Skip to content

S0141 Winnti for Windows

Winnti for Windows is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, Winnti Group.4153. The Linux variant is tracked separately under Winnti for Linux.2

Item Value
ID S0141
Associated Names
Version 3.0
Created 31 May 2017
Last Modified 20 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Winnti for Windows can use a variant of the sysprep UAC bypass.5
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Winnti for Windows has the ability to use encapsulated HTTP/S in C2 communications.5
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Winnti for Windows can add a service named wind0ws to the Registry to achieve persistence after reboot.5
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.1
enterprise T1140 Deobfuscate/Decode Files or Information The Winnti for Windows dropper can decrypt and decompresses a data blob.5
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Winnti for Windows can XOR encrypt C2 traffic.5
enterprise T1480 Execution Guardrails -
enterprise T1480.001 Environmental Keying The Winnti for Windows dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key.5
enterprise T1083 File and Directory Discovery Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.5
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Winnti for Windows can delete the DLLs for its various components from a compromised host.5
enterprise T1070.006 Timestomp Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe.5
enterprise T1105 Ingress Tool Transfer The Winnti for Windows dropper can place malicious payloads on targeted systems.5
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.1
enterprise T1106 Native API Winnti for Windows can use Native API to create a new process and to start services.5
enterprise T1095 Non-Application Layer Protocol Winnti for Windows can communicate using custom TCP.5
enterprise T1027 Obfuscated Files or Information Winnti for Windows has the ability to encrypt and compress its payload.5
enterprise T1057 Process Discovery Winnti for Windows can check if the explorer.exe process is responsible for calling its install function.5
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy The Winnti for Windows HTTP/S C2 mode can make use of a local proxy.5
enterprise T1090.002 External Proxy The Winnti for Windows HTTP/S C2 mode can make use of an external proxy.5
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 The Winnti for Windows installer loads a DLL using rundll32.15
enterprise T1082 System Information Discovery Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP.5
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Winnti for Windows can run as a service using svchost.exe.5

Groups That Use This Software

ID Name References
G0044 Winnti Group 46