- Linux variant is used by cyber-espionage groups linked to the US and Russian governments.
- Researchers observed code similarities between the Linux version and the Winnti 2.0 Windows version.
Researchers from Chronicle have uncovered the Linux version of the Winnti malware that works as a backdoor on infected hosts, allowing attackers to gain access to the compromised system.
Chronicle researchers noted that they discovered the Linux variant after the Bayer cyber attack.
- This Linux variant is made up of two parts, a rootkit component to hide the malware on infected hosts and the actual backdoor trojan.
- This variant is used by cyber-espionage groups associated with the US and Russian governments.
Similarities with the Windows variant
Researchers also observed code similarities between the Linux version and the Winnti 2.0 Windows version.
- Both the variants communicated with their C&C servers with a mixture of multiple protocols (ICMP, HTTP, and custom TCP and UDP protocols).
- Similarly, both the variants allowed Chinese hackers to initiate connections to infected hosts without going through the C&C servers.
“This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted,” Chronicle researchers wrote in a blog.
“Linux specific tooling from Chinese APTs is rare but not unheard of. Historically, tools such as HKdoor, Htran, and Derusbi all had Linux variants,” Silas Cutler, Reverse Engineering Lead at Chronicle, told ZDNet.