n = 6, score = 100
            //   33d2                 | dec                 esp
            //   e8????????           |                     
            //   8bc7                 | lea                 ebx, [esp + 0x50]
            //   ebc0                 | dec                 ecx
            //   b8feffffff           | mov                 ebp, dword ptr [ebx + 0x30]
            //   488b9c2488000000     | jne                 0xffffffd4

        $sequence_21 = { 48895c2430 488b06 48833c0700 742a 488b0c07 4885c9 }
            // n = 6, score = 100
            //   48895c2430           | cmp                 dword ptr [ecx + 0x30], -1
            //   488b06               | jne                 0x15
            //   48833c0700           | jbe                 8
            //   742a                 | add                 dword ptr [edi + 0x28], -1
            //   488b0c07             | jmp                 0x49
            //   4885c9               | mov                 dword ptr [edi], 0x18900916

        $sequence_22 = { 488d0d34b30a00 483bd9 723e 488d05b8b60a00 483bd8 }
            // n = 5, score = 100
            //   488d0d34b30a00       | cpuid               
            //   483bd9               | test                edx, 0x20100000
            //   723e                 | mov                 dword ptr [esp + 4], ebx
            //   488d05b8b60a00       | dec                 eax
            //   483bd8               | mov                 ebx, dword ptr [esp + 0x20]

        $sequence_23 = { 39a98c000000 7f58 448d6c2d04 4963cd 48c1e103 }
            // n = 5, score = 100
            //   39a98c000000         | add                 esp, 0x38
            //   7f58                 | ret                 
            //   448d6c2d04           | dec                 ebp
            //   4963cd               | test                eax, eax
            //   48c1e103             | dec                 eax

    condition:
        7 of them and filesize < 1581056
}
[TLP:WHITE] win_winnti_w0   (20190822 | rules used for retrohunting by BR Data.)
rule win_winnti_w0 {
    meta:
        author = "BR Data"
        source = "https://github.com/br-data/2019-winnti-analyse/"
        date = "2019-07-24"
        description = "rules used for retrohunting by BR Data."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20190822"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $load_magic = { C7 44 ?? ?? FF D8 FF E0 }
        $iter = { E9 EA EB EC ED EE EF F0 }
        $jpeg = { FF D8 FF E0 00 00 00 00 00 00 }

    condition:
        uint16(0) == 0x5a4d and
        $jpeg and
        ($load_magic or $iter in (@jpeg[1]..@jpeg[1]+200)) and
        for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 )
}
[TLP:WHITE] win_winnti_w1   (20190822 | rules used for retrohunting by BR Data.)
rule win_winnti_w1 {
    meta:
        author = "BR Data"
        source = "https://github.com/br-data/2019-winnti-analyse/"
        date = "2019-07-24"
        description = "rules used for retrohunting by BR Data."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20190822"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $cooper = "Cooper"
        $pattern = { e9 ea eb ec ed ee ef f0}
    condition:
        uint16(0) == 0x5a4d and $cooper and ($pattern in (@cooper[1]..@cooper[1]+100))
}
[TLP:WHITE] win_winnti_w2   (20191207 | No description)
rule win_winnti_w2 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $e1 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase
        $e2 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase
        $e3 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase
        $e4 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
        $e5 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase
    condition:
        (any of ($e*))
}
[TLP:WHITE] win_winnti_w3   (20191207 | No description)
rule win_winnti_w3 {
    meta:
        author = "Bundesamt fuer Verfassungsschutz"
        source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
        malpedia_version = "20191207"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $a1 = "IPSecMiniPort" wide fullword
        $a2 = "ndis6fw" wide fullword
        $a3 = "TCPIP" wide fullword
        $a4 = "NDIS.SYS" ascii fullword
        $a5 = "ntoskrnl.exe" ascii fullword
        $a6 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
        $a7 = "\\Device\\Null" wide
        $a8 = "\\Device" wide
        $a9 = "\\Driver" wide
        $b1 = { 66 81 7? ?? 70 17 }
        $b2 = { 81 7? ?? 07 E0 15 00 }
        $b3 = { 8B 46 18 3D 03 60 15 00 }
    condition:
        (6 of ($a*)) and (2 of ($b*))
}
Download all Yara Rules