Winnti for Linux
Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Winnti for Linux has used HTTP in outbound communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.[1] |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. [1] |
|
| Enterprise | T1095 | Non-Application Layer Protocol |
Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.[1] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
Winnti for Linux can encode its configuration file with single-byte XOR encoding.[1] |
|
| Enterprise | T1014 | Rootkit |
Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity.[1] |
|
| Enterprise | T1205 | Traffic Signaling |
Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0096 | APT41 |