Wingbird

Wingbird is a backdoor that appears to be a version of the commercial FinFisher software. It is reportedly used to attack individual computers rather than networks. NEODYMIUM used it in a May 2016 campaign. [1] [2]

ID: S0176
Aliases: Wingbird
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

Name        Description
Wingbird    [1] [2] [3]

Techniques Used

Domain     | ID    | Name                                   | Use
Enterprise | T1073 | DLL Side-Loading                       | Wingbird side-loads a malicious file, sspisrv.dll, as part of a spoofed lsass.exe service. [1][3]
Enterprise | T1068 | Exploitation for Privilege Escalation  | Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges. [1]
Enterprise | T1107 | File Deletion                          | Wingbird deletes its payload, along with the payload's parent process, after it finishes copying files. [1]
Enterprise | T1177 | LSASS Driver                           | Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by the lsass.exe copy, before the spoofed service becomes unstable and crashes. [1][3]
Enterprise | T1050 | New Service                            | Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file. [1][3]
Enterprise | T1055 | Process Injection                      | Wingbird performs multiple process injections to hijack system processes and execute malicious code. [1]
Enterprise | T1063 | Security Software Discovery            | Wingbird checks for the presence of Bitdefender security software. [1]
Enterprise | T1035 | Service Execution                      | Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file. [1][3]
Enterprise | T1082 | System Information Discovery           | Wingbird checks the victim's OS version after execution and chooses where to drop its files based on whether the OS is 32-bit or 64-bit. [1]
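The DLL Side-Loading, LSASS Driver and New Service rows above describe one chain: a copy of lsass.exe is dropped next to a malicious sspisrv.dll and registered as the "Audit Service". The genuine lsass.exe and the genuine sspisrv.dll live only in System32, so the hunting pivot is any lsass.exe running or registered from elsewhere, any sspisrv.dll loaded from elsewhere, and a service carrying that name. The following is an added example, not code from this page or from any Wingbird sample; it runs those checks over constructed, Sysmon-like records whose field names (type, image_path, service_name, process_path, module_path) are assumptions rather than a real telemetry schema.

```python
"""Hunting heuristics for the Wingbird service/side-loading pattern.

Added example, not code from the ATT&CK page or from any Wingbird sample.
The records below are constructed, Sysmon-like events; the field names
(type, image_path, service_name, process_path, module_path) are assumptions,
not a real telemetry schema.
"""
import ntpath

SYSTEM32 = r"c:\windows\system32"


def _norm(path):
    """Lower-case a Windows path and unify separators for comparison."""
    return path.replace("/", "\\").lower()


def _in_system32(path):
    """True when the file sits directly in %SystemRoot%\\System32."""
    return ntpath.dirname(_norm(path)) == SYSTEM32


def check_service_create(ev):
    """Service registration checks.

    The genuine lsass.exe lives only in System32, so a service whose binary is
    an lsass.exe anywhere else is a copy, which is how Wingbird registered its
    "Audit Service" through services.exe.
    """
    findings = []
    image = _norm(ev["image_path"])
    if ntpath.basename(image) == "lsass.exe" and not _in_system32(image):
        findings.append("service binary is an lsass.exe copy outside System32")
    if ev.get("service_name", "").strip().lower() == "audit service":
        findings.append('service registered under the name "Audit Service"')
    return findings


def check_image_load(ev):
    """Module-load checks.

    The legitimate sspisrv.dll is loaded by the real lsass.exe from System32;
    an sspisrv.dll loaded from any other directory, or an lsass.exe running from
    any other directory, matches the side-loading described on this page.
    """
    findings = []
    proc = _norm(ev["process_path"])
    module = _norm(ev["module_path"])
    if ntpath.basename(module) == "sspisrv.dll" and not _in_system32(module):
        findings.append("sspisrv.dll loaded from a non-System32 directory")
    if ntpath.basename(proc) == "lsass.exe" and not _in_system32(proc):
        findings.append("lsass.exe executing from a non-System32 directory")
    return findings


def hunt(events):
    """Return [(event_id, [finding, ...])] for every event that matches."""
    hits = []
    for ev in events:
        if ev["type"] == "service_create":
            findings = check_service_create(ev)
        elif ev["type"] == "image_load":
            findings = check_image_load(ev)
        else:
            findings = []
        if findings:
            hits.append((ev["id"], findings))
    return hits


# Constructed sample telemetry: two benign records and two that mimic the
# Wingbird sequence (service registration, then the dropped lsass.exe copy
# loading sspisrv.dll from the same directory). Paths are made up.
SAMPLE_EVENTS = [
    {"id": 1, "type": "service_create", "creator": r"C:\Windows\System32\services.exe",
     "service_name": "wuauserv", "image_path": r"C:\Windows\System32\svchost.exe"},
    {"id": 2, "type": "image_load", "process_path": r"C:\Windows\System32\lsass.exe",
     "module_path": r"C:\Windows\System32\sspisrv.dll"},
    {"id": 3, "type": "service_create", "creator": r"C:\Windows\System32\services.exe",
     "service_name": "Audit Service", "image_path": r"C:\ProgramData\Audit\lsass.exe"},
    {"id": 4, "type": "image_load", "process_path": r"C:\ProgramData\Audit\lsass.exe",
     "module_path": r"C:\ProgramData\Audit\sspisrv.dll"},
]

if __name__ == "__main__":
    for event_id, findings in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: " + "; ".join(findings))
```

Only events 3 and 4 are flagged, each on two grounds. The path checks deliberately key on the directory rather than on a hash, because the dropped lsass.exe is a byte-identical copy of the local binary and would pass any known-good hash list; the service name is a weaker indicator on its own, since it is trivial for a sample to change.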

Groups

Groups that use this software:

NEODYMIUM

References