Winnti group’s attack platform is based on decade old malware
“Kaspersky Lab experts tracking the activity of the Winnti group have discovered an active threat based on a 2006 bootkit installer. The threat, which they name HDRoot after the original tools name HDD Rootkit, is a universal platform for a sustainable and persistent appearance in a targeted system, which can be used as a foothold for any arbitrary tool.
The Winnti criminal organization is known for industrial cyberespionage campaigns targeting software companies, especially those in the gaming industry. Recently it has also been observed to be targeting pharmaceutical businesses.
HDRoot was discovered when an intriguing sample of malware sparked the interest of the researchers for the following reasons:
- It was protected with a commercial VMProtect Win64 executable signed with a known compromised certificate belonging to the Chinese entity, Guangzhou YuanLuo Technology; a certificate that the Winnti group was known to have abused to sign other tools;
- The properties and output text of the executable were spoofed to make it look like a Microsofts Net Command net.exe, obviously to reduce the risk of system administrators exposing the program as hostile.
Taken together, this made the sample look suitably suspicious. Further analysis showed that the HDRoot bootkit is a universal platform for a sustainable and persistent appearance in a system and it can be used to launch any other tool.
The researchers were able to identify two types of backdoors launched with the help of this platform, and there may be more. One of these backdoors was able to bypass well-established anti-virus products in South Korea – AhnLabs V3 Lite, AhnLabs V3 365 Clinic and ESTsofts ALYac. The Winnti group could have used it to launch malware products on target machines in South Korea.
According to Kaspersky Security Network data, South Korea is the main area of interest for the Winnti group in South East Asia; with other targets in this region including organizations in Japan, China, Bangladesh and Indonesia. Kaspersky Lab has also detected HDRoot infections in a company in the UK and in one in Russia, both of which have previously been targeted by the Winnti group.
The most important goal for any APT-actor is to stay under the radar, to remain in the shadow. Thats why we rarely see any complicated code encryption, because that would attract attention. The Winnti group took a risk, because it probably knows from experience which signs should be covered-up and which ones can be overlooked because organizations dont always apply all the best security policies all of the time. System administrators have to keep on top of many things, and if the team is small, the chance that cybercriminal activity will remain undetected is even higher, said Dmitry Tarakanov, senior security researcher, Kaspersky Lab Global Research and Analysis Team.
The development of the HDD Rootkit in 2006 is likely to be the work of someone who went on to join the Winnti group when it was set up, likely in 2009. However, there is a possibility that Winnti made use of third-party software or the utility and source code were available on the Chinese or other cybercriminal black market. Since Kaspersky Lab started to add detections, the group behind the attacks has started to adapt them in less than one month, a new modification was identified.”