Software: Wingbird

Wingbird
Software
ID S0176
Aliases Wingbird
Type Malware
Platform Windows

Wingbird is a backdoor that appears to be a version of the commercial FinFisher software. It is reportedly used to attack individual computers rather than networks. It was used by NEODYMIUM in a May 2016 campaign.[1][2]

Alias Descriptions

Techniques Used

  • LSASS Driver - Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe, before the spoofed service becomes unstable and crashes.[1][3]
  • New Service - Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.[1][3]
  • Service Execution - Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.[1][3]
  • DLL Side-Loading - Wingbird side-loads a malicious file, sspisrv.dll, as part of a spoofed lsass.exe service.[1][3]
  • System Information Discovery - Wingbird checks the victim OS version after executing to determine where to drop files, based on whether the victim is 32-bit or 64-bit.[1]
  • File Deletion - Wingbird deletes its payload along with the payload's parent process after it finishes copying files.[1]
  • Process Injection - Wingbird performs multiple process injections to hijack system processes and execute malicious code.[1]
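The service and side-loading techniques above share one observable: the real lsass.exe and the real sspisrv.dll both live in System32, while Wingbird runs a copy of lsass.exe from another directory and loads a sspisrv.dll placed beside it. The following is an added hunting example, not code from MITRE ATT&CK or from the cited reports. It runs over a handful of constructed service-install and image-load records (field names modelled loosely on Sysmon/System-log fields; the events, paths and a C:\Windows system root are assumptions of the example, not observed telemetry) and flags records that match the page's indicators.

```python
import re
from pathlib import PureWindowsPath

# The genuine lsass.exe and sspisrv.dll live here; the page's indicators are
# copies that run or load from somewhere else.
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Service name the page reports Wingbird registering via services.exe.
WINGBIRD_SERVICE_NAME = "audit service"

# Constructed sample events (not real telemetry) in a simplified dict form.
SAMPLE_EVENTS = [
    # Legitimate: the real lsass.exe loading the real sspisrv.dll.
    {"event": "ImageLoad",
     "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\sspisrv.dll"},
    # Legitimate: a built-in service whose ImagePath is the System32 lsass.exe.
    {"event": "ServiceInstall", "ServiceName": "SamSs",
     "ImagePath": r"%SystemRoot%\system32\lsass.exe"},
    # Wingbird-style: new autostart service backed by a copied lsass.exe
    # (the destination directory is an assumption of this example).
    {"event": "ServiceInstall", "ServiceName": "Audit Service",
     "ImagePath": r"C:\ProgramData\Audit\lsass.exe", "StartType": "auto start"},
    # Wingbird-style: the copied lsass.exe loading a sspisrv.dll placed beside it.
    {"event": "ImageLoad",
     "Image": r"C:\ProgramData\Audit\lsass.exe",
     "ImageLoaded": r"C:\ProgramData\Audit\sspisrv.dll"},
]


def normalize(path):
    """Turn a raw ImagePath / Image field into a comparable Windows path.

    Expands the %SystemRoot% / %windir% prefixes service entries commonly use,
    then drops surrounding quotes and any trailing arguments.  A system root of
    C:\\Windows is assumed (an assumption of this example).
    """
    path = re.sub(r"%systemroot%|%windir%", lambda _: r"C:\Windows",
                  path.strip(), flags=re.I)
    m = re.match(r'"?(.+?\.(?:exe|dll))(?:"|\s|$)', path, flags=re.I)
    return PureWindowsPath(m.group(1) if m else path)


def in_system32(path):
    """True when the file sits directly in System32.

    PureWindowsPath compares case-insensitively, so system32 == System32.
    """
    return path.parent == SYSTEM32


def analyze(events):
    """Return one finding per event that matches a Wingbird-style indicator."""
    findings = []
    for ev in events:
        reasons = []
        if ev["event"] == "ServiceInstall":
            img = normalize(ev["ImagePath"])
            # A service whose binary is named lsass.exe but is not the System32
            # one is the page's "copy of the local lsass.exe" pattern.
            if img.name.lower() == "lsass.exe" and not in_system32(img):
                reasons.append("lsass_copy_as_service")
            if ev["ServiceName"].lower() == WINGBIRD_SERVICE_NAME:
                reasons.append("wingbird_service_name")
        elif ev["event"] == "ImageLoad":
            proc = normalize(ev["Image"])
            mod = normalize(ev["ImageLoaded"])
            # The real sspisrv.dll is in System32; one loaded from the
            # directory the process runs in is the side-loading pattern.
            if mod.name.lower() == "sspisrv.dll" and not in_system32(mod):
                reasons.append("sspisrv_sideload")
            if proc.name.lower() == "lsass.exe" and not in_system32(proc):
                reasons.append("lsass_copy_running")
        if reasons:
            findings.append({"reasons": reasons, "event": ev})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(", ".join(f["reasons"]), "<-", f["event"])
```

The path check matters more than the service name: the name "Audit Service" is trivially changed by an operator, whereas a process called lsass.exe running outside System32, or a sspisrv.dll loading from anywhere but System32, is anomalous on any Windows host regardless of the sample. Note that legitimate services (SamSs, for example) do point at the System32 lsass.exe, which is why the example keys on the directory rather than on the file name alone.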

Groups

The following groups use this software: