Winnti (APT41): The cyber-security firm QuoIntelligence (QuoInt) outlined new malware strains that it linked to APT41, a Chinese threat group known to have targeted gaming companies in the past. The malware the researchers analyzed included the string “Ox1A0: Gravity,” where Gravity is the name of the parent company of the Massively Multiplayer Online Role-playing Game (MMORPG) Ragnarok, which allowed the researchers to identify the victim. The malware is known as the “Winnti Dropper,” and it is used in the initial stage of an attack to gain access to a company. QuoInt first obtained the malware from a German virus scanner and assessed, based on a different string in a variant of the Winnti Dropper, that it had been used to target a German chemical company. The analysis revealed a Command and Control (C2) technique not previously attributed to Winnti: tunneling communication through DNS using a custom implementation of the iodine source code. Iodine is open-source software that enables the tunneling of IPv4 data through a DNS server.
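The iodine-style DNS tunneling described above, seen from the defender's side: this is an added example, not code from the QuoIntelligence report or the Binary Defense post, that profiles a constructed resolver log per registered domain on query volume, subdomain length, label entropy and use of the record types iodine can carry data in. The log lines, domain names, the "last two labels" domain rule and all thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the report): "ts client qname qtype".
SAMPLE_LOG = """\
2020-03-01T10:00:01 10.0.0.5 www.example.com A
2020-03-01T10:00:02 10.0.0.5 mail.example.com MX
2020-03-01T10:00:03 10.0.0.7 zj3k9qv7xw2a.b8f0p1.tunnel-example.net NULL
2020-03-01T10:00:03 10.0.0.7 q0f8hz2m7kxc.c3d1r9.tunnel-example.net NULL
2020-03-01T10:00:04 10.0.0.7 p5n2vd8ym1ls.a7e4k2.tunnel-example.net NULL
2020-03-01T10:00:04 10.0.0.7 x9b4wq6tr3hj.d2g5m8.tunnel-example.net TXT
2020-03-01T10:00:05 10.0.0.7 k2s7fc1yn4pz.e6h3t0.tunnel-example.net NULL
2020-03-01T10:00:06 10.0.0.9 cdn.example.org A
"""
# Record types iodine can carry tunnel data in (NULL is its default).
TUNNEL_RRTYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}

def shannon_entropy(s):
    """Bits per character; encoded tunnel payloads look close to random."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def profile_domains(log_text):
    """Aggregate count, subdomain length, entropy and odd record types per
    registered domain (assumed here to be the last two labels of the name)."""
    stats = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "odd": 0})
    for line in filter(str.strip, log_text.splitlines()):
        _ts, _client, qname, qtype = line.split()
        labels = qname.rstrip(".").split(".")
        sub = ".".join(labels[:-2])          # everything below the registered domain
        st = stats[".".join(labels[-2:])]
        st["n"] += 1
        st["len"] += len(sub)
        st["ent"] += shannon_entropy(sub.replace(".", ""))
        st["odd"] += qtype.upper() in TUNNEL_RRTYPES
    return stats

def flag_tunnel_candidates(log_text, min_n=3, min_len=16, min_ent=3.0, min_odd=0.5):
    """Domains whose averages look like DNS-tunnel C2. Thresholds are illustrative."""
    flagged = {}
    for domain, st in profile_domains(log_text).items():
        n, avg_len, avg_ent, odd = st["n"], st["len"] / st["n"], st["ent"] / st["n"], st["odd"] / st["n"]
        if n >= min_n and avg_len >= min_len and avg_ent >= min_ent and odd >= min_odd:
            flagged[domain] = {"queries": n, "avg_sub_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2), "odd_type_ratio": round(odd, 2)}
    return flagged

if __name__ == "__main__":
    for domain, metrics in flag_tunnel_candidates(SAMPLE_LOG).items():
        print(domain, metrics)
```

Real deployments would tune the thresholds against a baseline of the organisation's normal DNS traffic, since CDNs and some security products also generate long, high-entropy labels.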
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased