Linux variant of Winnti malware discovered by Chronicle cybersecurity experts

Researchers found this variant while investigating the cyber attack carried out on pharma giant Bayer last month

Security experts from Chronicle, part of Google owner Alphabet's portfolio of companies, claim to have unearthed a Linux version of the Winnti malware.

According to the Chronicle team, the Linux variant's code bears a close resemblance to the Windows version of Winnti 2.0, a hacking tool associated with Chinese cyber criminals for the past decade and used in attacks on systems worldwide.

It was believed to be behind a supply chain attack on a South Korean software company in 2017.

Security experts believe that a number of APT [advanced persistent threat] groups currently operate under the Winnti umbrella. These include groups labelled Winnti, APT17, Gref, BARIUM, PlayfullDragon, Wicked Panda, DeputyDog, LEAD, Axiom, ShadowPad and PassCV.

These groups have been observed to use similar strategies and techniques and, in some cases, have even shared parts of the same hacking infrastructure.

AI & Machine Learning Live is returning to London on 3rd July 2019. Hear from the Met Office's Charles Ewen, AutoTrader lead data scientist Dr David Hoyle and the BBC's Noriko Matsuoka, among many others. Attendance is free to qualifying IT leaders and senior IT pros, but places are limited, so reserve yours now.

According to the researchers, the Linux variant of Winnti is designed to work as a backdoor on infected hosts and enables hackers to gain access to the compromised system.

They found the variant while investigating a cyber attack carried out last month on pharmaceutical giant Bayer.

The experts were looking for Winnti malware samples on the VirusTotal platform when they spotted the Linux variant, which dated back to 2015.

In 2015, attackers had used the malware to attack a gaming company in Vietnam.


Analysis of the Linux variant revealed that it contains two files: the main backdoor Trojan (libxselinux) and a library (libxselinux.so) used to hide the malware.

"As with other versions of Winnti, the core component of the malware doesn't natively provide the operators with distinct functionality. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers," the researchers wrote in a blog.

"During our analysis, we were unable to recover any active plugins. However, prior reporting suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux," they added.

Further analysis of the malware revealed many code similarities between the Windows version of Winnti 2.0 and the Linux variant.

According to the researchers, both variants can communicate with their command-and-control servers using a variety of protocols, including HTTP, ICMP, and custom TCP/UDP protocols.

Another feature common to both versions is that they allow their operators to open a connection to an infected host directly, without going through a command-and-control server. Experts believe this feature lets the attackers reach infected hosts even when access to a C&C server is interrupted.
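A backdoor that accepts direct inbound connections, as described above, has to hold a listening socket on the host, and on Linux every TCP socket is visible in /proc/net/tcp. The following triage helper is an added example, not code from Chronicle or from the article: it parses that table, returns the sockets in the LISTEN state, and flags any whose port is not on an allowlist of services the host is expected to run. The table embedded in the script is constructed for the example (a listener on 22, a second one on 8080, and one established connection); `read_live_table` reads the real file when run on a host.

```python
"""Triage helper: list listening TCP sockets from /proc/net/tcp.

Added example, not Chronicle's or the article's code. The sample table below
is constructed; run read_live_table() on a real host to get the live one.
"""
import socket
import struct

# Socket state codes come from the kernel's tcp_states.h; 0x0A is TCP_LISTEN.
TCP_LISTEN = "0A"

# Constructed sample of /proc/net/tcp: header line plus three entries.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(hex_addr: str) -> tuple[str, int]:
    """Convert the kernel's 'AABBCCDD:PPPP' form to (dotted IPv4, port).

    The IPv4 address is stored in host byte order, so on a little-endian
    machine 0100007F decodes to 127.0.0.1.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table_text: str) -> list[dict]:
    """Return LISTEN entries as dicts with ip, port, uid and socket inode.

    Column layout (whitespace separated): sl, local_address, rem_address,
    st, tx_queue:rx_queue, tr:tm->when, retrnsmt, uid, timeout, inode, ...
    """
    results = []
    for line in table_text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = _decode_addr(fields[1])
        results.append(
            {"ip": ip, "port": port, "uid": int(fields[7]), "inode": int(fields[9])}
        )
    return results


def unexpected_listeners(table_text: str, expected_ports: set[int]) -> list[dict]:
    """Listeners whose port is not on the allowlist of services this host should run."""
    return [s for s in listening_sockets(table_text) if s["port"] not in expected_ports]


def read_live_table(path: str = "/proc/net/tcp") -> str:
    """Read the real socket table (Linux only)."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    # Assumed allowlist for the constructed sample: only SSH is expected.
    for s in unexpected_listeners(SAMPLE_PROC_NET_TCP, {22}):
        print(f"unexpected listener {s['ip']}:{s['port']} uid={s['uid']} inode={s['inode']}")
```

The socket inode is returned deliberately: it is the key for mapping a listener back to its process by matching `socket:[inode]` links under /proc/<pid>/fd, which is the next step in working out what owns an unexpected port. The same parsing applies to /proc/net/tcp6 if the address decoding is extended to 16-byte addresses.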

