An Update on Winnti (LEAD/APT17)

Update: To better document and share the details of this post with the community, we're going to change from referring to this group as "Winnti" to the more appropriate "LEAD" title. Winnti originated in 2009 as a single group, but more current intelligence indicates that the original group can now be separated into LEAD (APT17) and BARIUM. The original "Winnti" name comes from the malware codebase that predates the potential split of the group.


In our recent post “Winnti Evolution - Going Open Source,” Nate Marx and I shared new details on the Winnti APT group and their continued targeting of online gaming organizations. The purpose of this follow-up post is to share some new information about the group and their continued activities.

The group continues to primarily use publicly available pentesting tools outside of the US. In the multiple incidents we have been involved in, the group has relied heavily on BeEF and Cobalt Strike. Cobalt Strike has been their primary toolset for command and control within the victim networks, while BeEF has been used to assist in the initial infection process.

From the network traffic analysis side, post-compromise activity produces some interesting but not unexpected traffic. First, Winnti uses Cobalt Strike to collect credentials and move laterally. The stolen credentials may then be used for remote access into the victim network where that is possible. The group also continues to focus on theft of code signing certificates and internal documentation, including company files and internal communication history (chats/emails).

In multiple incidents, we found the attackers were using the webbug_getonly malleable C2 profile, which masks itself as a Google Web Bug and performs both directions of communication using only HTTP GETs. The profile encrypts and then encodes victim metadata, placing it after the utmcc parameter with __utma inserted at the front. When not sending a command or file, the server responds with a small GIF (see Figure 1).

Figure 1: Cobalt Strike beacon example

When the server has commands or data to send the infected client, it responds with more data appended to the same small GIF it normally uses (see Figure 2). We also observed updated Cobalt Strike binaries being sent this way, typically in the clear.

Figure 2: Example C2 response containing new Cobalt Strike binary.
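The two observations above (metadata riding in utmcc behind a leading __utma, and tasking appended to the otherwise constant idle GIF) can be turned into a triage check over proxy or PCAP-extracted HTTP pairs. The following is an added example written for this post, not code from the original or from Cobalt Strike. It assumes a baseline copy of the idle GIF taken from your own traffic (a constructed 1x1 GIF stands in for it here), uses the standard Google Analytics request path /__utm.gif for the constructed samples, and applies one heuristic that is an assumption, not something stated in the post: a genuine __utma cookie value is a dotted run of integers, while an encoded blob is not.

```python
"""Triage helper for the webbug_getonly beacon pattern described above (added example)."""
import re

# Constructed 1x1 GIF standing in for the "small GIF" the server returns when idle.
# The real profile's image bytes are not reproduced here; substitute the GIF observed
# in your own traffic as the baseline.
IDLE_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)

# Heuristic (assumption): a legitimate Google Analytics __utma value is dotted
# integers; an encrypted-then-encoded metadata blob is not.
GA_UTMA_RE = re.compile(r"^\d+(\.\d+)+$")

# Pull the raw utmcc value without percent-decoding it, so '+' in an encoded blob survives.
UTMCC_RE = re.compile(r"[?&]utmcc=([^&]*)")


def beacon_metadata(request_target):
    """Return the opaque value carried after __utma in utmcc, or None when the
    request has no utmcc parameter or it does not begin with __utma."""
    m = UTMCC_RE.search(request_target)
    if not m:
        return None
    utmcc = m.group(1)
    if not utmcc.startswith("__utma"):
        return None
    # A real GA cookie string continues with ";+__utmz=..."; keep only the first field.
    return utmcc[len("__utma"):].lstrip("=").split(";")[0]


def classify_request(request_target):
    """'no-utmcc', 'ga-like' (dotted integers) or 'beacon-like' (opaque blob)."""
    blob = beacon_metadata(request_target)
    if blob is None:
        return "no-utmcc"
    return "ga-like" if GA_UTMA_RE.match(blob) else "beacon-like"


def classify_response(body, idle_gif=IDLE_GIF):
    """Compare a response body against the idle GIF baseline:
    'idle' (exactly the baseline), 'tasking' (baseline plus appended data),
    'tasking+pe' (appended data starts with an MZ header, i.e. a binary in the clear)."""
    if not body.startswith((b"GIF87a", b"GIF89a")):
        return "not-gif"
    if body == idle_gif:
        return "idle"
    if body.startswith(idle_gif):
        extra = body[len(idle_gif):]
        return "tasking+pe" if extra.startswith(b"MZ") else "tasking"
    return "other-gif"


# Constructed sample session: (request-target, response body) pairs. The /__utm.gif
# path is the normal Google Analytics web bug path, assumed here for the samples.
SAMPLE_SESSION = [
    ("/__utm.gif?utmac=UA-1234-1&utmcc=__utma=12345.67890.1.1.1.1;+__utmz=1.1.1.1", IDLE_GIF),
    ("/__utm.gif?utmac=UA-1234-1&utmcc=__utma=Q29uc3RydWN0ZWQgc2FtcGxl", IDLE_GIF),
    ("/__utm.gif?utmac=UA-1234-1&utmcc=__utma=Q29uc3RydWN0ZWQgc2FtcGxl", IDLE_GIF + b"\x01\x02\x03\x04"),
    ("/__utm.gif?utmac=UA-1234-1&utmcc=__utma=Q29uc3RydWN0ZWQgc2FtcGxl", IDLE_GIF + b"MZ\x90\x00" + b"\x00" * 60),
    ("/favicon.ico", b"\x00\x00\x01\x00"),
]


def summarize(session):
    """Count (request class, response class) pairs; a host producing
    'beacon-like' requests answered with 'tasking' responses is worth a look."""
    counts = {}
    for target, body in session:
        key = (classify_request(target), classify_response(body))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_SESSION).items()):
        print(f"{n:3d}  request={key[0]:<12} response={key[1]}")
```

The response check is deliberately anchored on the exact idle GIF rather than on "any GIF", since the post's point is that tasking arrives as extra bytes after the same image; a host whose baseline GIF differs needs its own baseline captured first.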

We’ll continue to monitor the Winnti group and share any new details when possible.

Indicators/Detection

Indicator                          Type
371acda8d719426b6a8867767260b9ce   MD5 Hash
e798cfe49e6afb61f58d79a53f06d785   MD5 Hash
8cf9db604b45bbf48f5d334dedf65e5b   MD5 Hash
19d12c8c98c1f21810efb43edc816c83   MD5 Hash
5e769c5f1a0679e997ee59f4f93840a5   MD5 Hash
d5d223f0112574d8a0e9e56bc94353ba   MD5 Hash
8cd778cd9b5e7201383f83e5927db6bf   MD5 Hash
42693ebe598ef575834d4f82adbd6593   MD5 Hash
immigrantlol[.]com                 Domain
awsstatics[.]com                   Domain
google-searching[.]com             Domain
alienlol[.]com                     Domain
dnslog[.]mobi                      Domain
exoticlol[.]com                    Domain
martianlol[.]com                   Domain
microsoftsec[.]com                 Domain
outerlol[.]com                     Domain
sqlmapff[.]com                     Domain
ssrsec[.]com                       Domain
strangelol[.]com                   Domain

  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (strangelol .com)"; flow:established,to_server; content:"strangelol.com"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600045; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (strangelol .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|strangelol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600044; rev:3;)
  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (ssrsec .com)"; flow:established,to_server; content:"ssrsec.com"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600043; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (ssrsec .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ssrsec|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600042; rev:3;)
  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (sqlmapff .com)"; flow:established,to_server; content:"sqlmapff.com"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600041; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (sqlmapff .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|sqlmapff|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600040; rev:3;)
  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (outerlol .com)"; flow:established,to_server; content:"outerlol.com"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600039; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (outerlol .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|outerlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600038; rev:3;)
  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (microsoftsec .com)"; flow:established,to_server; content:"microsoftsec.com"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600037; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (microsoftsec .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|microsoftsec|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600036; rev:3;)
  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (martianlol .com)"; flow:established,to_server; content:"martianlol.com"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600035; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (martianlol .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|martianlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600034; rev:3;)
  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (dnslog .mobi)"; flow:established,to_server; content:"dnslog.mobi"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600033; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (dnslog .mobi)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|dnslog|04|mobi|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600032; rev:3;)
  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (alienlol .com)"; flow:established,to_server; content:"alienlol.com"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600031; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (alienlol .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|alienlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600030; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (securitytactics .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|securitytactics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600029; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (yoyakuweb .technology)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|yoyakuweb|0a|technology|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600028; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (exoticlol .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|exoticlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600027; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (google-statics .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|google-statics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600026; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (google-searching .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|google-searching|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600025; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (awsstatics .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|awsstatics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600024; rev:3;)
  • alert udp $HOME_NET any -> any 53 (msg:"401TRG Possible Winnti-related DNS Lookup (immigrantlol .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|immigrantlol|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600023; rev:3;)
  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (google-searching .com)"; flow:established,to_server; content:"google-searching.com"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600022; rev:3;)
  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (awsstatics .com)"; flow:established,to_server; content:"awsstatics.com"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600021; rev:3;)
  • alert tcp $HOME_NET any -> any 80 (msg:"401TRG Possible Winnti-related Destination (immigrantlol .com)"; flow:established,to_server; content:"immigrantlol.com"; http_header; fast_pattern; reference:url,https://401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:600020; rev:3;)
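The DNS rules above all share one shape: ten header bytes at offset 2 (flags 0x0100, one question, no answer, authority or additional records) followed by the domain in wire-label form, matched case-insensitively anywhere after the header. The following added example, written for this post rather than taken from it or from Suricata, re-implements that match in Python so the rules can be exercised against constructed queries, renders a domain in the same |len|label| content syntax so each rule's length bytes can be checked against its domain, and shows a limit of the header match worth knowing about: a resolver that adds an EDNS0 OPT record sets ARCOUNT to 1, so the first content match fails for that query even when the name is on the list. The watchlist is the set of domains named in the rules; the packets are constructed test input.

```python
"""Emulation of the DNS lookup rules above, for testing and review (added example)."""
import struct

# Domains named in the rule set above (un-defanged so they can be label-encoded).
WATCHLIST = [
    "strangelol.com", "ssrsec.com", "sqlmapff.com", "outerlol.com",
    "microsoftsec.com", "martianlol.com", "dnslog.mobi", "alienlol.com",
    "securitytactics.com", "yoyakuweb.technology", "exoticlol.com",
    "google-statics.com", "google-searching.com", "awsstatics.com",
    "immigrantlol.com",
]

# Header bytes 2..11 as the rules require: flags 0x0100 (standard query, recursion
# desired), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0.
HEADER_CONTENT = bytes.fromhex("01000001000000000000")


def wire_labels(domain):
    """Encode a domain as DNS wire labels: length byte, label, ..., 0x00 terminator."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length in {domain!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def suricata_content(domain):
    """Render the labels in Suricata content syntax, e.g. |0a|strangelol|03|com|00|."""
    return "".join(f"|{len(l):02x}|{l}" for l in domain.strip(".").split(".")) + "|00|"


def build_query(domain, txid=0x1234, edns=False):
    """Build a minimal A/IN query (constructed test input); edns=True appends an OPT RR."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = wire_labels(domain) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns:
        # OPT pseudo-RR: root name, TYPE=41, UDP payload size 4096, TTL 0, RDLEN 0.
        question += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question


def rule_matches(packet, domain):
    """Mirror one rule: header bytes at offset 2 / depth 10, then the labels,
    nocase, anywhere after the first match (distance:0)."""
    if len(packet) < 12 or packet[2:12] != HEADER_CONTENT:
        return False
    # bytes.lower() only touches ASCII letters; length bytes (<= 63) are unaffected.
    return wire_labels(domain).lower() in packet[12:].lower()


def scan(packets):
    """Return (packet index, matched domain) for every rule hit across a batch."""
    return [(i, d) for i, p in enumerate(packets) for d in WATCHLIST if rule_matches(p, d)]


if __name__ == "__main__":
    for d in WATCHLIST:
        print(f"{d:<24} {suricata_content(d)}")
    batch = [
        build_query("example.com"),                      # benign, no hit
        build_query("cdn.awsstatics.com"),               # subdomain still hits
        build_query("strangelol.com", edns=True),        # on the list, but EDNS: no hit
    ]
    print(scan(batch))
```

Because the label match is a plain substring search after the header, a subdomain query such as cdn.awsstatics.com still fires the awsstatics.com rule, while the EDNS case shows that a second rule variant with ARCOUNT=1 (or a match that does not pin the additional-record count) is needed if the monitored resolvers send OPT records.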

If you would like to automate the intake of these indicators, please see our GitHub Detections repo.
