
Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.(Citation: 401 TRG Winnti Umbrella May 2018)
ID: G0044
Associated Groups: Blackfly
Version: 1.2
Created: 31 May 2017
Last Modified: 16 Apr 2025

Associated Group Descriptions

Name: Blackfly
Description: (Citation: Symantec Suckfly March 2016)

Techniques Used

Domain: Enterprise
ID: T1583.001
Name: Acquire Infrastructure: Domains
Use: Winnti Group has registered domains for C2 that mimicked sites of their intended targets.(Citation: Kaspersky Winnti April 2013)

Domain: Enterprise
ID: T1553.002
Name: Subvert Trust Controls: Code Signing
Use: Winnti Group used stolen certificates to sign its malware.(Citation: Kaspersky Winnti April 2013)

Software

ID Name References Techniques
S0013 PlugX (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Kaspersky Winnti April 2013) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: TVT) (Citation: Thoper) Screen Capture, Keylogging, DNS, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Checks, DLL, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, Disable or Modify System Firewall, Modify Registry, File and Directory Discovery, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Multiband Communication, Registry Run Keys / Startup Folder, Non-Standard Port, Obfuscated Files or Information, Non-Application Layer Protocol, Query Registry, MSBuild, Windows Command Shell, Web Protocols, DLL Side-Loading, Ingress Tool Transfer, Hidden Files and Directories, Custom Command and Control Protocol, Dead Drop Resolver, Commonly Used Port
S0501 PipeMon (Citation: ESET PipeMon May 2020) Fileless Storage, Shared Modules, Encrypted/Encoded File, Bypass User Account Control, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, Print Processors, Code Signing, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Modify Registry, Create Process with Token, System Network Configuration Discovery, Process Discovery, Parent PID Spoofing, Non-Application Layer Protocol, Security Software Discovery, Ingress Tool Transfer, Fallback Channels, System Time Discovery, Dynamic-link Library Injection
S0141 Winnti for Windows (Citation: 401 TRG Winnti Umbrella May 2018) (Citation: Chronicle Winnti for Linux May 2019) (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Microsoft Winnti Jan 2017) (Citation: Novetta Winnti April 2015) Rundll32, Encrypted/Encoded File, Bypass User Account Control, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Timestomp, External Proxy, File and Directory Discovery, Process Discovery, Registry Run Keys / Startup Folder, Non-Application Layer Protocol, File Deletion, Web Protocols, Ingress Tool Transfer, Service Execution, Environmental Keying, Internal Proxy, Compression
