Tuesday, 29 September 2015 12:29

Chinese cyber-criminals launch new attacks


Kaspersky Lab is tracking the activity of the Chinese Winnti group, cyber-criminals targeting organisations in Japan, China, Bangladesh, Indonesia, the UK, the US and Russia, and soon, perhaps, your own back yard.

The Winnti criminal organization is known for industrial cyber-espionage campaigns targeting software companies, especially those in the gaming industry. Recently it moved to the lucrative telecoms and big pharma businesses.

Kaspersky Lab has called the threat “HDRoot” after the original tool’s name, “HDD Rootkit”. It is based on a 2006 bootkit installer and is a universal platform for a sustainable, persistent presence on a targeted system, which can then be used as a foothold for any arbitrary tool.

“HDRoot” was discovered when a sample of malware sparked the interest of Kaspersky Lab’s Global Research and Analysis Team (GReAT) for the following reasons:

  • It was a Win64 executable protected with the commercial VMProtect packer and signed with a known compromised certificate belonging to the Chinese entity Guangzhou YuanLuo Technology. The Winnti group is known to have abused this certificate in the past to sign other tools.
  • The file properties and output text of the executable were spoofed to make it look like Microsoft’s Net Command (net.exe), to reduce the risk of system administrators exposing the program as hostile.
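The two tells listed above, a known-abused signing certificate and version information that imitates net.exe, are both checkable from an endpoint. The following PowerShell triage script is an added example written for this article; it is not Kaspersky’s detection logic, and the scanned directories and the match strings are assumptions.

```powershell
# Added example (not from the article): flag executables whose version info
# imitates Microsoft's net.exe but which are not Microsoft-signed, and any file
# signed by the Guangzhou YuanLuo certificate the article names as compromised.
function Test-SpoofedNetExe {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Does the file present itself as net.exe (name, OriginalFilename or description)?
    $looksLikeNet = ($item.Name -ieq 'net.exe') -or
                    ($vi.OriginalFilename -ieq 'net.exe') -or
                    ($vi.FileDescription -like '*Net Command*')

    # The genuine net.exe carries a valid Microsoft Corporation signature.
    $msSigned = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')

    # Subject match for the compromised certificate (assumed subject string).
    $abusedSigner = $subject -match 'Guangzhou YuanLuo'

    $reasons = @(
        if ($looksLikeNet -and -not $msSigned) { 'claims to be net.exe but is not Microsoft-signed' }
        if ($abusedSigner)                     { 'signed with the compromised Guangzhou YuanLuo certificate' }
        if ($item.Name -ieq 'net.exe' -and
            $item.DirectoryName -notin @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
            'net.exe located outside System32/SysWOW64'
        }
    )

    [pscustomobject]@{
        Path            = $item.FullName
        Signer          = $subject
        SignatureStatus = $sig.Status
        Reasons         = ($reasons -join '; ')
    }
}

# Assumed scan scope: common drop locations for user-writable executables.
Get-ChildItem -Path 'C:\ProgramData', 'C:\Windows\Temp', "$env:TEMP" -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SpoofedNetExe -Path $_.FullName } |
    Where-Object { $_.Reasons } |
    Format-Table -AutoSize
```

A hit on the certificate subject is high confidence; a net.exe look-alike that is merely unsigned still needs a hash or sandbox check before it is treated as Winnti tooling.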

GReAT researchers were able to identify two types of backdoors launched with the help of this platform, but there may be more. One of these backdoors was able to bypass well-established anti-virus products in South Korea - AhnLab’s V3 Lite, AhnLab’s V3 365 Clinic and ESTsoft’s ALYac, where Winnti used it to launch malware products on its targets.

Andrew Mamonitis, Managing Director at Kaspersky Lab ANZ says, “The most important goal for any APT-actor is to stay under the radar. That is why we rarely see any complicated code encryption. The Winnti group took a risk, because it probably knows from experience which signs should be covered-up and which can be overlooked, as organizations don’t always apply all the best security policies all of the time. System administrators have to keep on top of many things, and if the team is small, the chance that cyber-criminal activity will remain undetected is even higher”.

This is an active threat. Since Kaspersky Lab started to add detections, the group behind the attacks has started to adapt them. In less than one month, a new modification was identified.

Kaspersky Lab’s products successfully block the malware and protect users against the threat.



Ray Shaw


Ray Shaw [email protected] has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT radio program on ABC radio for 10 years, has developed world-leading software for the events industry and is smart enough to no longer own a retail computer store!
