GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Groups
  3. Winnti Group

Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. [1] [2] [3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group. [4]

ID: G0044
Associated Groups: Blackfly
Contributors: Edward Millington
Version: 1.1
Created: 31 May 2017
Last Modified: 24 August 2020
Version Permalink

Associated Group Descriptions

Name Description
Blackfly

[5]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1057 Process Discovery

Winnti Group looked for a specific process running on infected servers.[1]
Enterprise T1014 Rootkit

Winnti Group used a rootkit to modify typical server functionality.[1]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Winnti Group used stolen certificates to sign its malware.[1]

Software

ID Name References Techniques
S0501 PipeMon [6] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Create Process with Token, Boot or Logon Autostart Execution: Print Processors, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Fallback Channels, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Injection: Dynamic-link Library Injection, Shared Modules, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Time Discovery
S0141 Winnti for Windows [1][2] Create or Modify System Process: Windows Service, Masquerading: Match Legitimate Name or Location, Signed Binary Proxy Execution: Rundll32

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  2. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
  3. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  1. Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.
  2. DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
  3. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.