Winnti for Linux

Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.[1]

ID: S0430
Platforms: Linux
Version: 1.0
Created: 29 April 2020
Last Modified: 01 July 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Winnti for Linux has used HTTP in outbound communications.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).[1]

Enterprise T1105 Ingress Tool Transfer

Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. [1]

Enterprise T1095 Non-Application Layer Protocol

Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.[1]

Enterprise T1027 Obfuscated Files or Information

Winnti for Linux can encode its configuration file with single-byte XOR encoding.[1]

Enterprise T1014 Rootkit

Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named, to hide the malware's operations and network activity.[1]

Enterprise T1205 Traffic Signaling

Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.[1]

Groups That Use This Software

ID Name References
G1006 Earth Lusca


G0096 APT41