Winnti is a family of malware used by multiple Chinese threat actors like APT41. Carbon Black’s Threat Analysis Unit (TAU) is providing this technical analysis, YARA rules, IOCs and product rules for the research community.
Behavioral Summary
Winnti malware is installed manually with stolen privileged credentials or by exploiting system vulnerabilities since it requires an AES key string to decrypt a DAT file.
CB Threat Hunter will show the natural progression of this malware execution.
Additionally CB Defense will display TTPs created by the malware.
If you are a Carbon Black customer looking to learn how to defend against this attack, click here.
MITRE ATT&CK TIDs
|
TID |
Tactic |
Description |
|
T1050 |
Persistence, Privilege Escalation |
Service Registry Permissions Weakness |
|
T1058 |
Persistence, Privilege Escalation |
New Service |
|
T1045 |
Defense Evasion |
Software Packing |
|
T1112 |
Defense Evasion |
Modify Registry |
|
T1057 |
Discovery |
Process Discovery |
|
T1071 |
Command And Control |
Standard Application Layer Protocol |
|
T1032 |
Command And Control |
Standard Cryptographic Protocol |
|
T1094 |
Command And Control |
Custom Command and Control Protocol |
|
T1024 |
Command And Control |
Custom Cryptographic Protocol |
|
T1095 |
Command And Control |
Standard Non-Application Layer Protocol |
|
T1085 |
Defense Evasion, Execution |
Rundll32 |
|
T1038 |
Persistence, Privilege Escalation, Defense Evasion |
DLL Search Order Hijacking |
|
T1088 |
Defense Evasion, Privilege Escalation |
Bypass User Account Control |
|
T1099 |
Defense Evasion |
Timestomp |
|
T1002 |
Exfiltration |
Data Compressed |
|
T1022 |
Exfiltration |
Data Encrypted |
YARA Rules
The rules are available publically here.
Indicators of Compromise (IOCs)
|
Indicator |
Type |
Context |
|
5ebf39d614c22e750bb8dbfa3bcb600756dd3b36929755db9b577d2b653cd2d1 794e127d627b3af9015396810a35af1c |
SHA256 MD5 |
Winnti 4.0 DAT loader x64, shared by Macnica Networks |
|
d16e01dbb894a40ff0c8b3f6b25a41d190db03c15c432ac50c3784a9880d376e 2b87dd7984c772fb7c7b262016f07665 |
SHA256 MD5 |
Winnti 4.0 dll x64, shared by Macnica Networks |
|
355d1ada949d28e535f707b82a31fce8687154bfc5ab76e9f83dd6a351d76b9f ce9baade675cae3d179cb703c87422fe |
SHA256 MD5 |
Winnti 4.0 hack tool |
|
ddda469518921837d51d106ff2e2b243ade8f8ef02845dee0d77d1c348547bd5 0a3edfa038ae8ba96cfe0928f2bc2f05 |
SHA256 MD5 |
Winnti 4.0 DAT loader x64 |
|
fe2b6c42b3a354c42c7d9c5b04bcaae914ff03ba5792835cb1f35aa6eff2cdf7 aaf8f7895c5ffbb855254d322f114527 |
SHA256 MD5 |
Winnti 4.0 DAT loader x64 |
|
b81bd877a2da4598f44cf1c06e79fee33f8f506060b2d67e869a35d5f45cc915 476a7a4c04f55d2ce8fe65d3728a0162 |
SHA256 MD5 |
Winnti 4.0 hack tool |
|
31befd3393750a5a3b48ab05e43d9affb47e648b40903ac014bcec68cc087cee 52449d12ae6e5af5ae22150c740e262c |
SHA256 MD5 |
Winnti 4.0 hack tool |
|
fb2478039c371f0fd8fbef217867ae77cdad7fb186e133723503cd70bb6f2a3e 8593f147507b700ef0722a390b264757 |
SHA256 MD5 |
Winnti 4.0 DAT loader x64 |
|
a259a52d53e6d7c1bf864446a380966db82370009a8db4b08cfe09abae77d2df 9864437fc844d928a67e8c6ecff2edd6 |
SHA256 MD5 |
Winnti 4.0 hack tool |
|
0fdcbd59d6ad41dda9ae8bab8fad9d49b1357282027e333f6894c9a92d0333b3 da3b64ec6468a4ec56f977afb89661b1 |
SHA256 MD5 |
Winnti 4.0 DAT loader x86 |
|
4b0d86ba4f5e3b515f2a1c68e8798e40e080ecf7bccc502e0b27445b404f7886 dd34560ea3e6272663c4c78ad1e2c8b4 |
SHA256 MD5 |
Winnti 4.0 dll x86 |
|
b49f52c69badd3ebca9aee984805d93dcb24a6863d752d99d1e62d6bf7ab3f77 225e239909a48c291a178b0ef0ce3aa4 |
SHA256 MD5 |
Winnti 4.0 DAT loader x86 |
|
bf0d37fffa1de72ae4dec8228d5e3c8adafc59b969449ebf924818cd33f8b4a3 22a59a227bddcb158403a023fe2630ef |
SHA256 MD5 |
Winnti 4.0 DAT loader x86 |
|
64a08eb97c7e0d8c34dfbe368892c07b78a4a3f1f271824854f5ea99097fcf2f df67017e9c102b23b9da2db008aff7a1 |
SHA256 MD5 |
Winnti 4.0 dat file |
|
ae9a4d32abc7830393c5800c07bcfa4a7d1e5701370d9440377a5911c9fb3fb9 7c76f5f65f17329bf1468e6b06631bd7 |
SHA256 MD5 |
Winnti 4.0 DAT loader x64 |
|
4340186d5609a903d6148c39b4944a2c18b85729035133f4a3b7b7a0eb1ed1ee 195dd09a56e288d13c0c46ff117a5332 |
SHA256 MD5 |
Winnti 4.0 DAT loader x86 |
|
d5d24f9bd269b0564f57bec005dbc51688c9a5d2f4eb8f2e8b61b720424ce6bf 79939742f6efd865c112f764ebdaf7c5 |
SHA256 MD5 |
Winnti 4.0 DAT loader x64 |
|
fc325e6655134fbb8ffac743db626938e45a99103035e16618ab967958d32421 9366e52e76435dc91dd03af8c234ea0b |
SHA256 MD5 |
Winnti 4.0 DAT loader x64 |
|
13aed842a6b43e61fd8e076cdfa9d96ec9ad917e073740bbd99ccb395eb3c9fe 048b0012d4a389b5489e0e4ee4a5b615 |
SHA256 MD5 |
Winnti 4.0 DAT loader x86 |
The post CB TAU Threat Intelligence Notification: Winnti Malware 4.0 appeared first on Carbon Black.
Article Link: https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/