Kaspersky: Winnti Group responsible for enhanced attack platform infecting organizations in South Korea, UK and Russia

Oct 8, 2015:

Kaspersky Lab experts tracking the activity of the Winnti group have discovered an active threat based on a 2006 bootkit installer. The threat, which Kaspersky Lab has called “HDRoot” after the original tool’s name “HDD Rootkit”, is a universal platform for a sustainable and persistent appearance in a targeted system, which can be used as a foothold for any arbitrary tool.

The Winnti criminal organization is known for industrial cyberespionage campaigns targeting software companies, especially those in the gaming industry. Recently it has also been observed targeting pharmaceutical businesses.

“HDRoot” was discovered when an intriguing sample of malware sparked the interest of Kaspersky Lab’s Global Research and Analysis Team (GReAT) for the following reasons:
  • It was protected with a commercial VMProtect Win64 executable signed with a known compromised certificate belonging to the Chinese entity, Guangzhou YuanLuo Technology; a certificate that the Winnti group was known to have abused to sign other tools;
  • The properties and output text of the executable were spoofed to make it look like a Microsoft’s Net Command net.exe, obviously to reduce the risk of system administrators exposing the program as hostile.

Taken together, this made the sample look suitably suspicious. Further analysis showed that the HDRoot bootkit is a universal platform for a sustainable and persistent appearance in a system. It can be used to launch any other tool. The GReAT researchers were able to identify two types of backdoors launched with the help of this platform, and there may be more. One of these backdoors was able to bypass well-established anti-virus products in South Korea - AhnLab’s V3 Lite, AhnLab’s V3 365 Clinic and ESTsoft’s ALYac. Winnti therefore used it to launch malware products on target machines in South Korea.

Countries where gaming companies have been affected Infographic

According to Kaspersky Security Network data, South Korea is the main area of interest for the Winnti group in South East Asia; with other targets in this region including organizations in Japan, China, Bangladesh and Indonesia. Kaspersky Lab has also detected HDRoot infections in a company in the UK and in one in Russia, both of which have previously been targeted by the Winnti group.