
Security boffins uncover Linux variant of Winnti malware

SECURITY BOFFINS claim to have unearthed a Linux version of the Winnti malware.

Chronicle, part of Alphabet’s portfolio of companies, says the Linux variant’s code bears a close resemblance to the Winnti 2.0 Windows version, a hacking tool associated with Chinese cybercriminals for the past decade and used in attacks on systems worldwide. 

It was believed to be behind a supply chain attack on a South Korean software company in 2017. 

Security experts believe that a number of APT groups currently operate under the Winnti umbrella; these include groups labelled Winnti, APT17, Gref, BARIUM, PlayfullDragon, Wicked Panda, DeputyDog, LEAD, Axiom, ShadowPad and PassCV.

These groups have been observed to use similar strategies and techniques and, in some cases, they even shared parts of the same hacking infrastructure.

According to the researchers, the Linux variant of Winnti is designed to work as a backdoor on infected hosts and enables hackers to gain access to the compromised system. 

They found the variant while investigating a cyber attack carried out last month on pharmaceutical giant Bayer.

The experts were searching for Winnti malware samples on the VirusTotal platform when they spotted the Linux variant, which dated back to 2015.

Analysis of the Linux variant revealed that it contains two files: the main backdoor Trojan (libxselinux) and a library (libxselinux.so) used to hide the malware.
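A defender can sweep a filesystem for the two file names given above. The following is an added example, not code from Chronicle's report: `sweep` and `demo` are hypothetical names, the directory tree and file contents are constructed, and a name match is only a lead for triage, since the legitimate SELinux library is called `libselinux.so.1`, without the extra "x".

```python
import hashlib
import os
import tempfile

# File names reported for the Linux variant (from the article above).
WINNTI_NAMES = {"libxselinux", "libxselinux.so"}
ELF_MAGIC = b"\x7fELF"


def sweep(root):
    """Return a record for every regular file under root named like the report."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Exact-name match only; symlinks are skipped so targets are not double-counted.
            if name not in WINNTI_NAMES or os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                # Unreadable file: still report the path, without hash or type.
                hits.append({"path": path, "elf": None, "sha256": None})
                continue
            hits.append({"path": path, "elf": data.startswith(ELF_MAGIC),
                         "sha256": hashlib.sha256(data).hexdigest()})
    return sorted(hits, key=lambda h: h["path"])


def demo():
    """Sweep a constructed tree; the file contents are placeholders, not malware."""
    samples = {
        "libxselinux": ELF_MAGIC + b"constructed sample 1",
        "libxselinux.so": ELF_MAGIC + b"constructed sample 2",
        "libselinux.so.1": ELF_MAGIC + b"legitimate SELinux library name",
    }
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        for name, body in samples.items():
            with open(os.path.join(lib, name), "wb") as fh:
                fh.write(body)
        return [(os.path.relpath(h["path"], root), h["elf"]) for h in sweep(root)]


if __name__ == "__main__":
    for rel, is_elf in demo():
        print(rel, "ELF" if is_elf else "not ELF")
```

The SHA-256 in each record can be compared against hashes from a published report or submitted to a malware repository for lookup.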

“As with other versions of Winnti, the core component of the malware doesn’t natively provide the operators with distinct functionality. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers,” the researchers wrote in a blog.

“During our analysis, we were unable to recover any active plugins. However, prior reporting suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux,” they added.

Further analysis of the malware revealed many code similarities between the Winnti 2.0 Windows version and the Linux variant.

According to researchers, both variants can communicate with their command-and-control servers using a variety of protocols, including HTTP, ICMP, and custom TCP/UDP protocols.

Another feature common to both versions is that they enable their controllers to open a connection to infected hosts without requiring command-and-control servers. Experts believe this feature enables hackers to directly access infected hosts when access to a C&C server is interrupted.
