Connecting the dots: Exposing the arsenal and methods of the Winnti Group

New ESET white paper released describing updates to the malware arsenal and campaigns of this group known for its supply-chain attacks
Today, ESET Research releases a white paper updating our understanding of the Winnti Group. Last March, ESET researchers warned about a new supply-chain attack targeting video game developers in Asia. Following that publication, we continued those investigations in two directions. We were interested in finding any subsequent malware stages delivered by that attack, and we also tried to find how the targeted developers and publishers were compromised to deliver the Winnti Group’s malware in their applications.
While we continued that investigation of the Winnti Group, additional reports on their activities were published. Kaspersky released details about the ShadowHammer malware that was found in the Asus Live Update utility. That report also mentioned some of the techniques we describe in detail in this new white paper, such as the existence of a VMProtect packer and a brief description of the PortReuse backdoor.

FireEye also published a paper about a group it calls APT41. Our research confirms some of their findings regarding the subsequent stages in some of the supply-chain attacks, such as the use of compromised hosts for mining cryptocurrencies.
Our white paper provides a technical analysis of the recent malware used by the Winnti Group. This analysis further refines our understanding of their techniques and allows us to infer relationships between the different supply-chain incidents.

We hope the white paper and indicators of compromise we release today will help targeted organizations determine whether they are victims, or prevent future compromise.
There are lots of reports about this group’s — or perhaps these groups’ — activities. It seems each report gives new names to the group and the malware. Sometimes this has been because the link with existing research wasn’t strong enough to classify the malware and activities of interest under a previous name, or because vendors or research groups have their own classifications and naming and used them in their public reporting. For someone who doesn’t actually analyze the malware samples, it can be difficult to confirm aliases and easy to add more confusion.
We have chosen to keep the name “Winnti Group” since it’s the name first used to identify it, in 2013, by Kaspersky. We do understand Winnti is also a malware family: that is why we always write Winnti Group when we refer to the malefactors behind the attacks. Since 2013, it has been demonstrated that Winnti is only one of the many malware families used by the Winnti Group.
To be clear, we do not exclude the idea that there might be multiple groups using the Winnti malware. For the scope of our research we refer to them as potential subgroups of the Winnti Group because there is no evidence they are completely isolated. Our definition of the Winnti Group is broad enough to include all these subgroups because it is based mainly on the malware and techniques they use.

Our white paper has a section describing the names we use and their aliases.
Read the complete article on