

During threat research in March 2020 [1], PT Expert Security Center specialists found a previously unknown backdoor and named it xDll, based on the original name found in the code. As a result of a configuration flaw of the malware's command and control (C2) server, some server directories were externally accessible.

The following new samples were found on the server:

ShadowPad is used by Winnti (APT41, BARIUM, AXIOM), a group that has been active since at least 2012. This state-sponsored group originates from China [2]. The key interests of the group are espionage and financial gain. Their core toolkit consists of malware of their own making. Winnti uses complex attack methods, including supply chain and watering hole attacks. The group knows exactly who their victims are. They develop attacks very carefully and deploy their primary tools only after detailed reconnaissance of the infected system.

The group attacks countries all over the world: Russia, the United States, Japan, South Korea, Germany, Mongolia, Belarus, India, and Brazil. The group tends to attack the following industries:

The first attack with ShadowPad was recorded in 2017 [3]. This backdoor has often been used in supply chain attacks such as the CCleaner [4] and ASUS [5] hacks. We didn't find any connection with the current infrastructure. ESET released its most recent report about Winnti activities involving ShadowPad in January 2020 [6]. However, during research we found that the new ShadowPad infrastructure had commonalities with infrastructures of other groups, which may mean that Winnti was involved in other attacks with previously unknown organizers and perpetrators. This report contains a detailed analysis of the new network infrastructure related to ShadowPad, new samples of malware from the Winnti group, and also analysis of ties to other attacks possibly associated with the group.

Detecting ShadowPad

Network infrastructure

Initially, when the xDll backdoor was analyzed (see Section 2.2), it could not be clearly tied to any APT group. The sample had a very interesting C2 server, which potentially could indicate attacks against Japan. When we studied the network infrastructure and searched for similar samples, we found several domains with similar names.

Figure: Network infrastructure of the Winnti group at the initial stage of analysis

The domain names give reason to suspect that attacks also target South Korea, Mongolia, Russia, and the United States. When we studied the infrastructure further, we found several simple downloaders unfamiliar to us (see Section 2.1). They contact related C2 servers, and in the response should receive a XOR-encrypted payload with key 0x37. The downloader we found was named SkinnyD (Skinny Downloader) for its small size and bare-bones functionality. At first, we could not obtain the payload for SkinnyD, because all C2 servers were inactive. But after a while, we found new samples of the xDll backdoor. The URL structure and some lines in SkinnyD make it very similar to the xDll backdoor.

When we analyzed one of the samples, we found some public directories on its C2 server. The file called x.jpg is an xDll backdoor encrypted with XOR with key 0x37. This suggests that xDll is a payload for SkinnyD.

Figure: Structure of public directories on the discovered C2 server

The most interesting thing on the server is the contents of the "cache" directory.
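As an added example, not code from the report or from PT Expert Security Center, the Python routine below shows how an analyst would handle a payload delivered the way the report describes for x.jpg: the file is XOR-encrypted with the single-byte key 0x37, so decoding is a byte-wise XOR, and the result should be checked for a valid PE header before any further analysis. It goes one step beyond the page by also recovering an unknown single-byte key from the expected "MZ" magic, which is useful when a related sample turns up with a different key. The sample blob, the function names and the key-recovery step are my own constructions.

```python
"""
Added example (not from the PT report): decode a payload that a SkinnyD-style
downloader would receive, i.e. a file XOR-encrypted with the single-byte key
0x37, and check that the result is a plausible PE file before handing it to
further analysis. The sample below is constructed, not a real xDll binary.
"""
import struct
from typing import Optional

XDLL_KEY = 0x37  # the key named in the report for the x.jpg payload


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte (XOR is its own inverse, so this
    both encrypts and decrypts)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' magic and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Known-plaintext key recovery (assumption: the plaintext is a PE file).
    The first two bytes must decode to 'MZ', so both must yield the same key,
    and the decoded buffer must carry a valid PE signature; else return None."""
    if len(blob) < 2:
        return None
    k0 = blob[0] ^ ord("M")
    k1 = blob[1] ^ ord("Z")
    if k0 != k1:
        return None
    return k0 if looks_like_pe(xor_decode(blob, k0)) else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE payload: a DOS header with e_lfanew=0x40,
    then a PE signature and zero filler. Headers only, not executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


# Constructed "x.jpg": the fake PE encrypted the way the report describes.
FAKE_X_JPG = xor_decode(build_fake_pe(), XDLL_KEY)

if __name__ == "__main__":
    key = recover_single_byte_key(FAKE_X_JPG)
    print(f"recovered key: {key:#04x}" if key is not None else "no key found")
    print("PE header valid:", looks_like_pe(xor_decode(FAKE_X_JPG, XDLL_KEY)))
```

The header check matters in practice: a downloader's C2 may answer with an error page or a decoy instead of the payload, and XOR-decoding arbitrary bytes always "succeeds", so only the MZ/PE validation tells you whether you actually hold the backdoor. The key-recovery path is a plain known-plaintext attack on a single-byte XOR; it works for any sample whose plaintext is a PE file, not just for key 0x37.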
