
The Winnti group is a China-linked cybercriminal group best known for its 2011 attacks against online video game producers.

The goal of these attacks was to steal the digital certificates used to sign software. With those compromised certificates in hand, the group then used them to attack other video game companies and steal their certificates in turn.

In addition to a company's certificates, the source code of its video games was targeted as well, possibly to search for vulnerabilities in the game that could be exploited for monetary gain. One of the targeted companies described how the attackers were trying to acquire in-game currency illegally, which they could then try to convert into real currency. The Winnti group also succeeded in distributing Trojans to players of a popular online game by deploying malware on the game's official update server.

After the attacks on video game producers, the group used the stolen certificates to attack pharmaceutical companies and to target activists supporting Tibetan and Uyghur causes.

The latest update to the Winnti group's backdoor uses GitHub to receive directives as part of its Command and Control (C&C) chain. To find out where it needs to connect next, the malware fetches an HTML page stored in a GitHub repository. This page contains an encrypted string which, once decrypted, yields the IP address and port number from which the backdoor will receive commands.

This update helps the malware mask its network traffic, as accessing GitHub is unlikely to raise many red flags within a corporate environment.
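The traffic shape that gives this technique away is a single host repeatedly fetching the same static GitHub page at clockwork intervals, which ordinary developer browsing does not do. The following detection is an added example written for this post, not ThreatSTOP's own tooling: it assumes a simplified proxy log format (timestamp, client IP, method, URL, status) and runs over a constructed sample in which one host polls a page hourly and another browses a pull request irregularly.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed proxy log shape: "<ISO timestamp> <client ip> <method> <url> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "gist.githubusercontent.com"}

# Constructed sample: 10.1.4.22 polls one static page hourly; 10.1.7.9 browses a PR page irregularly.
SAMPLE_LOG = """\
2017-03-20T09:00:02Z 10.1.4.22 GET https://github.com/example-org/repo/blob/master/README.md 200
2017-03-20T09:00:05Z 10.1.4.22 GET https://raw.githubusercontent.com/acct-placeholder/proj/master/index.html 200
2017-03-20T10:00:06Z 10.1.4.22 GET https://raw.githubusercontent.com/acct-placeholder/proj/master/index.html 200
2017-03-20T11:00:04Z 10.1.4.22 GET https://raw.githubusercontent.com/acct-placeholder/proj/master/index.html 200
2017-03-20T12:00:07Z 10.1.4.22 GET https://raw.githubusercontent.com/acct-placeholder/proj/master/index.html 200
2017-03-20T09:12:41Z 10.1.7.9 GET https://github.com/example-org/repo/pull/12 200
2017-03-20T09:41:03Z 10.1.7.9 GET https://github.com/example-org/repo/pull/12 200
2017-03-20T14:05:27Z 10.1.7.9 GET https://github.com/example-org/repo/pull/12 200
"""

def parse_line(line):
    """Return (timestamp, client, url) for one log line, or None if it does not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(4)

def is_github(url):
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    return host in GITHUB_HOSTS

def find_periodic_github_fetches(log_text, min_hits=3, max_jitter=0.1):
    """Flag (client, url) pairs that fetch the same GitHub page at near-constant intervals."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_github(rec[2]):
            hits[(rec[1], rec[2])].append(rec[0])
    findings = []
    for (client, url), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the inter-request gaps: near zero means clockwork polling.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"client": client, "url": url, "count": len(times), "interval_s": round(avg)})
    return findings
```

On the sample, only the hourly poller is reported; the developer's three irregular visits to the PR page fall outside the jitter threshold.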

Enabling the TSCritical targets in policies for ThreatSTOP DNS and IP Firewall Services protects against Winnti. If you do not have a ThreatSTOP account, sign up for a free trial.

If you do have a ThreatSTOP account, instructions for adding targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our Support team.