Of Pigs and Malware: Examining a Possible Member of the Winnti Group

By | April 19, 2017

by Cyber Safety Solutions Team

In one of our earlier weblog entries, we lined how the menace actor referred to as Winnti was using GitHub to unfold malware – a enchancment that reveals how the group is starting to evolve and use new assault strategies past their earlier methods involving focused assaults in the direction of gaming, pharmaceutical, and telecommunications companies. Through this entry, all by way of which we take a greater have a look at a one who we take into account might be linked to the Winnti group, we hope to current each irregular prospects and organizations greater insights into amongst the numerous devices – notably the server infrastructures- these styles of menace actors use, as properly as to the measurement all by way of which they operate.

Searching Domain Registrations for Clues

Threat actors usually register and use a quantity of domains so as to discretely lead their malware to their Command and Control (C&C) servers. Registering a internet web site identify always requires some sort of figuring out information: a bodily or mailing address, an e-mail address, and a cellphone number. Of these, a sound e-mail tackle holds the biggest significance as a consequence of it is the place the registrar sends the affirmation of a internet web site buy to the mannequin new proprietor collectively with the knowledge needed to handle the domain.

Most fraudsters create one-time e-mail addresses or use stolen e-mail addresses, each of that are straightforward to create or obtain. However, over time, it turns into tedious for fraudsters to always change knowledge when registering new domains. This is the aim the place they’re susceptible to make errors and start reusing e-mail addresses.

A cautious evaluation of the area registrations from this menace actor between 2014 and 2015 allowed us to decide one profile used to register a quantity of domains that have been used as C&C servers for a chosen malware household employed by the Winnti group. In particular, we managed to collect particulars on a particular person using the deal with Hack520, who we take into account is linked to Winnti.

Who is the Winnti group?

The group behind the Winnti malware (which we’ll name the Winnti group for brevity) sprung up as a band of conventional cyber crooks, comprising black hats whose technical abilities have been employed to perpetrate monetary fraud. Based on using domains they registered, the group started out inside the business of fake/rogue anti-virus products in 2007. In 2009, the Winnti group shifted to concentrating on gaming firms in South Korea using a self-named data- and file-stealing malware.

The group, which was primarily motivated by profit, is famous for using self-developed technically-proficient devices for his or her attacks. They as quickly as attacked a sport server to illicitly farm in-game currency (“gaming gold”, which additionally has real-world value) and stole supply codes of on-line sport projects. The group additionally engaged inside the theft of digital certificates which they then used to signal their malware to make them stealthier. The Winnti group diversified its targets to incorporate enterprises resembling these in pharmaceutics and telecommunications. The group has since earned infamy for being involved in malicious actions associated to targeted attacks, resembling deploying spear-phishing campaigns and building a backdoor.

During the course of researching the Winnti group, we obtained here throughout beforehand unreported malware samples that we attributed to the group based mostly on the malware arsenal and using registered domains as assault infrastructure. These samples led us to the invention of further C&C servers that supplied us with extra knowledge than we initially expected.

A nearer have a look at Hack520

Our preliminary investigation on the domains registered by Hack520 revealed that comparable domains (listed below) have been registered by one other profile.


Several of these domains are linked to variants of malware that have been utilized by the Winnti menace actor. Surprisingly enough, it would not take very prolonged to get some particulars about Hack520: somebody with this deal with runs a weblog and a Twitter account (with a deal with shut to Hack520) that may even be instantly linked to the blog.


Figure 1: Twitter account of Hack520

One fascinating element about Hack520 is his apparent love for pigs, as seen in his use of the phrase in his e-mail addresses. He additionally mentions his occupation as a “pig farmer” in on-line message boards. In addition, Hack520’s tweets always current pictures of the identical animal, which is most probably going his pet pig.

The Twitter deal with utilized by Hack520 signifies additionally an “est” portion. This “est” reference might check with a hacking group with its personal message board on which hack520 additionally posts regularly.

In one express discussion board post, Hack520 mentions that he was beforehand jailed for a interval of 10 months in a weblog put up dated May 31, 2009.


