
Winnti Group mainly targets South Korean organisations, amongst other Asian companies

Zafirah Salim | Oct. 14, 2015
The Group infects organisations with “HDRoot”, a universal platform for a sustainable and persistent appearance in a targeted system, which can be used as a foothold for any arbitrary tool.

Kaspersky Lab experts monitoring the Winnti group - notorious for industrial cyberespionage campaigns targeting software companies - recently announced the discovery of an active threat based on a 2006 bootkit installer.

Called "HDRoot" (originally named "HDDRootkit"), it is a universal platform for a sustainable and persistent appearance in a targeted system, which can be used as a foothold for any arbitrary tool.

Kaspersky Lab's Global Research and Analysis Team (GReAT) first came across the malware sample and noted that it was protected with a commercial VMProtect Win64 executable signed with a known compromised certificate belonging to the Chinese entity Guangzhou YuanLuo Technology, a certificate that the Winnti group was known to have abused to sign other tools.

Additionally, the properties and output text of the executable were spoofed to make it look like Microsoft's Net Command net.exe, obviously to reduce the risk of system administrators exposing the programme as hostile.

Further analysis revealed that HDRoot can be used to launch any other tool. The GReAT researchers were able to identify two types of backdoors launched with the help of this platform, and there may be more. One of these backdoors was able to bypass well-established anti-virus products in South Korea - AhnLab's V3 Lite, AhnLab's V3 365 Clinic and ESTsoft's ALYac. Winnti therefore used it to launch malware products on target machines in South Korea.

According to Kaspersky Security Network data, South Korea is the main area of interest for the Winnti group in Asia, with other targets in this region including organisations in Japan, China, Bangladesh and Indonesia. Kaspersky Lab has also detected HDRoot infections in a company in the UK and in Russia, both of which have previously been targeted by the Winnti group.

"The most important goal for any APT-actor is to stay under the radar, to remain in the shadows. That's why we rarely see any complicated code encryption, because that would attract attention," said Dmitry Tarakanov, Senior Security Researcher in Kaspersky Lab's GReAT. "The Winnti group took a risk, because it probably knows from experience which signs should be covered up and which ones can be overlooked, because organisations don't always apply all the best security policies all of the time. System administrators have to keep on top of many things; and if the team is small, the chance that cybercriminal activity will remain undetected is even higher."

 
