Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Winnti Group
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Winnti Group
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.(Citation: 401 TRG Winnti Umbrella May 2018)
ID: G0044
Associated Groups: Blackfly
Version: 1.2
Created: 31 May 2017
Last Modified: 15 Apr 2022

Associated Group Descriptions
Name Description
Blackfly (Citation: Symantec Suckfly March 2016)

Techniques Used
Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Winnti Group has registered domains for C2 that mimicked sites of their intended targets.(Citation: Kaspersky Winnti April 2013)
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Winnti Group used stolen certificates to sign its malware.(Citation: Kaspersky Winnti April 2013)

Software
ID Name References Techniques
S0013 PlugX (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Kaspersky Winnti April 2013) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: Thoper) (Citation: TVT) Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information
S0501 PipeMon (Citation: ESET PipeMon May 2020) Create Process with Token, System Information Discovery, Modify Registry, Obfuscated Files or Information, Ingress Tool Transfer, Dynamic-link Library Injection, Print Processors, Non-Application Layer Protocol, Bypass User Account Control, Process Discovery, System Time Discovery, Symmetric Cryptography, Parent PID Spoofing, Deobfuscate/Decode Files or Information, Native API, Windows Service, Code Signing, Fallback Channels, Match Legitimate Name or Location, System Network Configuration Discovery, Security Software Discovery, Shared Modules
S0141 Winnti for Windows (Citation: 401 TRG Winnti Umbrella May 2018) (Citation: Chronicle Winnti for Linux May 2019) (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Microsoft Winnti Jan 2017) (Citation: Novetta Winnti April 2015) Native API, Windows Service, Symmetric Cryptography, File and Directory Discovery, External Proxy, Non-Application Layer Protocol, Process Discovery, Registry Run Keys / Startup Folder, Internal Proxy, Rundll32, Bypass User Account Control, System Information Discovery, Service Execution, Ingress Tool Transfer, File Deletion, Timestomp, Obfuscated Files or Information, Deobfuscate/Decode Files or Information, Web Protocols, Match Legitimate Name or Location, Environmental Keying

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  2. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  3. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
  4. DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
  5. Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.
  6. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.