OREANDA-NEWS. Kaspersky Lab experts tracking the activity of the Winnti group have discovered an active threat based on a 2006 bootkit installer. The threat, which Kaspersky Lab has called “HDRoot” after the original tool’s name “HDD Rootkit,” is a universal platform for a sustainable and persistent appearance in a targeted system, which can be used as a foothold for any arbitrary tool. 

The Winnti criminal organization is known for industrial cyberespionage campaigns targeting software companies, especially those in the gaming industry. Recently it has also been observed to be targeting pharmaceutical businesses.

“HDRoot” was discovered when an intriguing sample of malware sparked the interest of the Kaspersky Lab Global Research and Analysis Team (GReAT) for the following reasons: 

- It was protected with a commercial VMProtect Win64 executable signed with a known compromised certificate belonging to the Chinese entity, Guangzhou YuanLuo Technology; a certificate that the Winnti group was known to have abused to sign other tools;

- The properties and output text of the executable were spoofed to make it look like a Microsoft’s Net Command net.exe, obviously to reduce the risk of system administrators exposing the program as hostile.

Taken together, this made the sample look suitably suspicious. Further analysis showed that the HDRoot bootkit is a universal platform for a sustainable and persistent appearance in a system and it can be used to launch any other tool. The GReAT researchers were able to identify two types of backdoors launched with the help of this platform, and there may be more. One of these backdoors was able to bypass well-established anti-virus products in South Korea - AhnLab’s V3 Lite, AhnLab’s V3 365 Clinic and ESTsoft’s ALYac. The Winnti group could have used it to launch malware products on target machines in South Korea. 

According to Kaspersky Security Network data, South Korea is the main area of interest for the Winnti group in South East Asia; with other targets in this region including organizations in Japan, China, Bangladesh and Indonesia. Kaspersky Lab has also detected HDRoot infections in a company in the UK and in one in Russia, both of which have previously been targeted by the Winnti group. 

“The most important goal for any APT-actor is to stay under the radar, to remain in the shadow. That’s why we rarely see any complicated code encryption, because that would attract attention. The Winnti group took a risk, because it probably knows from experience which signs should be covered-up and which ones can be overlooked because organizations don’t always apply all the best security policies all of the time. System administrators have to keep on top of many things, and if the team is small, the chance that cybercriminal activity will remain undetected is even higher,” – said Dmitry Tarakanov, senior security researcher, Kaspersky Lab GReAT. 

The development of the HDD Rootkit in 2006 is likely to be the work of someone who went on to join the Winnti group when it was set up, likely in 2009. However, there is a possibility that Winnti made use of third-party software or the utility and source code were available on the Chinese or other cybercriminal black market. Since Kaspersky Lab started to add detections, the group behind the attacks has started to adapt them – in less than one month, a new modification was identified. 

Kaspersky Lab products successfully block the malware and protect users against the threat.

About Kaspersky Lab

Kaspersky Lab is one of the world’s fastest-growing cybersecurity companies and the largest that is privately-owned. The company is ranked among the world’s top four vendors of security solutions for endpoint users (IDC, 2014). Since 1997 Kaspersky Lab has been an innovator in cybersecurity and provides effective digital security solutions and threat intelligence for large enterprises, SMBs and consumers. Kaspersky Lab is an international company, operating in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide.