Winnti Winnti

  • First known sample

    2009

  • Discovery

    2012

  • Number of targets

    1-100

  • Current status

    Active

  • Type

    Trojan

  • Targeted platforms

    Windows

  • TOP targeted countries

    Belarus , Brazil , CIS , Germany , Japan , Peru , Russia , South East Asia , Ukraine

  • The way of propagation

    Social engineering

  • Purpose/Functions

    Data theft , Data wiping
  • Special features
    Winnti hunts for intellectual property belonging to gaming companies such as source code and internal systems design.

  • Targets

    Software companies
  • Artefacts/Attribution
    Our research revealed that the attackers used the Chinese language in the code of the malware; they used Chinese locales in their Windows servers and they have been using a number of IP addresses in China. There are a number of other indicators, such as nicknames, timezones and more showing that the attackers are located in the People's Republic of China.
  • Description

    A hacking group known for a series of targeted attacks against private companies around the world, namely gaming companies. The group’s main objective is to steal source codes for online gaming projects, as well as the digital certificates of legitimate software vendors. The malware used is distributed via a regular update from a game’s official update server. The group later evolved to target the pharmaceutical industry as well.

    Additional information

© 2023 AO Kaspersky Lab. All Rights Reserved. Privacy Policy Cookies
  1. Adding detection for known modules
  2. Collecting samples
  3. Reversing the samples
  4. Decrypting sophisticated encryption and compression schemes
  5. Understanding lateral movement
  6. Outlining multiple attack stages in the correct order
  7. Mapping C&C infrastructure
  8. Setting up sinkholes
  9. Analyzing collected traffic and communication protocols
  10. Crawling other hosts that understand the same protocol
  11. Taking down and acquiring images of C&C servers
  12. Identifying victims, sending out notifications to victims and global CERTs
  13. Applying forensic analysis and extracting logs, stolen files, other components
  14. Collecting and analyzing data from KSN, C&C servers, individual victims who are willing to work with us, sinkholes, crawlers, etc.
  15. Writing a comprehensive report
Read more
Mitigation is where enterprises need to start, prevention being significantly more effective and more cost-efficient than remediation after an attack Read more
For any inquiries, please contact apt.securelist@kaspersky.com If you are looking for more detailed information about an APT, please contact intelreports@kaspersky.com