1. Home
  2. Software
  3. Winnti for Windows

Winnti for Windows

Winnti for Windows is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware. [1] [2] [3] The Linux variant is tracked separately under Winnti for Linux.[4]

ID: S0141
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 31 May 2017
Last Modified: 04 May 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.[2]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[2]
Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

The Winnti for Windows installer loads a DLL using rundll32.[2]

Groups That Use This Software

ID Name References
G0044 Winnti Group

[1][5]

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  2. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
  3. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  1. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  2. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.