SecurityWeek

Cybercrime

Winnti Group Uses GitHub for C&C Communications

The China-linked threat group known as Winnti has been abusing GitHub for command and control (C&C) communications, Trend Micro reported on Wednesday.


Winnti, mainly known for financially motivated espionage campaigns aimed at the online gaming industry, has been around since at least 2007. A majority of the threat actor’s victims are located in Southeast Asia.

Trend Micro has been monitoring the group and discovered that its malware connected to a GitHub account in order to obtain the exact location of C&C servers.

Winnti has continued to use PlugX, a RAT that is often leveraged by Chinese threat actors, but experts also discovered what appears to be a new backdoor (BKDR64_WINNTI.ONM).

The malware checks an HTML page stored in a GitHub project. The file contains an encrypted string that hides the IP address and port number for the C&C server. The information was encrypted via an algorithm known to be used by PlugX and other algorithms derived from it.

According to Trend Micro, the GitHub project used by Winnti was created in May 2016 and it was first used for C&C communications in August 2016. Experts believe the GitHub account was likely created by the attackers themselves and not hijacked from its original owner.

Between August 17 and March 12, Trend Micro noticed nearly two dozen C&C server IP and port combinations. Researchers said a majority of the servers were located in the United States, and two in Japan.
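The dead-drop pattern described above (an implant periodically fetching one page in a GitHub project to learn its current C&C address) leaves a recognisable trace in web-proxy logs: one internal host requesting the same repository page over and over at a near-constant interval, which is unlike how a person browses GitHub. The following script is an added illustration of that detection idea; it is not code from the article or from Trend Micro. The log format, the host and repository names, the timestamps and the thresholds are all constructed for the example.

```python
"""Beaconing heuristic for GitHub-hosted C&C lookups (added example).

Scans constructed web-proxy log lines for an internal host that fetches the
same GitHub project page repeatedly at a near-constant interval, the shape a
malware sample polling a dead-drop page produces in proxy logs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Hosts that serve GitHub project content (both forms are worth watching).
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}

# Constructed sample log lines. Assumed format:
# "<ISO timestamp> <src_ip> <method> <url> <status>"
# 10.0.0.5 polls one page every ~30 minutes; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2016-08-17T09:00:00 10.0.0.5 GET https://github.com/example-org/example-repo/blob/master/index.html 200
2016-08-17T09:00:02 10.0.0.5 GET https://www.bing.com/search?q=weather 200
2016-08-17T09:30:01 10.0.0.5 GET https://github.com/example-org/example-repo/blob/master/index.html 200
2016-08-17T10:00:00 10.0.0.5 GET https://github.com/example-org/example-repo/blob/master/index.html 200
2016-08-17T10:29:59 10.0.0.5 GET https://github.com/example-org/example-repo/blob/master/index.html 200
2016-08-17T11:00:01 10.0.0.5 GET https://github.com/example-org/example-repo/blob/master/index.html 200
2016-08-17T09:05:00 10.0.0.7 GET https://github.com/python/cpython/blob/main/README.rst 200
2016-08-17T14:12:00 10.0.0.7 GET https://github.com/python/cpython/pull/1 200
2016-08-17T16:40:00 10.0.0.7 GET https://github.com/python/cpython/blob/main/README.rst 200
"""


def parse_line(line):
    """Split one proxy log line into (timestamp, source IP, URL)."""
    ts, src, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), src, url


def find_beacons(log_text, min_hits=4, max_jitter=0.05):
    """Return {(src_ip, url): mean_gap_seconds} for GitHub URLs that one host
    fetched at least `min_hits` times with near-constant spacing.

    `max_jitter` bounds the coefficient of variation (stdev / mean) of the
    gaps between consecutive fetches. A person reading a repository produces
    gaps that vary far more than a timer-driven implant does.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, url = parse_line(line)
        if urlparse(url).hostname in GITHUB_HOSTS:
            hits[(src, url)].append(ts)

    beacons = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, url), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} polls {url} every ~{gap:.0f}s")
```

On the constructed input only the 10.0.0.5 / example-repo pair is reported (five fetches roughly 1800 seconds apart); the cpython README is fetched only twice and falls below `min_hits`. In practice the thresholds need tuning against the organisation's own traffic, and a hit is a lead for triage, not a verdict, since legitimate automation (CI runners, dependency checkers) also polls GitHub on a schedule.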

One user pointed out on Reddit that the C&C servers appear to be hosted by Krypt Technologies, whose services have often been abused for botnets and other threats.


As for the new Winnti backdoor, the malware uses a loader that leverages a modified version of a Microsoft registry tool (loadperf.dll) and the WMI performance adapter service in Windows (wmiAPSrv). The loader imports and decrypts the main payload and loads it into memory.

“Abusing popular platforms like GitHub enables threat actors like Winnti to maintain network persistence between compromised computers and their servers, while staying under the radar,” explained Trend Micro threat researcher Cedric Pernet. “Although Winnti may still be employing traditional malware, its use of a relatively unique tactic to stay ahead of the threat landscape’s curve reflects the increased sophistication that threat actors are projected to employ.”

Related: Winnti Spies Use Bootkit for Persistence, Distributing Backdoors

Related: “Wekby” Group Uses DNS Requests for C&C Communications

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
