Experts discovered the attack platform used by the Winnti Group

Experts at Kaspersky have discovered that Winnti Group has enhanced its attack platform infecting organizations in South Korea, UK and Russia.

In 2013, security experts at Kaspersky Lab uncovered a cyber espionage that targeted the gaming industry with a malware signed with a valid digital certificate. The threat actor behind the campaign was dubbed the Winnti group, it was targeting the gaming industry to steal game community currency and source code.

The experts at Kaspersky Lab discovered that the Winnti group has been active since 2009 targeting more than 30 gaming companies and hitting various popular online games.

According to the researchers the Winnti group is based in China and most victims are located in Southeast Asia, Germany, United States, Japan, China, Russia, Brazil, Peru, and Belarus. In June 2015, the security experts at Kaspersky collected evidence that the Winniti APT is moving beyond the gaming industry targeting telecoms and companies in the pharmaceutical industry.

Further analysis allowed the experts to discover that the Winnti group has been using as an attack platform for infecting the systems of organizations in South Korea and other countries worldwide. The hacking tool in the arsenal of the APT is the “HDRoot,” a malicious code based on a bootkit installer named “HDD Rootkit” that was developed in 2006. It is likely that the author of the HDD Rootkit joined Winnti when the group was formed in 2009, or the APT simply acquired it on the underground market.

The HDRoot is used by hackers to deliver backdoors in the targeted system and obtain persistence.

The researchers discovered that the HDRoot bootkit had been protected with VMProtect, a commercial software used to protect source code from reversing and cracking. Also in this case attackers digitally signed the code of the HDRoot bootkit with a compromised digital certificate, already used in the past by Winnti hackers, issued to a Chinese company named Guangzhou YuanLuo Technology.

“It was protected by a commercial VMProtect Win64 executable signed with a known compromised certificate from Chinese entity Guangzhou YuanLuo Technology. Moreover, the properties of the executable read as if it were Microsoft’s Net Command net.exe, and even running the sample also resulted in output typical of the original net.exe utility:” states the blog post published by SecureList.

The experts identified two sample of backdoors delivered by HDRoot, one of them targeted products that are popular in South Korea, but Kaspersky has also spotted one infection in the United Kingdom and one in Russia.

The level of sophistication of the HDRoot is low, the developer that designed it have made some mistakes that could make advantage the detection of the threat on an infected machine.

“The Winnti group took a risk, because it probably knows from experience which signs should be covered-up and which ones can be overlooked because organizations don’t always apply all the best security policies all of the time. System administrators have to keep on top of many things, and if the team is small, the chance that cybercriminal activity will remain undetected is even higher.” said Dmitry Tarakanov, Senior Security Researcher in Kaspersky Lab’s GReAT team.

Stay Tuned!

Pierluigi Paganini

(Security Affairs – Winnti APT, hacking)