Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Winnti for Windows

Winnti for Windows is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, Winnti Group.(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018). The Linux variant is tracked separately under Winnti for Linux.(Citation: Chronicle Winnti for Linux May 2019)
ID: S0141
Type: MALWARE
Platforms: Windows
Version: 3.1
Created: 31 May 2017
Last Modified: 10 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Winnti for Windows can use a variant of the sysprep UAC bypass.(Citation: Novetta Winnti April 2015)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Winnti for Windows has the ability to use encapsulated HTTP/S in C2 communications.(Citation: Novetta Winnti April 2015)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Winnti for Windows can add a service named wind0ws to the Registry to achieve persistence after reboot.(Citation: Novetta Winnti April 2015)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.(Citation: Microsoft Winnti Jan 2017)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Winnti for Windows can XOR encrypt C2 traffic.(Citation: Novetta Winnti April 2015)

Enterprise T1480 .001 Execution Guardrails: Environmental Keying

The Winnti for Windows dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key.(Citation: Novetta Winnti April 2015)

Enterprise T1070 .004 Indicator Removal: File Deletion

Winnti for Windows can delete the DLLs for its various components from a compromised host.(Citation: Novetta Winnti April 2015)

.006 Indicator Removal: Timestomp

Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe.(Citation: Novetta Winnti April 2015)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.(Citation: Microsoft Winnti Jan 2017)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Winnti for Windows has the ability to encrypt and compress its payload.(Citation: Novetta Winnti April 2015)

Enterprise T1090 .001 Proxy: Internal Proxy

The Winnti for Windows HTTP/S C2 mode can make use of a local proxy.(Citation: Novetta Winnti April 2015)

.002 Proxy: External Proxy

The Winnti for Windows HTTP/S C2 mode can make use of an external proxy.(Citation: Novetta Winnti April 2015)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

The Winnti for Windows installer loads a DLL using rundll32.(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)

Enterprise T1569 .002 System Services: Service Execution

Winnti for Windows can run as a service using svchost.exe.(Citation: Novetta Winnti April 2015)

Groups That Use This Software

ID Name References
G0143 Aquatic Panda

(Citation: Crowdstrike HuntReport 2022)

G0044 Winnti Group

(Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.