Skip to content

G0044 Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.354 Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.2

Item Value
ID G0044
Associated Names Blackfly
Version 1.2
Created 31 May 2017
Last Modified 20 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Blackfly 1

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Winnti Group has registered domains for C2 that mimicked sites of their intended targets.3
enterprise T1083 File and Directory Discovery Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.3
enterprise T1105 Ingress Tool Transfer Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.3
enterprise T1057 Process Discovery Winnti Group looked for a specific process running on infected servers.3
enterprise T1014 Rootkit Winnti Group used a rootkit to modify typical server functionality.3
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Winnti Group used stolen certificates to sign its malware.3

Software

ID Name References Techniques
S0501 PipeMon 6 Bypass User Account Control:Abuse Elevation Control Mechanism Create Process with Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Print Processors:Boot or Logon Autostart Execution Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Fallback Channels Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Modify Registry Native API Non-Application Layer Protocol Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Process Discovery Dynamic-link Library Injection:Process Injection Shared Modules Security Software Discovery:Software Discovery Code Signing:Subvert Trust Controls System Information Discovery System Network Configuration Discovery System Time Discovery
S0013 PlugX 3 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts DLL Side-Loading:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Ingress Tool Transfer Keylogging:Input Capture Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Query Registry Screen Capture System Network Connections Discovery MSBuild:Trusted Developer Utilities Proxy Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0141 Winnti for Windows 35 Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Environmental Keying:Execution Guardrails File and Directory Discovery Timestomp:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Native API Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Internal Proxy:Proxy External Proxy:Proxy Rundll32:System Binary Proxy Execution System Information Discovery Service Execution:System Services

References

  1. DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016. 

  2. Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018. 

  3. Kaspersky Lab’s Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. 

  4. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  5. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016. 

  6. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.