Kaspersky Lab experts tracking the activity of the Winnti group have discovered an active threat based on a 2006 bootkit installer. The threat, which Kaspersky Lab has called “HDRoot” after the original tool’s name “HDD Rootkit”, is a universal platform for a sustainable and persistent appearance in a targeted system, which can be used as a foothold for any arbitrary tool.
The Winnti criminal organization is known for industrial cyberespionage campaigns targeting software companies, especially those in the gaming industry. Recently it has also been observed targeting pharmaceutical businesses.
“HDRoot” was discovered when an intriguing sample of malware sparked the interest of Kaspersky Lab’s Global Research and Analysis Team (GReAT) for the following reasons:
- It was protected with a commercial VMProtect Win64 executable signed with a known compromised certificate belonging to the Chinese entity, Guangzhou YuanLuo Technology; a certificate that the Winnti group was known to have abused to sign other tools;
- The properties and output text of the executable were spoofed to make it look like a Microsoft’s Net Command net.exe, obviously to reduce the risk of system administrators exposing the program as hostile.
Taken together, this made the sample look suitably suspicious. Further analysis showed that the HDRoot bootkit is a universal platform for a sustainable and persistent appearance in a system. It can be used to launch any other tool. The GReAT researchers were able to identify two types of backdoors launched with the help of this platform, and there may be more. One of these backdoors was able to bypass well-established anti-virus products in South Korea - AhnLab’s V3 Lite, AhnLab’s V3 365 Clinic and ESTsoft’s ALYac. Winnti therefore used it to launch malware products on target machines in South Korea.
According to Kaspersky Security Network data, South Korea is the main area of interest for the Winnti group in South East Asia; with other targets in this region including organizations in Japan, China, Bangladesh and Indonesia. Kaspersky Lab has also detected HDRoot infections in a company in the UK and in one in Russia, both of which have previously been targeted by the Winnti group.
“The most important goal for any APT-actor is to stay under the radar, to remain in the shadow. That’s why we rarely see any complicated code encryption, because that would attract attention. The Winnti group took a risk, because it probably knows from experience which signs should be covered-up and which ones can be overlooked because organizations don’t always apply all the best security policies all of the time. System administrators have to keep on top of many things, and if the team is small, the chance that cybercriminal activity will remain undetected is even higher.” – said Dmitry Tarakanov, Senior Security Researcher in Kaspersky Lab’s GReAT team.
The development of the HDD Rootkit is likely to be the work of someone who went on to join the Winnti group when it was set up. Kaspersky Lab believes that Winnti was forming into a group in 2009, so didn’t yet exist in 2006. But there is a possibility that Winnti made use of third-party software. Perhaps this utility and source code are available on the Chinese or other cybercriminal black market. The threat is still active. Since Kaspersky Lab started to add detections, the group behind the attacks has started to adapt them – in less than a month, a new modification was identified.
Kaspersky Lab’s products successfully block the malware and protect users against the threat.
Learn more about Chinese-language APT campaigns here.
To learn more about the Winnti Group’s attack platform, please read the blog post available at Securelist.com.