HDRoot: Winnti APT group’s new (or not?) toy

In the fierce storm of active APT campaigns there is always something in motion. Researchers pin down and catalogue new threats all the time, but old names occasionally pop up,

In the fierce storm of active APT campaigns there is always something in motion. Researchers pin down and catalogue new threats all the time, but old names occasionally pop up, too. Winnti, a notorious APT group most likely originating from China, has yielded a rather mysterious malware sample. Kaspersky Lab experts have examined it, and this sample has proven to be “a universal platform for a sustainable and persistent appearance in a targeted system, which can be used as a foothold for any arbitrary tool”. Here comes HDRoot.

A universal platform

Securelist has publish the first part of research dedicated to this threat. It is very technical in nature, so let’s dive into a couple of the details:

HDRoot – an advanced bootkit – is trying to make users and admins think it is Microsoft’s Net Command net.exe file. At the same time, the intercepted sample was protected with a commercial VMProtect Win64 executable, signed with a known, compromised certificate belonging to the Chinese entity Guangzhou YuanLuo Technology. Winnti group was known to have abused this certificate to sign other tools, so the attribution of the malware is (mostly) out of question.

GReAT researchers were able to identify two types of backdoors launched with the help of this platform, and there may be more.

One of these backdoors was able to bypass well-established anti-virus products in South Korea: AhnLab’s V3 Lite, AhnLab’s V3 365 Clinic, and ESTsoft’s ALYac.

Winnti used it to launch malware on target machines in South Korea, which is Winnti group’s main area of interest. However, HDRoot infections were identified in the UK and in Russia, in companies previously targeted by the Winnti group.

Winnti

Winnti itself is quite a peculiar entity. Active since at least 2009, until quite recently, it mostly targeted companies in the gaming industry, stealing digital certificates signed by legitimate software vendors along with intellectual property such as the source code of online game projects.

Those certificates were later used to sign malware, just like in the case of HDRoot.

However, now Winnti has been seen taking on pharmaceutical companies as well, even though it and gaming are very different industries.

Last year’s report on Winnti is available here.

Slopwork?

According to Securelist, HDRoot “was not created very carefully, which is not what you expect from such a serious APT actor as Winnti”. There are a number of mistakes which make it susceptible to detection, despite all attempts to cover its tracks.

While it is strange, the attackers seem to be saving on effort where they can afford it. As Dmitri Tarakanov, Senior Security Researcher in Kaspersky Lab’s GReAT team wrote, Winnti “probably knows from experience which signs should be covered-up and which ones can be overlooked because organizations don’t always apply all the best security policies all of the time.”

Tarakanov also said system administrators have to stsay on top of many things, and if their team is small, there’s a very good chance cybercriminal activity will remain unnoticed.

Fortunately, Kaspersky Lab’s products (consumer and business, as well) successfully block the malware and protect users against the threat.

Stay tuned for the second part of our HDRoot research!

Tips