Skip to content

S0430 Winnti for Linux

Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.1

Item Value
ID S0430
Associated Names
Version 1.0
Created 29 April 2020
Last Modified 01 July 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Winnti for Linux has used HTTP in outbound communications.1
enterprise T1140 Deobfuscate/Decode Files or Information Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).1
enterprise T1105 Ingress Tool Transfer Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. 1
enterprise T1095 Non-Application Layer Protocol Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.1
enterprise T1027 Obfuscated Files or Information Winnti for Linux can encode its configuration file with single-byte XOR encoding.1
enterprise T1014 Rootkit Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named, to hide the malware’s operations and network activity.1
enterprise T1205 Traffic Signaling Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.1

Groups That Use This Software

ID Name References
G1006 Earth Lusca 2
G0096 APT41 3