A new iteration of the Winnti Trojan Horse has surfaced: a Linux version of the malware. What makes this release notable is that it is not actually new; it has been linked to a 2015 intrusion at a gaming company, so it was in use for years before being documented. The most recent incident attributed to it is the compromise of a large German pharmaceutical company last month.
Winnti Trojan Horse Linux Version Used in Targeted Attacks
According to a new security report, the Linux version of the Winnti Trojan is being used in targeted intrusions worldwide. The last major incident attributed to it was the compromise of a large pharmaceutical company in Germany last month.
The report describes an active campaign in which a group that has not yet been identified deploys a variant of the threat against targets of its own choosing. In this release the Winnti Trojan consists of two files: libxselinux, the main backdoor, and libxselinux.so, a helper library. The library's job is to hide the presence and activity of the malware. When the initialization script launches the backdoor, it decodes its embedded code and configuration. It then hides itself from the system in two ways: it takes on the name of a legitimate application, and the library hooks calls made by existing processes so that standard system tools no longer report the malware's files, processes or activity.
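A userland hiding library of the kind described above has to be loaded into every process it wants to lie to, which on Linux normally means an entry in /etc/ld.so.preload or the LD_PRELOAD variable, and it works by filtering what hooked libc calls such as readdir() return. Those two facts give a responder three cheap checks. The script below is an added triage example written for this article; it is not code from the report or from the malware. It takes the two file names from the report as indicators; the paths in its constructed sample data are assumptions, and the hidden-PID comparison assumes the classic probe-versus-readdir technique rather than anything the report states.

```shell
#!/bin/sh
# Triage helpers for a preload-based userland rootkit (added example).
# Indicator name taken from the report; everything else is an assumption.
IOC_LIB='libxselinux.so'

# 1. Preload vector. Reads the contents of /etc/ld.so.preload on stdin,
#    prints every real entry and returns 0 if any exist (review each one;
#    a clean host normally has none), 1 if the file holds only comments/blanks.
check_preload() {
    grep -v '^[[:space:]]*$' | grep -v '^[[:space:]]*#'
}

# 2. Loaded-library check over a /proc/<pid>/maps listing on stdin. The sixth
#    column is the mapped file; returns 0 if the indicator library is mapped.
maps_has_lib() {
    awk -v lib="$IOC_LIB" 'index($6, lib) { found = 1 } END { exit found ? 0 : 1 }'
}

# 3. Hidden-process check. A hooked readdir() drops the backdoor's PID from
#    what ps and "ls /proc" return, but probing /proc/<pid> directly for each
#    candidate still succeeds. Args: PIDs from the direct probe, PIDs from
#    readdir-based tools (whitespace separated). Prints PIDs only the probe saw.
hidden_pids() {
    listed=$(printf ' %s ' $2)
    for p in $1; do
        case "$listed" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Constructed sample data (not captured from a real host) for the demo below.
SAMPLE_PRELOAD='# system preload
/usr/local/lib/libxselinux.so'
SAMPLE_MAPS='7f1a2b000000-7f1a2b021000 r-xp 00000000 08:01 1234 /usr/local/lib/libxselinux.so
7f1a2b200000-7f1a2b3c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6'
SAMPLE_PROBE='1 2 3 1337'
SAMPLE_LISTED='1 2 3'

demo() {
    echo '== preload entries =='
    printf '%s\n' "$SAMPLE_PRELOAD" | check_preload || echo '(none)'
    echo '== indicator library mapped? =='
    printf '%s\n' "$SAMPLE_MAPS" | maps_has_lib && echo yes || echo no
    echo '== PIDs hidden from readdir() =='
    hidden_pids "$SAMPLE_PROBE" "$SAMPLE_LISTED"
}

# Live collection for a real host. Run from a statically linked shell (for
# example a static busybox) where possible: once preloaded, the rootkit
# library hooks the dynamically linked shell and coreutils as well.
probe_pids() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    i=1
    while [ "$i" -le "$max" ]; do   # slow at large pid_max; cap it if needed
        [ -d "/proc/$i" ] && printf '%s\n' "$i"
        i=$((i + 1))
    done
}
listed_pids() { ls /proc | grep -E '^[0-9]+$'; }

triage_host() {
    echo '== /etc/ld.so.preload entries =='
    { [ -r /etc/ld.so.preload ] && check_preload < /etc/ld.so.preload; } || echo '(none)'
    echo "== processes mapping $IOC_LIB =="
    for m in /proc/[0-9]*/maps; do
        maps_has_lib < "$m" 2>/dev/null && echo "$m"
    done
    echo '== PIDs hidden from readdir() =='
    hidden_pids "$(probe_pids)" "$(listed_pids)"
}

case "${1:-}" in
    --live) triage_host ;;
    --demo) demo ;;
esac
```

Run `sh winnti_triage.sh --demo` to see the checks against the constructed sample (one preload entry, the library mapped, PID 1337 hidden), and `sh winnti_triage.sh --live` on a suspect host. A hit in any of the three checks is worth a full look; a clean result from a dynamically linked shell on an already-compromised host proves nothing, since the hooks apply to the shell too.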
The most dangerous part of an infection is the Trojan module itself. It communicates with attacker-controlled servers over several protocols, including custom ones. Once a connection is established it is kept alive so that the operators can issue commands over an extended period. Those commands can deploy additional payloads such as ransomware, hijackers and cryptocurrency miners, or turn the host into a surveillance platform: keylogging of the victim's input and screenshot capture on demand or at regular intervals.
We advise all Linux users to keep their systems patched to the latest packages so that an intruder has fewer known vulnerabilities to probe. To further reduce the risk of infection, pay attention to which files you download and execute. The current distribution campaign relies on malicious documents, but that tactic may change at any time.