Winnti Linux variant used in 2015 in the hack of a Vietnamese gaming company.
For the first time, security researchers have uncovered and analyzed a Linux variant of Winnti, one of the favorite hacking tools used by Beijing hackers over the past decade.
Discovered by security researchers from Chronicle, Alphabet’s cyber-security division, the Linux version of the Winnti malware works as a backdoor on infected hosts, granting attackers access to compromised systems.
Chronicle says it discovered this Linux variant after news broke last month that Bayer, one of the world’s largest pharmaceutical companies, had been hit by Chinese hackers, and the Winnti malware was discovered on its systems.
During subsequent scans for Winnti malware on its VirusTotal platform, Chronicle said it spotted what appeared to be a Linux variant of Winnti, dating back to 2015 when it was used in the hack of a Vietnamese gaming company.
CONNECTIONS TO WINDOWS VARIANT
Chronicle says the malware they discovered was made up of two parts: a rootkit component that hides the malware on infected hosts, and the actual backdoor trojan.
Further analysis revealed code similarities between the Linux version and the Winnti 2.0 Windows version, as described in reports by Kaspersky Lab and Novetta.
Another connection to the Windows version was the similar way in which the Linux variant handled outbound communications with its command-and-control (C&C) server: a mixture of multiple protocols (ICMP, HTTP, and custom TCP and UDP protocols).
Last but not least, the Linux version also possessed a feature distinctive of the Windows version: the ability for Chinese hackers to initiate connections to infected hosts directly, without going through the C&C servers.
“This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted,” Chronicle researchers said in a report published last week.
LINUX MALWARE IS RARE
The discovery of this Winnti Linux variant also shows that state-sponsored actors won’t shy away from porting their malware to any platform they feel necessary.
State hacker groups linked to the US and Russian governments are known to use Linux malware.
“Linux specific tooling from Chinese APTs is rare but not unheard of,” Silas Cutler, Reverse Engineering Lead at Chronicle, told ZDNet via email. “Historically, tools such as HKdoor, Htran, and Derusbi all had Linux variants.”
Despite this, Linux malware is quite rare among nation-state hacking groups as a whole, especially when compared to Windows tools.
“The lower prevalence may be because Linux provides ample opportunity for actors to ‘live off the land’ which renders customized tooling unnecessary,” Cutler told us.