Malware: Winnti for Windows

Description

[Winnti for Windows](https://attack.mitre.org/software/S0141) is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018). The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019)

External References

• mitre-attack
• Microsoft Winnti Jan 2017
• Chronicle Winnti for Linux May 2019
• 401 TRG Winnti Umbrella May 2018
• Kaspersky Winnti April 2013
• Novetta Winnti April 2015

Techniques Used by This Malware

• T1027.013 — Encrypted/Encoded File
• T1027.015 — Compression
• T1036.005 — Match Legitimate Resource Name or Location
• T1057 — Process Discovery
• T1070.004 — File Deletion
• T1070.006 — Timestomp
• T1071.001 — Web Protocols
• T1082 — System Information Discovery
• T1083 — File and Directory Discovery
• T1090.001 — Internal Proxy
• T1090.002 — External Proxy
• T1095 — Non-Application Layer Protocol
• T1105 — Ingress Tool Transfer
• T1106 — Native API
• T1140 — Deobfuscate/Decode Files or Information
• T1218.011 — Rundll32
• T1480.001 — Environmental Keying
• T1543.003 — Windows Service
• T1547.001 — Registry Run Keys / Startup Folder
• T1548.002 — Bypass User Account Control
• T1569.002 — Service Execution
• T1573.001 — Symmetric Cryptography

APT Groups Using This Malware

• Aquatic Panda
• Winnti Group