Figure 2: Post from Hack520’s blog

A tough translation of this message is as follows:

“Fxxk, as quickly as I am released, the server is offline, I can’t discover the machine, the area is expired, it is so bad. I wasted 10 months, I even have failed and misplaced my money.”

Hack520 seems to be very considering about internet hosting companies and his profile matches that of a system administrator profile with some programming and hacking skills.

After further research, we have been ready to hyperlink Hack520 to completely different community administration activities, notably with a Virtual Private Server (VPS) internet hosting service. The strategy Hack520 indicators his messages in a single hacker discussion board presents a clue pointing to this connection. While one among his signatures makes use of his personal weblog domain, there might even be additionally a second signature which makes use of 93[.]gd, a internet web site that was found to have been actively promoting VPS companies inside the past. The e-mail tackle [email protected][.]gd is linked to IP addresses owned by a sure person with the nickname “PIG GOD”—another reference to Hack520’s ardour for pigs.

Among the IP addresses owned by Hack520 is a whole/22 IP Range which we dubbed as a consequence of the “PIG RANGE”. The IP fluctuate for “PIG GOD” is 43[.]255[.]188.0/22, which seems to be hosted in Hong Kong as seen inside the knowledge we found:

inetnum: 43[.]255[.]188[.]0 – 43[.]255[.]190[.]255
netname: PIG-HK
description: PIG GOD
country: HK
admin-c: PG406-AP
tech-c: PG406-AP
person: pig god
country: HK
phone: +852-39437000
e-mail: [email protected][.]to
nic-hdl: PG406-AP
changed: [email protected][.]to 20160917
source: APNIC

The area 66[.]to ends in a single other internet web site that reveals Hack520’s pet pig. It additionally reveals direct hyperlinks to secure[.]66[.]to and zhu[.]vn, each of which additionally belong to Hack520 and accommodates his private blog.


Figure 3: Hack520’s pet pig

We have been ready to discovering further hyperlinks between Hack520’s “Pig network” and the Winnti group’s activities. This consists of internet hosting C&C domains that have been utilized by Winnti resembling mtrue.com, shenqi[.]kr and zhu[.]kr. We additionally found a dwell service promoting VPS internet hosting at secure[.]66[.]to. The internet hosting companies provided at secure[.]66[.]to are actually internet hosting companies rented to completely different firms worldwide. The contents current in secure[.]66[.]to typically lead to zhu[.]vn, which is Hack520’s area for internet hosting his personal private blog.


Figure 4: Screenshot of secure[.]66[.]to

We found roughly 500 domains that lead or have led to the “Pig network” between 2015 to March 2017. Most of these domains appear to have contained illegitimate content material like pornography and on-line gambling. We extremely suspect the “Pig network” to have additionally been used as a bulletproof internet hosting service for cybercriminals who’re unrelated to the Winnti group.

From what we’ve seen in Hack520’s blog, as properly as to the infrastructure deployed round it, it is pretty safe to say that Hack520 is involved in elements of the VPS service exercise supplied to teams like Winnti and completely different cybercriminals or menace actors.

What we’ve learned

Threat actors simply like the Winnti group not often ever maintain static when it entails each devices and tactics. As we’ve already beforehand talked about in our 2017 predictions, these teams will always evolve and make use of distinctive and superior assault techniques. In addition, people like Hack520 show that these menace actors are composed of assorted people who’ve their very personal set of expertise. All of these issues level to menace actors and teams like Winnti will proceed to try completely different strategies of attack.

Threat actors are always in search of to develop the strategies they use, thus safety practices and options that work for much less organized cybercriminals might not work for decided teams who’re eager to spend time, assets and manpower to carry out their goals. As such, there is a necessity for all people to be proactive with reference to security, particularly for organizations who’re usually the victims of focused attacks. By creating consciousness and using the becoming solutions, each people and organizations can take the steps needed to defend in the direction of the malicious methods utilized by menace actors simply like the Winnti group.

Of Pigs and Malware: Examining a Possible Member of the Winnti Group

Please check this great service at: http://www.test-net.org/services/reverse-lookup/ or visit FREE SERVICES menu

[Total: 0    Average: 0/5]