Pierluigi Paganini March 26, 2017

Trend Micro discovered the Chinese threat actor Winnti has been abusing GitHub service for command and control (C&C) communications.

Security experts at Trend Micro continue to monitor the activities of the Chinese Winnti hacker group, this time the hackers have been abusing GitHub for command and control (C&C) communications.

“Recently, the Winnti group, a threat actor with a past of traditional cybercrime -particularly with financial fraud, has been seen abusing GitHub by turning it into a conduit for the command and control (C&C) communications of their seemingly new backdoor (detected by Trend Micro as BKDR64_WINNTI.ONM).” reads the analysis published by Trend Micro.

“Our research also showed that the group still uses some of the infamous PlugX malware variants—a staple in Winnti’s arsenal—to handle targeted attack operations via the GitHub account we identified.”

The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.

The gang is financially-motivated and was mostly involved in cyber espionage campaigns.  The hackers were known for targeting companies in the online gaming industry, the majority of the victims is located in Southeast Asia.

Malware researchers at Trend Micro discovered that that malware connected to a certain GitHub account in order to get the indication of the C&C servers.

The group continues using the PlugX RAT for its attacks along with an alleged new backdoor tracked as BKDR64_WINNTI.ONM.

The malicious code checks an HTML page stored in a GitHub project that contains an encrypted string, this string includes the IP address and port number for the Command and Control server.

The GitHub project used by the Winnti gang was created in May 2016 and its first usage for C&C communications is dated back August 2016. Experts believe the GitHub account was likely created by the attackers themselves and not hijacked from its original owner.

The experts observed nearly two dozen C&C server IP and port combinations in the period between August 17 and March 12. The C&C servers were located in the United States, and two of them in Japan.

The recently discovered Winnti backdoor uses a loader that leverages a modified version of a Microsoft registry tool (loadperf.dll) and the WMI performance adapter service in Windows (wmiAPSrv).

The loader imports and decrypts the main payload and then injects it into the svchost.exe. The payload is then loaded into memory.

“Abusing popular platforms like GitHub enables threat actors like Winnti to maintain network persistence between compromised computers and their servers, while staying under the radar,” concludes Trend Micro. “Although Winnti may still be employing traditional malware, its use of a relatively unique tactic to stay ahead of the threat landscape’s curve reflects the increased sophistication that threat actors are projected to employ.”

Pierluigi Paganini

(Security Affairs – Winnti gang, cyber espionage)

[adrotate banner=”13″]

[adrotate banner=”5″]