Skip to content

S0176 Wingbird

Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reportedly used to attack individual computers instead of networks. It was used by NEODYMIUM in a May 2016 campaign. 1 2

Item Value
ID S0176
Associated Names
Type MALWARE
Version 1.1
Created 16 January 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.008 LSASS Driver Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe before the spoofed service becomes unstable and crashes.13
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Wingbird uses services.exe to register a new autostart service named “Audit Service” using a copy of the local lsass.exe file.13
enterprise T1068 Exploitation for Privilege Escalation Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.13
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Wingbird deletes its payload along with the payload’s parent process after it finishes copying files.1
enterprise T1055 Process Injection Wingbird performs multiple process injections to hijack system processes and execute malicious code.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Wingbird checks for the presence of Bitdefender security software.1
enterprise T1082 System Information Discovery Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Wingbird uses services.exe to register a new autostart service named “Audit Service” using a copy of the local lsass.exe file.13

Groups That Use This Software

ID Name References
G0055 NEODYMIUM 21

References