Winnti Group
Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. [1] [2] [3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group. [4]
ID: G0044
Associated Groups: Blackfly
Contributors: Edward Millington
Version: 1.0
Created: 31 May 2017
Last Modified: 04 May 2020
Associated Group Descriptions
| Name | Description |
|---|---|
| Blackfly | [5] |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1057 | Process Discovery |
Winnti Group looked for a specific process running on infected servers.[1] |
|
| Enterprise | T1014 | Rootkit |
Winnti Group used a rootkit to modify typical server functionality.[1] |
|
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Winnti Group used stolen certificates to sign its malware.[1] |
Software
| ID | Name | References | Techniques |
|---|---|---|---|
| S0141 | Winnti for Windows | Create or Modify System Process: Windows Service, Masquerading: Match Legitimate Name or Location, Signed Binary Proxy Execution: Rundll32 |
References
- Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.