Software: Winnti

From enterprise
Jump to: navigation, search
Winnti
Software
ID S0141
Aliases Winnti
Type Malware

Winnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware.123

Techniques Used

  • Masquerading - A Winnti implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.2
  • Rundll32 - The Winnti installer loads a DLL using rundll32.2
  • New Service - Winnti sets its DLL file as a new service in the Registry to establish persistence.2

Groups

The following groups use this software: