Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.[1][2][3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.[4]

ID: G0044
Associated Groups: Blackfly
Contributors: Edward Millington
Version: 1.2
Created: 31 May 2017
Last Modified: 20 March 2023

Associated Group Descriptions

Name: Blackfly [5]

Techniques Used

Domain ID Name Use
Enterprise T1014 Rootkit

Winnti Group used a rootkit to modify typical server functionality.[1]

Enterprise T1083 File and Directory Discovery

Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Winnti Group has registered domains for C2 that mimicked sites of their intended targets.[1]

Enterprise T1105 Ingress Tool Transfer

Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.[1]

Enterprise T1057 Process Discovery

Winnti Group looked for a specific process running on infected servers.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Winnti Group used stolen certificates to sign its malware.[1]

Software

ID Name References Techniques
S0501 PipeMon [6] Masquerading: Match Legitimate Name or Location, Modify Registry, Shared Modules, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Print Processors, Fallback Channels, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Fileless Storage, Abuse Elevation Control Mechanism: Bypass User Account Control, System Information Discovery, System Time Discovery, System Network Configuration Discovery, Access Token Manipulation: Create Process with Token, Access Token Manipulation: Parent PID Spoofing, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol, Subvert Trust Controls: Code Signing
S0013 PlugX [1] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S0141 Winnti for Windows [1][2] Proxy: External Proxy, Proxy: Internal Proxy, Masquerading: Match Legitimate Name or Location, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Application Layer Protocol: Web Protocols, Execution Guardrails: Environmental Keying, File and Directory Discovery, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: File Deletion, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution, Ingress Tool Transfer, Process Discovery, Non-Application Layer Protocol

References