High-profile victims include the corporations Thyssen-Krupp and Bayer. In collaboration with researchers from Bochum, the broadcasting companies Bayerischer Rundfunk and NDR have now exposed “Winnti’s” tactics.
Together with an investigative team at Bayerischer Rundfunk (BR) and NDR, researchers at Ruhr-Universität Bochum have unearthed how the hacking group “Winnti” carries out its attacks on German and international companies and who its victims have been so far. Winnti has supposedly been operating from China for at least ten years, spying on enterprises worldwide. According to analyses conducted by the team headed by Professor Thorsten Holz at the Horst Görtz Institute for IT Security in Bochum, at least a dozen companies have been hit by Winnti software. The main targets are enterprises from the chemical industry, as well as from the semiconductor, pharmaceutical and telecommunications industries and manufacturers of video games. The media reported on the investigation results on 24 July 2019.
Modular malware
The BR and NDR investigative team consulted Thorsten Holz and his PhD student Moritz Contag as co-researchers because they are experts in software analysis, more specifically in binary code analysis. “Today, there are three generations of Winnti software,” explains Thorsten Holz, spokesperson of the Casa Cluster of Excellence (Cyber-Security in the Age of Large-Scale Adversaries). “The software is based on a modular structure. The group can use any modules to assemble malware specifically for the respective purpose and tailored to the victim company.”
Control server for malware partially integrated in the intranet
The malware’s binary code carries an embedded configuration block that contains the options controlling the malware. Binary code can be run directly by the processor, but it is more or less unreadable to humans. The IT experts from Bochum disassembled and decoded the binaries and showed that the configuration contained, for example, the address of the server that controlled the malware and the location where the malware was installed on the victim’s system.
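To make the analysis step concrete, here is an added example (not code from the Bochum researchers, and not the real Winnti configuration format): a small Python extractor that locates an embedded configuration block in a binary image, strips its single-byte XOR obfuscation, and parses the fields an analyst would want to turn into indicators, such as the control server address and the install path. The block layout (magic `CFG1`, key byte, little-endian length, XOR-obfuscated `key=value` pairs) and the sample binary are constructed for this example; a real sample would require first recovering the actual layout and obfuscation in a disassembler.

```python
import struct

# Hypothetical configuration layout (an assumption for this example only,
# NOT the Winnti format):
#   magic    4 bytes   b"CFG1"
#   key      1 byte    single-byte XOR key
#   length   2 bytes   little-endian length of the obfuscated payload
#   payload  <length>  bytes, each XORed with key
# The decoded payload is a sequence of "key=value" pairs separated by NUL bytes.
MAGIC = b"CFG1"
HEADER_LEN = len(MAGIC) + 1 + 2


def build_config_blob(fields, key):
    """Build a config block as the (hypothetical) malware builder would."""
    payload = b"\x00".join(f"{k}={v}".encode() for k, v in fields.items())
    obfuscated = bytes(b ^ key for b in payload)
    return MAGIC + bytes([key]) + struct.pack("<H", len(obfuscated)) + obfuscated


def find_config(binary):
    """Locate and decode the embedded config block.

    Returns a dict of fields, or None if no complete block is present
    (no magic, or the block is truncated).
    """
    off = binary.find(MAGIC)
    if off < 0:
        return None
    header_end = off + HEADER_LEN
    if header_end > len(binary):
        return None  # magic found but header cut off
    key = binary[off + len(MAGIC)]
    (length,) = struct.unpack_from("<H", binary, off + len(MAGIC) + 1)
    payload = binary[header_end:header_end + length]
    if len(payload) != length:
        return None  # truncated sample: refuse to return a partial config
    plain = bytes(b ^ key for b in payload)
    fields = {}
    for item in plain.split(b"\x00"):
        if b"=" not in item:
            continue  # tolerate padding or unknown records
        k, v = item.split(b"=", 1)
        fields[k.decode(errors="replace")] = v.decode(errors="replace")
    return fields


def c2_endpoint(fields):
    """Split the configured control server into (host, port) for blocklisting."""
    host, _, port = fields["c2"].rpartition(":")
    return host, int(port)


# Constructed sample: a fake "executable" with the config block embedded
# between some filler bytes. The values are placeholders, not real IOCs.
SAMPLE_FIELDS = {
    "c2": "update.example.invalid:443",
    "install_path": r"C:\Windows\System32\drivers\etc",
    "sleep": "3600",
}
SAMPLE_BINARY = b"MZ" + b"\x90" * 64 + build_config_blob(SAMPLE_FIELDS, 0x5A) + b"\xcc" * 32

if __name__ == "__main__":
    cfg = find_config(SAMPLE_BINARY)
    print("decoded config:", cfg)
    print("control server:", c2_endpoint(cfg))
```

The extractor deliberately returns `None` for a truncated block rather than a half-decoded dictionary, so that a memory dump cut off mid-config cannot silently yield a wrong server address; in practice the magic value and XOR scheme are the first things to recover in the disassembler, and the parser is then adapted to whatever the sample actually uses.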
This is how intranets are infected
Malware infection is often conducted via phishing emails. If a user clicks on a link or opens an attachment in such an email, Winnti software installs itself on the system. The attackers then use that system for further attacks within the intranet. The software can hide unnoticed on an infected server until it is activated by a signal from the control server.
Attacks on Linux systems detected
Winnti software primarily targets Windows systems. However, a Linux version also exists, as became known in March 2019.
Press contact
Prof. Dr. Thorsten Holz
Chair for System Security
Horst Görtz Institute for IT Security
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 25199
Email: thorsten.holz(at)rub.de
Julia Laska/Christina Scholten
Marketing and PR
Horst Görtz Institute for IT Security and Casa Cluster of Excellence
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 29162
Email: hgi-presse(at)rub.de
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.