Winnti (APT41): The cyber-security firm QuoIntelligence (QuoInt) outlined new malware strains which they linked to APT41, a Chinese threat group that has been known to target gaming companies in the past. The malware that researchers analyzed included the string “Ox1A0: Gravity,” where Gravity is the name of the parent company of the Massively Multiplayer Online Role-playing Game (MMORPG) Ragnarok, which enabled researchers to know who the victim was. The malware is known as the “Winnti Dropper,” which is used in initial attacks against companies to gain access. QuoInt initially discovered the malware from a German virus scanner and assessed that the malware was used to target a German chemical company, according to a different string in a variant of Winnti Dropper. The analysis showed an unreported Command and Control (C2) technique that was not attributed to Winnti before: tunneling communication through DNS using a custom implementation of the iodine source code. Iodine is open-source software that enables the tunneling of IPv4 data through a DNS server.
Analyst Notes
Prior research into the Winnti group aligns with the most recent findings from QuoInt. The group has always targeted German companies as well as many different video game companies. The group tends to target small to medium-sized businesses to steal information. Companies of all sizes should be aware of the group’s trends and incorporate monitoring of endpoints for attacker behaviors to detect intrusions in the early stages, and monitoring abnormal use of DNS that may indicate tunneling. Managed security services such as such as Binary Defense’s Security Operations Center using Managed Detection and Response (MDR) tools can help businesses of any size find attacks and stop them before they result in major losses.
More can be read here: https://www.zdnet.com/article/chinese-hackers-targeted-company-behind-ragnarok-online-mmorpg/
Analysis of the malware from QuoInt can be found here: https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/
Information about detecting DNS tunneling can be found here: https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000
