Wingbird

Wingbird is a backdoor that appears to be a version of the commercial FinFisher software. It is reportedly used to attack individual computers rather than networks. It was used by NEODYMIUM in a May 2016 campaign. [1] [2]

ID: S0176
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 16 January 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .008 Boot or Logon Autostart Execution: LSASS Driver

Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe before the spoofed service becomes unstable and crashes.[1][3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.[1][3]

Enterprise T1068 Exploitation for Privilege Escalation

Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Wingbird side-loads a malicious file, sspisrv.dll, as part of a spoofed lsass.exe service.[1][3]

Enterprise T1070 .004 Indicator Removal: File Deletion

Wingbird deletes its payload along with the payload's parent process after it finishes copying files.[1]

Enterprise T1055 Process Injection

Wingbird performs multiple process injections to hijack system processes and execute malicious code.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Wingbird checks for the presence of Bitdefender security software.[1]

Enterprise T1082 System Information Discovery

Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.[1]

Enterprise T1569 .002 System Services: Service Execution

Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.[1][3]
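The entries above for T1547.008, T1543.003, T1574.002 and T1569.002 describe one chain: services.exe registers an autostart service named "Audit Service" whose binary is a copy of lsass.exe outside System32, and that copy loads a malicious sspisrv.dll dropped beside it. The following is an added detection example, not code from the ATT&CK page or from any referenced report; it runs over constructed service-install and image-load records whose field names (service_name, image_path, process, image) are assumptions for this example, and it treats the System32 directory as the only expected location for lsass.exe and sspisrv.dll.

```python
import ntpath

# Constructed sample telemetry for this example (not real events): two records in
# the shape of a Windows service-install audit event and two in the shape of a
# module-load event. Field names are assumptions, not a product schema.
SAMPLE_EVENTS = [
    {"type": "service_install", "service_name": "Audit Service",
     "image_path": r"C:\ProgramData\audit\lsass.exe", "start_type": "auto",
     "installer": r"C:\Windows\System32\services.exe"},
    {"type": "service_install", "service_name": "Windows Update",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs", "start_type": "auto",
     "installer": r"C:\Windows\System32\services.exe"},
    {"type": "image_load", "process": r"C:\ProgramData\audit\lsass.exe",
     "image": r"C:\ProgramData\audit\sspisrv.dll"},
    {"type": "image_load", "process": r"C:\Windows\System32\lsass.exe",
     "image": r"C:\Windows\System32\sspisrv.dll"},
]

# Assumption: the genuine lsass.exe and sspisrv.dll live only here.
SYSTEM32 = r"c:\windows\system32"


def _executable(command_line: str) -> str:
    """Return the executable path from a service ImagePath, dropping arguments."""
    s = command_line.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]


def _in_system32(path: str) -> bool:
    return ntpath.dirname(path).casefold() == SYSTEM32


def _name(path: str) -> str:
    return ntpath.basename(path).casefold()


def analyze(events):
    """Return (technique_id, description) findings for the Wingbird service chain."""
    findings = []
    for e in events:
        if e["type"] == "service_install":
            exe = _executable(e["image_path"])
            # Service name reported for Wingbird (T1543.003 / T1569.002).
            if e["service_name"].casefold() == "audit service":
                findings.append(("T1543.003",
                                 f"service named {e['service_name']!r} installed by {e['installer']}"))
            # A copy of lsass.exe registered as a service binary from a
            # non-system directory (T1547.008).
            if _name(exe) == "lsass.exe" and not _in_system32(exe):
                findings.append(("T1547.008",
                                 f"lsass.exe copy registered as service binary at {exe}"))
        elif e["type"] == "image_load":
            # sspisrv.dll resolved from the directory of the spoofed lsass.exe
            # rather than System32 (T1574.002).
            if _name(e["image"]) == "sspisrv.dll" and not _in_system32(e["image"]):
                findings.append(("T1574.002",
                                 f"sspisrv.dll loaded from {e['image']} by {e['process']}"))
    return findings


if __name__ == "__main__":
    for technique, detail in analyze(SAMPLE_EVENTS):
        print(technique, detail)
```

Each rule keys on a distinct artifact named on this page (the service name, the relocated lsass.exe, the side-loaded sspisrv.dll), so a single match is a lead and two or more together on one host are a strong indicator; the benign svchost.exe service and the System32 load in the sample produce no findings.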

Groups That Use This Software

ID Name References
G0055 NEODYMIUM [2][1]
