Hacking group “Winnti” has targeted numerous German enterprises

Moritz Contag (left) and Thorsten Holz from Horst Görtz Institute for IT Security are experts in binary code analysis. © Mareen Meyer

Professor Thorsten Holz heads the Chair of System Security at Horst Görtz Institute for IT Security and is a Speaker at the Casa Cluster of Excellence. © Mareen Meyer

High-profile victims include the corporations Thyssen-Krupp and Bayer. In collaboration with researchers from Bochum, the broadcasting companies Bayerischer Rundfunk and NDR have now exposed “Winnti’s” tactics.

Together with an investigative team at Bayerischer Rundfunk (BR) and Norddeutscher Rundfunk (NDR), researchers at Ruhr-Universität Bochum have unearthed how the hacking group “Winnti” commits its attacks on German and international companies and who have been their victims so far. Winnti has been supposedly operating from China for at least ten years, spying on enterprises worldwide. In Germany, attacks on the corporations Thyssen-Krupp and Bayer have come to light.

Following analyses conducted by the team headed by Professor Thorsten Holz at Horst Görtz Institute for IT Security in Bochum, at least a dozen companies have been impacted by Winnti software, among them six DAX corporations. The main target are enterprises from the chemical industry, as well as from the semiconductor, pharmaceutical and telecommunication industry and manufacturers of video games. The media have reported about the investigation results on 24 July 2019.

Modular malware

The BR and NDR news agency consulted Thorsten Holz and his PhD student Moritz Contag as co-researchers, because they are experts in software analysis, more specifically in binary code analysis. They wanted to find out the workings of Winnti espionage in detail. “Today, there are three generations of Winnti software,” explains Thorsten Holz, a speaker at the CASA Cluster of Excellence (Cyber-Security in the Age of Large-Scale Adversaries). “The software is based on a modular structure. The group can use any modules to assemble malware specifically for the respective purpose and tailored to the victim company.” For example, the construction kit may contain a module that hides the software on one of the servers at the targeted enterprise, one module that collects information in the company’s intranet, and a module that establishes an outside communication channel.

The software’s binary code includes a configuration file that contains options for controlling the malware. Binary code can be run directly by the processor, but it is more or less unreadable to humans. The IT experts from Bochum translated the code into legible language and demonstrated that the files contained, for example, information on which server controlled the malware and where the malware was located in the victim’s system. The hacking group often used external servers to control the malware, but sometimes compromised intranet servers were used for this purpose, too. “Interestingly enough, the configuration files also include hints of which companies or organisations had been attacked,” explains Thorsten Holz. “Presumably, this helps the group organise their attacks.”

The analysed malware files were extracted from the “Virustotal” database. Any user can use this service to upload files and have them checked by 50 different virus scanners. All uploaded files are saved in a database.

After analysing different versions of the malware, Moritz Contag used his findings to analyse several hundred configuration files. He also successfully extracted certificates used by the attackers to conceal their malware even better.

The investigative journalists contacted 14 enterprises, in order to warn them of a possible malware infection. Some of the targeted companies admitted that they’d been a victim of an attack; several analyses are still ongoing. The Winnti group has not only targeted companies, but also the Hong Kong government. The media thus suspect that Winnti may not only be engaged in industrial, but also in political espionage.

This is how intranets are infected

Malware infection is often conducted via phishing emails. If a user clicks on a link or opens an attachment in such an email, Winnti software installs itself on the system. The attackers then use that system for further attacks within the intranet. The software can hide unnoticed on an infected server until it is activated by a signal from the control server. Subsequently, the program communicates with the control server via an encrypted channel, for example by sending specific data from the intranet to the attackers.

“Our analysis has also shown that the Winnti software frequently remains dormant for weeks or months; then, it becomes active for a day or perhaps a week, before switching off again,” as Thorsten Holz describes the typical behaviour.

Attacks on Linux systems detected

Winnti software aims at infecting Windows systems. However, there is now also a version for Linux, as transpired in March 2019. “We studied this malware version, too,” says Thorsten Holz. “It works pretty much like Winnti.”

Here you can find the original text at RUB Newsportal.

More technical information, including a script that can be used to extract configuration information from a given sample is available here.


Press contact

Prof. Dr. Thorsten Holz
Chair for System Security
Horst Görtz Institute for IT Security
Ruhr-Universität Bochum
Phone: +49 234 32 25199


Julia Laska/Christina Scholten
Marketing and PR

Horst Görtz Institute for IT Security and Casa Cluster of Excellence
Ruhr-Universität Bochum
Phone: +49 234 32 29162
Email: hgi-presse@rub.de