Security researchers from Alphabet's cybersecurity firm Chronicle have discovered a Linux version of the Winnti malware while investigating a recent cyberattack carried out against the pharmaceutical giant Bayer.
According to the researchers, the code of the Linux variant resembles the Winnti 2.0 Windows version, which has been used by Chinese cybercriminals for the past decade to launch attacks on systems worldwide.
It is believed by security experts that several Advanced Persistent Threat (APT) groups operate under the Winnti umbrella, including Winnti, Wicked Panda, ShadowPad, DeputyDog, APT17, PassCV and others.
All of these groups have used similar strategies and techniques in the past and have even shared parts of the same hacking infrastructure.
Linux variant of Winnti
According to Chronicle, the Linux version of Winnti is designed to work as a backdoor on infected hosts which gives hackers the ability to access the compromised system.
The researchers first discovered the existence of the Linux version while attempting to look for Winnti malware samples on the company's VirusTotal platform.
After analyzing the Linux variant, Chronicle found that it dated back to 2015 and consisted of a backdoor Trojan (libxselinux) and a library (libselinux.so) used to hide the malware from detection.
In their blog post, the researchers provided further details on how the Linux version of Winnti functions, saying:
“As with other versions of Winnti, the core component of the malware doesn’t natively provide the operators with distinct functionality. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers. During our analysis, we were unable to recover any active plugins. However, prior reporting suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks5 proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux.”
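A triage check a defender could run on a Linux host, written for this article as an added example (it is not Chronicle's tooling): it reads each process's /proc/<pid>/maps and flags a mapped file whose name matches the two filenames reported above but which is loaded from outside the standard library directories, because a genuine libselinux.so.1 lives under /usr/lib and must not be mistaken for the malicious copy. The sample maps content, the paths and the assumption that the library shows up as an ordinary mapping are constructed for the example.

```python
"""Flag watchlisted shared objects mapped from non-standard paths.
Constructed example for the Winnti Linux write-up; not Chronicle's code."""
import os
import re
from typing import Dict, List

# Filenames reported for the Linux variant (from the article); the legitimate
# SELinux userspace library is libselinux.so.1 and ships under /usr/lib.
WATCHLIST = ("libxselinux", "libselinux.so")
STANDARD_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# /proc/<pid>/maps: address perms offset dev inode [pathname]
MAPS_PATH_RE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(/\S+)")


def suspicious_mappings(maps_text: str) -> List[str]:
    """Return mapped paths whose basename matches the watchlist but which
    are not loaded from a standard library directory (deduplicated, in order)."""
    hits: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_PATH_RE.match(line)
        if not m:
            continue  # anonymous mapping, [heap], [stack], ...
        path = m.group(1)
        base = os.path.basename(path)
        if not any(base.startswith(name) for name in WATCHLIST):
            continue
        if any(path.startswith(d + "/") for d in STANDARD_LIB_DIRS):
            continue  # e.g. /usr/lib/x86_64-linux-gnu/libselinux.so.1
        if path not in hits:
            hits.append(path)
    return hits


def scan_live_processes(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Apply suspicious_mappings() to every readable process on the host."""
    findings: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                hits = suspicious_mappings(fh.read())
        except OSError:
            continue  # process exited, or unreadable without privileges
        if hits:
            findings[int(entry)] = hits
    return findings


# Constructed sample: a legitimate libselinux.so.1, libc, and two look-alikes.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a20000 r-xp 00000000 08:01 262144   /home/user/.x/libxselinux
7f3b2c000000-7f3b2c022000 r-xp 00000000 08:01 1310725  /usr/lib/x86_64-linux-gnu/libselinux.so.1
7f3b2c100000-7f3b2c2c0000 r-xp 00000000 08:01 1310800  /usr/lib/x86_64-linux-gnu/libc.so.6
7f3b2d000000-7f3b2d010000 r-xp 00000000 08:01 530001   /var/tmp/.cache/libselinux.so
7f3b2d010000-7f3b2d012000 r--p 00010000 08:01 530001   /var/tmp/.cache/libselinux.so
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0        [stack]
"""

if __name__ == "__main__":
    print("sample:", suspicious_mappings(SAMPLE_MAPS))
    print("live:", scan_live_processes())
```

If the hiding library hooks libc inside the scanning process, readdir and open results can be tampered with, so run the check from a statically linked tool or against an offline disk image when a host is already suspected.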