S0430 Winnti for Linux
Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the Winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows. [1]
| Item | Value |
|---|---|
| ID | S0430 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 29 April 2020 |
| Last Modified | 01 July 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Winnti for Linux has used HTTP in outbound communications. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Winnti for Linux has decoded XOR-encoded strings holding its configuration upon execution. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2). [1] |
| enterprise | T1105 | Ingress Tool Transfer | Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and SOCKS5 proxying on the infected host. [1] |
| enterprise | T1095 | Non-Application Layer Protocol | Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications. [1] |
| enterprise | T1027 | Obfuscated Files or Information | Winnti for Linux can encode its configuration file with single-byte XOR encoding. [1] |
| enterprise | T1014 | Rootkit | Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity. [1] |
| enterprise | T1205 | Traffic Signaling | Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism. [1] |
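The T1140, T1027 and T1573.001 rows describe single-byte XOR over the configuration and four-byte XOR over the custom TCP channel. The following is an added analyst-side example, not code from the ATT&CK entry or from any Winnti sample: it recovers a single-byte XOR key from a dumped config blob by scoring candidate decodings, and the same repeating-key routine decodes a four-byte-keyed stream once the key is known. The blob, the key 0x5A and the config layout are constructed for illustration; the page gives neither the real key nor the real layout.

```python
"""Recover a single-byte XOR key from a dumped configuration blob.

Added example; the blob, key and layout below are constructed stand-ins,
not values taken from Winnti for Linux or from the ATT&CK entry.
"""
from typing import Tuple

# Constructed config text, then XOR-encoded with one byte to mimic a dump.
DEMO_PLAINTEXT = b"c2_host=www.example.invalid\nc2_port=443\nproxy=socks5\n"
DEMO_KEY = 0x5A
SAMPLE_BLOB = bytes(b ^ DEMO_KEY for b in DEMO_PLAINTEXT)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key: a 1-byte key decodes the config file,
    a 4-byte key would decode a capture of the custom TCP protocol."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(data: bytes) -> int:
    """Heuristic: reward bytes a text config contains, punish the rest."""
    score = 0
    for b in data:
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            score += 3          # ASCII letters
        elif 0x30 <= b <= 0x39 or b in (0x20, 0x09, 0x0A, 0x0D):
            score += 2          # digits and whitespace
        elif 0x21 <= b <= 0x7E:
            score += 1          # other printable ASCII
        else:
            score -= 5          # control bytes, DEL and high bytes
    return score


def recover_single_byte_key(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and return the best-scoring (key, plaintext).

    Printability alone is not enough: several keys yield all-printable
    output (XOR with 0x40 just swaps letters and punctuation), so the
    lexical score is what separates them. Ties resolve to the lowest key."""
    best = max(range(256),
               key=lambda k: text_score(xor_repeating(blob, bytes([k]))))
    return best, xor_repeating(blob, bytes([best]))


if __name__ == "__main__":
    key, cfg = recover_single_byte_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x}\n{cfg.decode()}")
```

On a real dump, check the top few scoring keys rather than only the winner, since a binary-heavy config layout can defeat a purely text-oriented score.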
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1006 | Earth Lusca | [2] |
| G0096 | APT41 | [3] |
References
1. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
2. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
3. CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.