Security researchers discovered a Linux version of the infamous Beijing-based Winnti malware
Security experts at Chronicle released a blog post describing a new version of the infamous Winnti malware. The analysis is based on a Linux variant of the malware that was used in a cyber attack against a Vietnamese gaming company back in 2015.
Winnti is not a new threat: it first emerged back in 2013, when Kaspersky Lab described it in a security blog article titled “More than just a game.” Initially, the malware, which originated in China, targeted gaming companies, and researchers quickly noticed that multiple video game players were affected by the same infection.
Later on, the trojan was seen attacking multiple targets around the world for various reasons; Kaspersky experts claim that the threat actors were interested in the source code of gaming projects, network infrastructure, design, and other assets. While the name Winnti was originally assigned to a specific hacker group, researchers now believe that the malware is being sold or shared between a variety of different groups.
Chronicle researchers followed one of the cases, which involved the German pharmaceutical giant Bayer and occurred in April this year. During the investigation, the team managed to find a Linux version of Winnti:
While reviewing a 2015 report of a Winnti intrusion at a Vietnamese gaming company, we identified a small cluster of Winnti samples designed specifically for Linux. The following is a technical analysis of this variant.
Technical details of Linux-based Winnti variant
The Linux version of Winnti consists of two parts and was designed to work as a backdoor (libxselinux) and a rootkit library (libxselinux.so). The latter is responsible for concealing the payload and preventing security tools from detecting it, while the backdoor trojan component handles communications and executes any additional commands from the Command & Control server used by the hackers.
Chronicle researchers say they were unable to extract any modules from the Linux version of Winnti, although they believe the components frequently deployed by the hackers include functionality such as remote code execution, SOCKS5 proxying, and file exfiltration from the host machine.
The library component's code was copied from the open-source rootkit Azazel. One major difference, however, lies in a new function added by the Winnti developers, called “Decrypt2,” which is responsible for decoding the embedded configuration.
Unlike standard Azazel which is configured to hide network activity based on port ranges, the Winnti-modified version keeps a list of process identifiers and network connections associated with the malware’s activity. This modification likely serves to simplify the operator’s sample configuration process by not having to denote specific ports to hide.
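As an added illustration of how a defender can look for the PID hiding described above (this code is not from the Chronicle report or this article; it assumes a Linux host with a readable procfs, that the rootkit filters libc's readdir() but not the kill(2) wrapper, and all function names are my own):

```python
import os
from typing import Callable, Iterable, Optional, Set

PRELOAD_FILE = "/etc/ld.so.preload"  # preload rootkits usually register their library here
def listed_pids(proc_root: str = "/proc") -> Set[int]:
    # PIDs seen through readdir(), the libc path an LD_PRELOAD rootkit can filter
    try:
        return {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    except FileNotFoundError:  # no procfs, i.e. not a Linux host
        return set()

def probed_pids(max_pid: int) -> Set[int]:
    # PIDs the kernel acknowledges via kill(pid, 0); assumes kill() itself is not hooked
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:  # ESRCH: no such process
            pass
        except PermissionError:     # EPERM: exists, owned by another user
            found.add(pid)
    return found

def parse_tgid(status_text: str) -> Optional[int]:
    # Thread-group id from /proc/<pid>/status; a thread reports its leader's PID here
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None

def tgid_from_proc(pid: int) -> Optional[int]:
    try:
        with open(f"/proc/{pid}/status") as fh:
            return parse_tgid(fh.read())
    except OSError:  # entry denied or process already gone
        return None
def classify_candidates(listed: Iterable[int], probed: Iterable[int],
                        tgid_lookup: Callable[[int], Optional[int]]) -> Set[int]:
    # kill() also succeeds on thread IDs, which never appear under /proc, so drop
    # non-leader threads; keep leaders and anything whose status cannot be read
    return {pid for pid in set(probed) - set(listed) if tgid_lookup(pid) in (None, pid)}
def check_host(max_pid: int = 32768) -> dict:
    # pass the value of /proc/sys/kernel/pid_max; two passes so a process that merely
    # exited between the two enumerations is not reported as hidden
    rounds = [classify_candidates(listed_pids(), probed_pids(max_pid), tgid_from_proc)
              for _ in range(2)]
    preload = open(PRELOAD_FILE).read().split() if os.path.exists(PRELOAD_FILE) else []
    return {"hidden_pids": sorted(rounds[0] & rounds[1]), "preload_entries": preload}
```

Run check_host() as root with max_pid set to the host's pid_max; a non-empty hidden_pids list or an unexpected library in /etc/ld.so.preload warrants a closer look at the host.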
Similarities to Windows variants
Winnti uses a variety of protocols to communicate with its servers: HTTP, ICMP, TCP, and UDP. According to the analysis by Chronicle experts, these communications were described in detail in previous reports by Kaspersky and Novetta, although little attention was paid to a feature in the malware's code that allows the hackers to communicate with the infected host without using a Command & Control server. This functionality was noticed in the most recent variants of the trojan, both Linux and Windows:
This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted. Additionally, the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts.
While Linux malware is rare, Winnti proves that hackers are willing to put in extra effort to expand their operations onto different platforms.