While monitoring the activities of the advanced persistent threat (APT) actor known as Winnti, researchers at Kaspersky Lab discovered a new platform that the group has been using to maintain persistence on infected systems and deliver backdoors.
The Winnti group, which has been around since at least 2009, was discovered by security researchers in 2012. The actor’s industrial cyberespionage operations have been aimed at software companies, particularly ones in the gaming sector.
The group is believed to be based in China and a majority of its victims are located in Southeast Asia, but the list of targets also includes gaming companies in Germany, the United States, Japan, China, Russia, Brazil, Peru, and Belarus. Kaspersky noticed recently that Winnti has also targeted businesses in the pharmaceutical industry.
Researchers recently discovered an active threat that the Winnti group has been using as an attack platform for infecting the systems of organizations in South Korea and other countries. The threat, dubbed “HDRoot,” is based on a bootkit installer named “HDD Rootkit” that was developed in 2006.
The HDRoot bootkit attracted the attention of experts because it had been protected with VMProtect, a commercial application designed to protect software against reversing and cracking, and it had been signed with a compromised digital certificate issued to a Chinese company named Guangzhou YuanLuo Technology. This certificate had been previously used by Winnti to sign its tools.
HDRoot also caught the eye of experts because it was disguised to look like Microsoft’s Net.exe utility, most likely in an effort to avoid raising suspicion.
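A binary that borrows the name of a built-in utility but sits in an unusual directory, or carries a signature from a certificate that does not belong to Microsoft, is exactly the kind of mistake the article says defenders can catch. The following PowerShell check is an added example written for this page, not code from the article or from Kaspersky Lab: it walks a few directories (the list of roots and the `O=Microsoft Corporation` signer pattern are assumptions) and reports any `net.exe` that is outside the expected system folders, unsigned, or signed by someone other than Microsoft.

```powershell
# Added defensive check (not from the article or from Kaspersky Lab):
# flag copies of net.exe that do not live in the expected system directories,
# or whose Authenticode signature is missing, invalid, or issued to a subject
# other than Microsoft. Search roots and the signer regex are assumptions.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\net.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\net.exe')
)
$searchRoots = @($env:SystemRoot, $env:ProgramData, $env:TEMP, "$env:SystemDrive\Users")

$findings = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter 'net.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $reasons = @()
        # Legitimate net.exe lives only in System32 / SysWOW64
        if ($expected -notcontains $_.FullName) { $reasons += 'unexpected path' }
        # Status other than Valid covers unsigned, tampered and revoked files
        if ($sig.Status -ne 'Valid')            { $reasons += "signature $($sig.Status)" }
        # A valid signature from a non-Microsoft subject is still suspicious here
        if ($subject -notmatch 'O=Microsoft Corporation') { $reasons += "signer: $subject" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path   = $_.FullName
                SHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                Reason = ($reasons -join '; ')
            }
        }
    }
}

# Also list any running process named "net" whose image is not the expected binary
$procs = Get-Process -Name 'net' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($expected -notcontains $_.Path) } |
    Select-Object Id, Path

$findings | Format-Table -AutoSize
$procs    | Format-Table -AutoSize
```

Run it from an elevated prompt so the signature and hash lookups can read every directory; the SHA256 column is there so a hit can be checked against your own allow-list or a reputation service rather than against any indicator the article itself provides.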
According to Kaspersky, HDRoot appears to be a platform designed to give attackers sustained, persistent access to the targeted system and to let them deliver backdoors.
The security firm identified two backdoors delivered by HDRoot, one of which was capable of bypassing antivirus products developed by AhnLab and ESTsoft. Since the targeted products are popular in South Korea, experts believe the backdoor was specifically created to target computers in this country. While South Korea appears to be one of Winnti’s main targets, Kaspersky has also spotted one infection in the United Kingdom and one in Russia, both at companies that had previously been attacked by the threat group.
In a blog post published on Tuesday, Dmitry Tarakanov, senior security researcher at Kaspersky Lab, pointed out that HDRoot’s level of sophistication is lower than one would expect from an APT actor such as Winnti. According to the expert, the platform’s developers have made some mistakes that could lead to the threat being discovered on infected devices.
“The most important goal for any APT-actor is to stay under the radar, to remain in the shadow. That’s why we rarely see any complicated code encryption, because that would attract attention,” Tarakanov explained. “The Winnti group took a risk, because it probably knows from experience which signs should be covered-up and which ones can be overlooked because organizations don’t always apply all the best security policies all of the time. System administrators have to keep on top of many things, and if the team is small, the chance that cybercriminal activity will remain undetected is even higher.”
Since HDRoot is based on a tool released in 2006, experts believe that the developer of HDD Rootkit either joined Winnti when the group was formed in 2009, or Winnti simply leverages third-party software, possibly acquired on the underground market.
HDRoot is still active, and its authors have continued to release new variants since Kaspersky’s products started detecting the threat.