Register to stream ATT&CKcon 2.0 October 29-30
GROUPS
Overview admin@338 APT1 APT12 APT16 APT17 APT18 APT19 APT28 APT29 APT3 APT30 APT32 APT33 APT37 APT38 APT39 Axiom BlackOasis BRONZE BUTLER Carbanak Charming Kitten Cleaver Cobalt Group CopyKittens Dark Caracal Darkhotel DarkHydrus Deep Panda Dragonfly Dragonfly 2.0 DragonOK Dust Storm Elderwood Equation FIN10 FIN4 FIN5 FIN6 FIN7 FIN8 Gallmaker Gamaredon Group GCMAN Gorgon Group Group5 Honeybee Ke3chang Lazarus Group Leafminer Leviathan Lotus Blossom Magic Hound menuPass Moafee Molerats MuddyWater Naikon NEODYMIUM Night Dragon OilRig Orangeworm Patchwork PittyTiger PLATINUM Poseidon Group PROMETHIUM Putter Panda Rancor RTM Sandworm Team Scarlet Mimic Silence SilverTerrier Soft Cell Sowbug Stealth Falcon Stolen Pencil Strider Suckfly TA459 TA505 Taidoor TEMP.Veles The White Company Threat Group-1314 Threat Group-3390 Thrip Tropic Trooper Turla Winnti Group WIRTE
  1. Home
  2. Groups
  3. Winnti Group

Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. [1] [2] [3] Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group. [4]

ID: G0044
Associated Groups: Blackfly
Contributors: Edward Millington
Version: 1.0

Associated Group Descriptions

Name Description
Blackfly [5]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing Winnti Group used stolen certificates to sign its malware. [1]
Enterprise T1057 Process Discovery Winnti Group looked for a specific process running on infected servers. [1]
Enterprise T1014 Rootkit Winnti Group used a rootkit to modify typical server functionality. [1]

Software

ID Name References Techniques
S0141 Winnti [1] [2] Masquerading, New Service, Rundll32

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  2. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
  3. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  1. Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.
  2. DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.