
News portal - Ruhr University Bochum

Researchers at Ruhr-Universität Bochum, together with a research team from Bayerischer Rundfunk (BR) and Norddeutscher Rundfunk (NDR), have uncovered how the hacker group "Winnti"* attacks German and international companies and who is already among its victims. Winnti has probably been operating out of China for at least ten years, spying on companies around the world. In Germany, attacks on Thyssen-Krupp and Bayer have become public.

According to analyses by the team led by Prof. Dr. Thorsten Holz of the Horst Görtz Institute for IT Security in Bochum, at least a dozen companies are affected by the Winnti software, including six DAX-listed companies. The focus is particularly on companies in the chemical industry, but also on computer game manufacturers, telecommunications companies, the pharmaceutical industry and the semiconductor industry. The media reported on the results of the research on 24 July 2019.

Malware from the kit

The BR and NDR research team brought in Thorsten Holz and his doctoral student Moritz Contag because they are experts in software analysis, in particular the analysis of binary code. They wanted to understand more precisely how Winnti's espionage works. "There are now three generations of Winnti software," explains Thorsten Holz, one of the spokespersons of the CASA Cluster of Excellence (Cyber-Security in the Age of Large-Scale Adversaries). "The software has a modular structure, like a construction kit. From this, the group can assemble the right malware for the respective purpose and the victim company."

The kit contains, for example, a module that hides the software on a server of the affected company, a module that collects information from the company network, and a module that establishes a communication channel to the outside.

The control server for the malware is sometimes inside the company network

The malware's binary also carries an embedded configuration that holds the key options for controlling it. Binary code can be executed directly by the processor, but it is hardly readable for humans. The Bochum IT experts translated the code into a readable form and showed that the configuration contained information such as which server was used to control the malware and where the malware resides on the victim's system. The group often used external servers for command and control, but the malware was sometimes also controlled from compromised servers inside the company network. "Interestingly, the configuration files also contain information about which company or organization was specifically attacked," explains Thorsten Holz. "It probably helps the group organize its attacks."

The analyzed malware files came from the VirusTotal database. Anyone can upload files to this service and have them checked by 50 different virus scanners; all uploaded files are stored in a database.

Moritz Contag analyzed several versions of the malware and used the knowledge gained to evaluate several hundred configuration files. He was also able to extract certificates that the attackers can use to disguise their malware even better.
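The workflow described in the two paragraphs above (understand one sample's embedded configuration, then apply that knowledge across hundreds of samples to recover C2 servers, install paths and victim tags) is what a malware configuration extractor automates. The following is an added illustration, not the Bochum team's tooling, and the configuration layout it parses is hypothetical, constructed for this example; the page says nothing about Winnti's real format. The marker bytes, field types, hostnames and paths are all made up, and the `is_internal_host` check highlights the point made above that the control server is sometimes a compromised machine inside the victim network.

```python
"""Added illustration, not the Bochum team's tooling: locating an embedded
configuration in a malware binary, parsing it, and aggregating the result
over many samples. The config layout used here is HYPOTHETICAL and was
constructed for this example; the page does not describe Winnti's real format.
"""
import ipaddress
import struct
from collections import defaultdict
from typing import Dict, List, Optional

# Hypothetical layout: MARKER, then TLV entries (type: 1 byte, length: 2 bytes
# little-endian, value bytes), terminated by an entry of type END.
MARKER = b"CFG\x01"
END = 0xFF
FIELD_NAMES = {0x01: "c2_host", 0x02: "install_path", 0x03: "campaign_tag"}
FIELD_TYPES = {name: ftype for ftype, name in FIELD_NAMES.items()}


def build_sample(fields: Dict[str, str], padding: bytes = b"\x90" * 16) -> bytes:
    """Constructed test input: a fake 'binary' with the config embedded in it."""
    body = b"".join(
        struct.pack("<BH", FIELD_TYPES[name], len(value.encode())) + value.encode()
        for name, value in fields.items()
    )
    body += struct.pack("<BH", END, 0)
    return padding + MARKER + body + padding


def extract_config(blob: bytes) -> Optional[Dict[str, str]]:
    """Find MARKER and walk the TLV entries. Returns None when the marker is
    missing or the structure is truncated: an extractor should refuse to
    guess rather than emit half a configuration."""
    start = blob.find(MARKER)
    if start < 0:
        return None
    pos = start + len(MARKER)
    cfg: Dict[str, str] = {}
    while pos + 3 <= len(blob):
        ftype, flen = struct.unpack_from("<BH", blob, pos)
        pos += 3
        if ftype == END:
            return cfg
        if pos + flen > len(blob):
            return None  # entry runs past the end of the file
        name = FIELD_NAMES.get(ftype, f"unknown_0x{ftype:02x}")
        cfg[name] = blob[pos:pos + flen].decode("utf-8", errors="replace")
        pos += flen
    return None  # data ran out before an END entry


def is_internal_host(host: str) -> bool:
    """True for private/loopback/link-local IP literals, i.e. a C2 that sits
    inside the victim network rather than on the internet."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname, not an IP literal
        return False


def inventory(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """campaign_tag -> sorted C2 hosts, over every sample with a parsable config."""
    by_tag: Dict[str, set] = defaultdict(set)
    for blob in samples.values():
        cfg = extract_config(blob)
        if cfg is not None:
            by_tag[cfg.get("campaign_tag", "<none>")].add(cfg.get("c2_host", "<none>"))
    return {tag: sorted(hosts) for tag, hosts in by_tag.items()}


def internal_c2_hosts(samples: Dict[str, bytes]) -> List[str]:
    """C2 hosts that point back into a private network."""
    hosts = {
        cfg["c2_host"]
        for cfg in map(extract_config, samples.values())
        if cfg and "c2_host" in cfg and is_internal_host(cfg["c2_host"])
    }
    return sorted(hosts)


# Constructed sample set; none of this is real malware or real infrastructure.
SAMPLES = {
    "a.bin": build_sample({"c2_host": "update.example.net",
                           "install_path": r"C:\Windows\Temp\svc.dll",
                           "campaign_tag": "chem-01"}),
    "b.bin": build_sample({"c2_host": "10.20.30.40",  # C2 inside the victim LAN
                           "install_path": r"C:\ProgramData\svc.dll",
                           "campaign_tag": "chem-01"}),
    "c.bin": build_sample({"c2_host": "cdn.example.org", "campaign_tag": "games-07"}),
    "d.bin": b"\x00" * 64,                                                # no config at all
    "e.bin": build_sample({"c2_host": "x.example.com", "campaign_tag": "t"})[:-20],  # cut off
}

if __name__ == "__main__":
    for tag, hosts in inventory(SAMPLES).items():
        print(f"{tag}: {', '.join(hosts)}")
    print("internal C2:", internal_c2_hosts(SAMPLES))
```

Two design points carry over to real extractors: a truncated or marker-less sample yields `None` rather than a partial record, so it cannot pollute the aggregate, and the per-tag grouping is what turns a pile of samples into the "which company was targeted from where" picture described above.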

The reporters contacted a total of 14 companies to inform them of a possible infection with the malware. Some of the affected companies confirmed a corresponding attack; in some cases the analyses are still ongoing. Companies are not the only victims: Winnti also spied on the government of Hong Kong, for example. The journalists therefore suspect that the group engages not only in industrial espionage but also in political espionage.

This is how networks get infected

Infection often starts with phishing emails. If a user clicks a link in such an email or opens the attachment, the Winnti software is installed on the system. The attackers then use this system as a foothold for further attacks within the company network. The software can hide unnoticed on an infected server until it receives a signal from the control server and is activated. The program then communicates with the control server over an encrypted channel and sends selected data from the company network to the attackers.

"We also saw in the analysis that the Winnti software often sleeps for weeks or months and does nothing, is then activated for a day or even a week, and is then switched off again," is how Thorsten Holz describes the typical behavior.
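The behavior described here (long silence toward the control server, then a short burst of activity) is also what a defender can look for in network logs. The following is an added example, not code from the researchers or the broadcasters: a heuristic that reads constructed connection-log lines, groups them per source/destination pair and flags pairs that were silent for weeks and then became busy within a day. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions made for this illustration, not values from the page.

```python
"""Added illustration, not the researchers' code: a detection heuristic for the
dormancy pattern described above. It reads constructed connection-log lines,
groups them per (source, destination) pair and flags pairs that were silent
for weeks and then suddenly became busy. Thresholds are assumptions to tune
against your own baseline, not values from the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed log format: "<ISO 8601 UTC> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+$")


def parse_log(lines: Iterable[str]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, src, dst) per line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["src"], m["dst"]))
    return events


def find_dormant_then_active(events, min_dormant_days=14, burst_window_days=1, min_burst=5):
    """For each (src, dst) pair, look for a gap of at least min_dormant_days
    followed by at least min_burst connections within burst_window_days.
    Returns at most one finding per pair (the first such gap)."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        times.sort()
        for i in range(1, len(times)):
            gap = times[i] - times[i - 1]
            if gap < timedelta(days=min_dormant_days):
                continue
            window_end = times[i] + timedelta(days=burst_window_days)
            burst = sum(1 for t in times[i:] if t <= window_end)
            if burst >= min_burst:
                findings.append({"src": src, "dst": dst, "dormant_days": gap.days,
                                 "woke_at": times[i].isoformat(), "burst": burst})
                break
    return findings


# Constructed sample log (documentation addresses only; nothing here is real traffic).
LOG_LINES = [
    # pair A: one contact in March, then silence, then a busy day in late April
    "2019-03-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2019-04-20T10:14:03Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2019-04-20T10:14:09Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2019-04-20T11:02:55Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2019-04-20T13:47:20Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2019-04-20T16:30:01Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2019-04-20T22:15:44Z src=10.0.0.5 dst=203.0.113.7 dport=443",
    # pair C: the same long gap, but a single contact afterwards: not a burst
    "2019-03-01T09:00:00Z src=10.0.0.9 dst=192.0.2.10 dport=443",
    "2019-04-20T09:00:00Z src=10.0.0.9 dst=192.0.2.10 dport=443",
    "garbage line that does not match the format",
] + [
    # pair B: a daily check-in, the benign steady-state shape
    f"2019-03-{day:02d}T08:00:00Z src=10.0.0.8 dst=198.51.100.3 dport=443"
    for day in range(1, 31)
]

if __name__ == "__main__":
    for finding in find_dormant_then_active(parse_log(LOG_LINES)):
        print(finding)
```

Treat the output as a triage signal, not a verdict: update agents and license checks also produce sparse traffic, so the thresholds need a baseline per environment, and a dormancy period longer than your log retention will simply not be visible.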

Attacks now also target Linux systems

The Winnti software was built to infect systems running the Windows operating system. A Linux version has since appeared as well, as became known in March 2019. "We also took a closer look at this version of the malware," says Thorsten Holz. "It works basically the same way as Winnti."

* An earlier version of this text stated that the Winnti hacker group is also known as APT10. This has been corrected; they are different groups.

Prof. Dr. Thorsten Holz
Chair for Systems Security
Horst Görtz Institute for IT Security
Ruhr-University Bochum
Tel.: 0234 32 25199
Email: [email protected]

Julia Laska
Marketing and PR
Horst Görtz Institute for IT Security and the CASA Cluster of Excellence
Ruhr-University Bochum
Tel.: 0234 32 29162
Email: [email protected]
