Winnti for Linux
Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1014 | Rootkit |
Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity.[1] |
|
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography |
Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).[1] |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.[1] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
Winnti for Linux has used HTTP in outbound communications.[1] |
| Enterprise | T1205 | 流量激活 |
Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.[1] |
|
| Enterprise | T1027 | .013 | 混淆文件或信息: Encrypted/Encoded File |
Winnti for Linux can encode its configuration file with single-byte XOR encoding.[1] |
| Enterprise | T1105 | 输入工具传输 |
Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. [1] |
|
| Enterprise | T1095 | 非应用层协议 |
Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1006 | Earth Lusca | |
| G0096 | APT41 | |
| G0143 | Aquatic Panda |
Aquatic Panda used Winnti for Linux for access to victim Linux hosts during intrusions[4]. |