Winnti Linux Malware [ #winnti ]

Winnti Linux is an updated variant of the Winnti backdoor, created by the advanced persistent threat group of the same name. First observed in 2015, it is believed to be shared among a small group of trusted threat actors for use in their own disparate campaigns.

At the time of publication, Winnti Linux has only been observed being delivered through spear-phishing campaigns

Winnti Linux’s primary module, called libxselinux, is a lightly modified version of the open-source Azazel rootlet. Once installed, it will decrypt an embedded port configuration file before connecting to a command and control server using a variety of protocols (HTTP, ICMP, and custom TCP/UDP) and modifying commonly used functions to disguise its operations.

Analysis of the Linux variant revealed that it contains two files: the main backdoor Trojan (libxselinux) and a library (libxselinux.so) used to hide the malware.

By default Winnti Linux is able to exfiltrate folders and files, execute arbitrary code, escalate privileges, and perform lateral network movements. Some variants are able to create a SOCKS5 proxy on affected systems, although it is unclear if this is a core capability or added functionality.

Linux malware is quite rare among nation-state hacking groups, when writing malware they tend to focus on Windows operating systems.

YARA – Click here for source rule text and additional IoCs

Indicators of Compromise

Filenames

• libxselinux
• libxselinux.so

MD5 File Hashes

• 11a9f798227be8a53b06d7e8943f8d68
• 2a9f5d3fb47838937d282c552865863f
• b45f5a1548e213699a2802f8b99da08b

SHA256 File Hashes

• 4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a
• ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23
• b80d57acd405d2ff58b1637b4e5dea412414297bfb4cde4b050413a77ffd6901
• da6ad48a2b680d6c3764f450380693d69cdc303025339c057b58c1edfd4dc548