Google’s Chronicle Security team discovered that a Linux version of the Winnti malware was used in the 2015 hack of a Vietnamese gaming company.
The malware has proved to be a popular tool used by Beijing hackers over the last decade and has been used against various targets for varied motivations, including a German pharmaceutical company in April 2019.
Researchers identified a small cluster of Winnti samples built specifically for Linux that act as a backdoor, giving threat actors unauthorized access to infected hosts, according to a May 15 blog post.
The malware consists of two files: a main backdoor and a library used to hide the malware’s activity. The core component is primarily designed to handle communications and to deploy modules directly from the command-and-control servers.
The library was found to be a copy of the open-source userland rootkit Azazel with minor changes; when executed, it registers symbols for multiple commonly used functions. The threat actors’ most distinct change to Azazel is the addition of a function named ‘Decrypt2,’ which is used to decode an embedded configuration in the same way the core implant does.
“Unlike standard Azazel which is configured to hide network activity based on port ranges, the Winnti-modified version keeps a list of process identifiers and network connections associated with the malware’s activity,” researchers said in the report. “This modification likely serves to simplify the operator’s sample configuration process by not having to denote specific ports to hide.”
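Because the modified Azazel library hides the implant’s processes and connections from hooked libc calls, a defender’s first two checks on a suspect Linux host are whether anything is being force-loaded into every process through /etc/ld.so.preload (the usual loading point for this class of LD_PRELOAD rootkit) and whether the kernel acknowledges process IDs that a directory listing of /proc does not show. The following Python is an added example written for this article, not code from Chronicle’s report or from the malware. It assumes the hook covers libc’s directory enumeration but not the kill() wrapper, and it filters out thread IDs, which kill() also accepts but /proc never lists at top level.

```python
"""Added example: defender-side checks for an LD_PRELOAD userland rootkit.

Constructed for this article; it is not Chronicle's code and uses none of the
malware's own identifiers. Assumptions are marked in the comments.
"""
import os

PRELOAD_PATH = "/etc/ld.so.preload"  # libraries listed here load into every process


def parse_preload(text):
    """Return the library paths named in ld.so.preload content.

    Entries are separated by whitespace or newlines; '#' starts a comment.
    A clean host usually has no such file at all, so any entry deserves a look.
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.split())
    return libs


def pids_via_listing(proc_root="/proc"):
    """PIDs as seen through opendir()/readdir() on /proc.

    A preload rootkit that hooks readdir() can drop entries from this view.
    """
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_via_kill(max_pid):
    """PIDs discovered with kill(pid, 0): no signal is delivered, but the
    kernel still reports whether the ID exists (EPERM also means it exists).

    Assumption: the hook does not cover the kill() wrapper. The point is to
    use a second enumeration path that bypasses the hooked call.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # ESRCH: no such process
        except PermissionError:
            pass              # EPERM: exists, but belongs to another user
        found.add(pid)
    return found


def hidden_pids(listed, probed):
    """IDs the kernel acknowledges that the directory listing did not show."""
    return sorted(set(probed) - set(listed))


def classify(pid, proc_root="/proc"):
    """Tell a real candidate apart from a harmless thread ID.

    kill() accepts thread IDs, which never appear as top-level /proc entries,
    so a real process has Tgid == Pid in /proc/<pid>/status. If the status
    file cannot be opened at all, either the process exited between the two
    enumerations (a race) or an open() hook is hiding it: report it either way.
    """
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
    except OSError:
        return "unreadable"
    if fields.get("Tgid", "").strip() != str(pid):
        return "thread"
    return "unlisted"


def read_max_pid(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound for the probe loop; falls back if the file is unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def find_hidden(proc_root="/proc"):
    """Cross-check the two views and return [(pid, kind), ...] worth a look."""
    listed = pids_via_listing(proc_root)
    probed = pids_via_kill(read_max_pid())
    listed |= pids_via_listing(proc_root)  # second pass absorbs processes started meanwhile
    report = []
    for pid in hidden_pids(listed, probed):
        kind = classify(pid, proc_root)
        if kind != "thread":
            report.append((pid, kind))
    return report


if __name__ == "__main__":
    if os.path.exists(PRELOAD_PATH):
        with open(PRELOAD_PATH) as f:
            print("preloaded libraries:", parse_preload(f.read()))
    else:
        print("no", PRELOAD_PATH)
    for pid, kind in find_hidden():
        print(f"pid {pid}: {kind}")
```

Run it as root so the probe can read every /proc/<pid>/status; an "unlisted" result is a process the kernel knows about that readdir() on /proc did not return, and an "unreadable" one should be re-checked to rule out a race with a process that simply exited. Neither check is conclusive on its own, since a hook that also wraps kill() would defeat the probe, but together with the preload file they cover the two things this class of rootkit has to do: get loaded, and lie about directory contents.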
Researchers weren’t able to recover any active plugins but believe the operators commonly deploy plugins for remote command execution, file extraction and SOCKS5 proxying.
Casey Ellis, CTO and founder of Bugcrowd, told SC Media that while Linux isn’t the most commonly discussed malware platform, attackers have been implanting and exploiting Linux systems for decades and tend to take what works for them and standardize on it.
“The news of this Linux variant of Winnti is no surprise to me; attackers will use whatever attack method they prefer and apply it to every operating system,” Ellis said. “The porting of Winnti to Linux indicates the fondness of the Winnti malware platform as this attacker’s exploitation tool of choice.”