SecurityWeek


Winnti Group Uses GitHub for C&C Communications

The China-linked threat group known as Winnti has been abusing GitHub for command and control (C&C) communications, Trend Micro reported on Wednesday.


Winnti, mainly known for financially motivated espionage campaigns aimed at the online gaming industry, has been around since at least 2007. A majority of the threat actor’s victims are located in Southeast Asia.

Trend Micro has been monitoring the group and discovered that its malware connected to a GitHub account in order to obtain the exact location of C&C servers.

Winnti has continued to use PlugX, a RAT that is often leveraged by Chinese threat actors, but experts also discovered what appears to be a new backdoor (BKDR64_WINNTI.ONM).

The malware checks an HTML page stored in a GitHub project. The file contains an encrypted string that hides the IP address and port number for the C&C server. The information was encrypted via an algorithm known to be used by PlugX and other algorithms derived from it.
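The dead-drop pattern described above (a client repeatedly fetching the same GitHub-hosted file outside a browser) can be hunted for in web proxy logs. The following is an added detection example, not code from the article or from Trend Micro; the log format, client addresses, repository path and user-agent strings are all constructed for illustration, and the heuristic (GitHub host, non-browser User-Agent, repeated fetches of one URL) is an assumption about what polling by such a backdoor would look like.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the article or Trend Micro's report).
# Format: "<iso-timestamp> <client-ip> <method> <url> <status> \"<user-agent>\""
SAMPLE_LOG = """\
2016-08-17T09:00:01 10.0.0.5 GET https://raw.githubusercontent.com/example-user/repo/master/index.html 200 ""
2016-08-17T09:05:02 10.0.0.5 GET https://raw.githubusercontent.com/example-user/repo/master/index.html 200 ""
2016-08-17T09:10:01 10.0.0.5 GET https://raw.githubusercontent.com/example-user/repo/master/index.html 200 ""
2016-08-17T09:11:40 10.0.0.9 GET https://github.com/torvalds/linux 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/48.0"
2016-08-17T09:12:05 10.0.0.9 GET https://raw.githubusercontent.com/torvalds/linux/master/README 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/48.0"
2016-08-17T09:13:00 10.0.0.7 GET https://example.com/page.html 200 ""
"""

# Hosts that serve GitHub-hosted file content (assumed list for this example).
GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com", "gist.githubusercontent.com")
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    host = re.sub(r"^https?://", "", url).split("/", 1)[0]
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url, "host": host, "ua": ua}

def is_browser_ua(ua):
    """Crude browser check: real browsers announce themselves as Mozilla/...; an empty or
    custom User-Agent is what a hand-written HTTP client in a backdoor typically sends."""
    return ua.startswith("Mozilla/")

def find_github_dead_drops(log_text, min_hits=3):
    """Return (client, url, hit_count) tuples for clients that repeatedly fetch the same
    GitHub-hosted file without a browser User-Agent, i.e. candidate dead-drop polling."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in GITHUB_HOSTS and not is_browser_ua(rec["ua"]):
            hits[(rec["client"], rec["url"])].append(rec["ts"])
    return [(c, u, len(t)) for (c, u), t in hits.items() if len(t) >= min_hits]

if __name__ == "__main__":
    for client, url, count in find_github_dead_drops(SAMPLE_LOG):
        print(f"{client} fetched {url} {count} times without a browser User-Agent")
```

Only the polling client 10.0.0.5 is reported; the developer browsing GitHub from 10.0.0.9 with a browser User-Agent is not flagged, which is the distinction such a hunt relies on.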

According to Trend Micro, the GitHub project used by Winnti was created in May 2016 and it was first used for C&C communications in August 2016. Experts believe the GitHub account was likely created by the attackers themselves and not hijacked from its original owner.

Between August 17 and March 12, Trend Micro noticed nearly two dozen C&C server IP and port combinations. Researchers said a majority of the servers were located in the United States, and two in Japan.

One user pointed out on Reddit that the C&C servers appear to be hosted by Krypt Technologies, whose services have often been abused for botnets and other threats.


As for the new Winnti backdoor, the malware uses a loader that leverages a modified version of a Microsoft registry tool (loadperf.dll) and the WMI performance adapter service in Windows (wmiAPSrv). The loader imports and decrypts the main payload and loads it into memory.

“Abusing popular platforms like GitHub enables threat actors like Winnti to maintain network persistence between compromised computers and their servers, while staying under the radar,” explained Trend Micro threat researcher Cedric Pernet. “Although Winnti may still be employing traditional malware, its use of a relatively unique tactic to stay ahead of the threat landscape’s curve reflects the increased sophistication that threat actors are projected to employ.”

Related: Winnti Spies Use Bootkit for Persistence, Distributing Backdoors

Related: “Wekby” Group Uses DNS Requests for C&C Communications

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
