Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the Winnti malware family is shared across a number of actors, including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.[1]
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Winnti for Linux has used HTTP in outbound communications.[1] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.[1] |
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).[1] |
Enterprise | T1105 | Ingress Tool Transfer | Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and SOCKS5 proxying on the infected host.[1] |
Enterprise | T1095 | Non-Application Layer Protocol | Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.[1] |
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Winnti for Linux can encode its configuration file with single-byte XOR encoding.[1] |
Enterprise | T1014 | Rootkit | Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity.[1] |
Enterprise | T1205 | Traffic Signaling | Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.[1] |
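
For analysts triaging a suspected sample, the single-byte XOR encoding noted under T1027.013 and T1140 can usually be reversed without knowing the key. The following is an added example, not code from the original page or from any Winnti report: it assumes the encoded region is NUL-padded (so the key is the most frequent byte), and the sample blob, its field values and the key are constructed for illustration and do not reflect the real configuration layout.

```python
import re
from collections import Counter

# Constructed sample, NOT a real Winnti for Linux configuration: three
# fixed-width, NUL-padded fields XORed with one arbitrarily chosen byte.
_FIELDS = [b"c2.example.invalid", b"443", b"campaign-01"]
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for f in _FIELDS for b in f.ljust(32, b"\x00"))


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of the blob."""
    return bytes(b ^ key for b in blob)


def text_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or NUL padding."""
    if not data:
        return 0.0
    return sum(b == 0 or 0x20 <= b <= 0x7E for b in data) / len(data)


def extract_strings(decoded: bytes, min_len: int = 3) -> list:
    """Return runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, decoded)]


def recover_config(blob: bytes, min_ratio: float = 0.95, max_candidates: int = 8):
    """Guess the XOR key from byte frequency and return (key, strings).

    Assumption: padding bytes are NUL, and NUL ^ key == key, so the key
    shows up as one of the most frequent bytes in the encoded blob.
    Returns None when no candidate decodes to mostly text.
    """
    for key, _count in Counter(blob).most_common(max_candidates):
        if key == 0:
            continue  # a key of 0 would mean the data is not encoded
        decoded = xor_decode(blob, key)
        if text_ratio(decoded) >= min_ratio:
            return key, extract_strings(decoded)
    return None


if __name__ == "__main__":
    print(recover_config(SAMPLE_BLOB))
```

If the padding assumption does not hold for a given sample, raise `max_candidates` to 256 and review every key that passes the ratio check rather than trusting the first hit.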

ID | Name | References |
---|---|---|
G1006 | Earth Lusca | |
G0096 | APT41 | |
G0143 | Aquatic Panda | Aquatic Panda used Winnti for Linux for access to victim Linux hosts during intrusions.[4] |