Researchers Analyze the Linux Variant of Winnti Malware

Tuesday, May 28, 2019

Ionut Arghire

Fa42af438e58b799189dd26386f5870f

Chronicle, the cybersecurity arm of Google’s parent Alphabet, has identified and analyzed samples of the Winnti malware that have been designed specifically for the Linux platform.

Believed to be operating out of China, the Winnti group was initially discovered in 2012, but is believed to have been operating since at least 2009, targeting software companies, particularly those in the gaming sector, for industrial cyber-espionage purposes.

Recent reports suggested that various Chinese actors might be sharing tools, and the Winnti malware family too might have been used by multiple groups. The threat has been used in numerous attacks, with the most recent ones observed in April 2019.

The Linux version of Winnti, Chronicle’s security researchers reveal, is comprised of the main backdoor (libxselinux) and a library (libxselinux.so) designed to hide the malicious activity on the infected system.

The same as other variants of the malware, the Linux iteration was designed to handle communication with the command and control (C&C) server, as well as the deployment of modules. Plugins commonly deployed support remote command execution, file exfiltration, and socks5 proxying on the host.

The libxselinux.so library, which is a copy of the open-source userland rootkit Azazel, but with some changes, registers symbols for multiple commonly used functions and modifies their returns to hide the malware’s operations.

The Winnti-modified version of the rootkit keeps a list of process identifiers and network connections associated with the malware’s activity.

When executed, the Winnti Linux variant’s main backdoor decodes an embedded configuration that is similar in structure to the variant used in the Winnti 2.0 version of the Windows malware (detailed more than five years ago).

The analyzed sample’s configuration included three command-and-control server addresses and two additional strings that Chronicle’s security researchers believe to be campaign designators.

The identified Winnti Linux samples fall under three distinct campaign designators, but ranged from target names, geographic areas, industry, and profanity.

The malware uses multiple protocols for outbound communications, including ICMP, HTTP, and custom TCP and UDP protocols, a feature already documented in previous reports.

A function that hasn’t received enough attention, however, allows the operators to initiate a connection directly to an infected host, without requiring a connection to a control server. This ensures that communication is still possible even when access to the hard-coded control servers is disrupted.

“Additionally, the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts. This passive implant approach to network persistence has been previously observed with threat actors like Project Sauron and the Lamberts,” the researchers explain.

Winnti-related activity, Chronicle notes, has been intensively analyzed by the security community, which attributed it to different codenamed threat actors that have already demonstrated their expertise in compromising Windows-based environments.

“An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemitry blindspot in many enterprises, as is with Penquin Turla and APT28’s Linux XAgent variant,” Chronicle concludes.

Related: Researchers Link Several State-Sponsored Chinese Spy Groups

Related: Winnti Group Uses GitHub for C&C Communications

45098
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.