Winnti for Windows
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
Winnti for Windows can use a variant of the sysprep UAC bypass.(Citation: Novetta Winnti April 2015) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Winnti for Windows has the ability to use encapsulated HTTP/S in C2 communications.(Citation: Novetta Winnti April 2015) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Winnti for Windows can add a service named |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.(Citation: Microsoft Winnti Jan 2017) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Winnti for Windows can XOR encrypt C2 traffic.(Citation: Novetta Winnti April 2015) |
| Enterprise | T1480 | .001 | Execution Guardrails: Environmental Keying |
The Winnti for Windows dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key.(Citation: Novetta Winnti April 2015) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Winnti for Windows can delete the DLLs for its various components from a compromised host.(Citation: Novetta Winnti April 2015) |
| .006 | Indicator Removal: Timestomp |
Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe.(Citation: Novetta Winnti April 2015) |
||
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.(Citation: Microsoft Winnti Jan 2017) |
| Enterprise | T1090 | .001 | Proxy: Internal Proxy |
The Winnti for Windows HTTP/S C2 mode can make use of a local proxy.(Citation: Novetta Winnti April 2015) |
| .002 | Proxy: External Proxy |
The Winnti for Windows HTTP/S C2 mode can make use of an external proxy.(Citation: Novetta Winnti April 2015) |
||
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
The Winnti for Windows installer loads a DLL using rundll32.(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015) |
| Enterprise | T1569 | .002 | System Services: Service Execution |
Winnti for Windows can run as a service using svchost.exe.(Citation: Novetta Winnti April 2015) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0044 | Winnti Group |
(Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) |
References
- Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
- Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
- Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.
- Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.