Researchers from Chronicle have uncovered a Linux version of the Winnti malware. It works as a backdoor on infected hosts, giving attackers access to the compromised system.
Chronicle researchers noted that they discovered the Linux variant after the Bayer cyber attack.
Similarities with the Windows variant
Researchers also observed code similarities between the Linux version and the Winnti 2.0 Windows version.
“This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted,” Chronicle researchers wrote in a blog post.
“Linux specific tooling from Chinese APTs is rare but not unheard of. Historically, tools such as HKdoor, Htran, and Derusbi all had Linux variants,” Silas Cutler, Reverse Engineering Lead at Chronicle, told ZDNet.