Skip to content

S0059 WinMM

WinMM is a full-featured, simple backdoor used by Naikon. 1

Item Value
ID S0059
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols WinMM uses HTTP for C2.1
enterprise T1008 Fallback Channels WinMM is usually configured with primary and backup domains for C2 communications.1
enterprise T1083 File and Directory Discovery WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.1
enterprise T1057 Process Discovery WinMM sets a WH_CBT Windows hook to collect information on process creation.1
enterprise T1082 System Information Discovery WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.1
enterprise T1033 System Owner/User Discovery WinMM uses NetUser-GetInfo to identify that it is running under an “Admin” account on the local system.1

Groups That Use This Software

ID Name References
G0019 Naikon 12

References

  1. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  2. ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China’s Unit 78020. Retrieved December 17, 2015.