TT Malware Log

A personal investigation and research log on malware, cyber attacks, and analysis techniques

Winnti [Threat Group] (Summary)

【Aliases】

Alias          Naming vendor
Winnti         General
Blackfly       Symantec
Suckfly        Symantec
Wicked Panda   CrowdStrike
Wicked Spider  CrowdStrike


【Related Groups】

(Axiom)     Uses the same malware as Winnti
(Group 72)


【Malware Used】

Winnti


【Overview】

Active since         2009~ (Kaspersky), 2010~ (?)
Base of operations   Chengdu (Symantec)
Malware used         Winnti, Nidiran
Targets              Online game companies
Objectives           Theft of intellectual property, including online game source code
                     Theft of digital (code-signing) certificates belonging to legitimate software vendors
Related groups       APT17, Ke3chang, Axiom
Targeted countries   South Korea, Germany, United States, Japan, China, Russia, Brazil, Peru, Belarus
Targeted companies   Nexon (Japan)
Monetization         Industrial espionage
                     Real-money trading (RMT): converting in-game virtual currency into real-world currency
                     Running pirate (unofficial) game servers


【Reference Entries】

■ Groups

◆Group: Winnti Group, Blackfly (ATT&CK)
https://attack.mitre.org/wiki/Group/G0044

◆Suckfly APT (IBM X-Force Exchange)
https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab

◆Axiom (ATT&CK)
https://attack.mitre.org/groups/G0001/

◆Winnti Umbrella
https://malpedia.caad.fkie.fraunhofer.de/actor/winnti_umbrella

■ Malware

◆Winnti (NJCCIC)
https://www.cyber.nj.gov/threat-profiles/trojan-variants/winnti


【News】

◆Priority Intelligence Report: WINNTI Group Changing Targets (The Register, 2013/04/11)
http://www.theregister.co.uk/2013/04/11/video_game_cyberespionage/
http://malware-log.hatenablog.com/entry/2013/04/11/000000_2

◆Cybercrime group "Winnti" targets game developers: Kaspersky publishes report (RBB Today, 2013/04/12 13:26)
https://www.rbbtoday.com/article/2013/04/12/106262.html
http://malware-log.hatenablog.com/entry/2013/04/12/000000_2

◆Analysis of a cyber-espionage campaign targeting online game companies worldwide: Kaspersky (ZDNet, 2013/04/12 15:30)
https://japan.zdnet.com/article/35030780/
http://malware-log.hatenablog.com/entry/2013/04/12/000000_2

◆Hacker group Winnti carried out cyber attacks on online game developers for four years (Business+IT, 2013/04/12)
http://www.sbbit.jp/article/cont1/26189
http://malware-log.hatenablog.com/entry/2013/04/12/000000_2

◆Backdoor Built With Aheadlib Used In Targeted Attacks? (Trendmicro, 2013/05/09)
http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-built-with-aheadlib-used-in-targeted-attacks/
http://malware-log.hatenablog.com/entry/2013/05/09/000000_1

◆Variant resembling the "WINNTI" family used in targeted attacks on game companies confirmed (Trendmicro, 2013/05/17)
http://blog.trendmicro.co.jp/archives/7252
http://malware-log.hatenablog.com/entry/2013/05/17/000000_1

◆Winnti trojan may help set stage for Skeleton Key attacks, analysts say (SC Media, 2015/01/29)
https://www.scmagazine.com/home/security-news/winnti-trojan-may-help-set-stage-for-skeleton-key-attacks-analysts-say/

◆Winnti Malware Gets into Pharmaceutical Business (Softpedia, 2015/06/23)
https://news.softpedia.com/news/winnti-malware-gets-into-pharmaceutical-business-485013.shtml

◆Targeted attack disguised as "MERS prevention"; beware of "CHM files" (Security NEXT, 2015/06/30)
http://www.security-next.com/060001/2

◆'Suckfly' in the ointment: Chinese APT group steals code-signing certificates (SC Magazine, 2016/03/16)
https://www.scmagazine.com/suckfly-in-the-ointment-chinese-apt-group-steals-code-signing-certificates/article/528968/
http://malware-log.hatenablog.com/entry/2016/03/16/000000_3

◆Suckfly: Revealing the secret life of your code signing certificates (Symantec, 2016/05/15)
https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

◆Indian organizations targeted in Suckfly attacks (Symantec, 2016/05/17)
https://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks

◆Suckfly Cyber-Espionage Group Targets Indian Government and Private Companies (Softpedia, 2016/05/18)
http://news.softpedia.com/news/suckfly-cyber-espionage-group-targets-indian-government-and-private-companies-504183.shtml

◆Suckfly APT (XForce, 2016/06/03)
https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab

◆Suckfly targets Indian organizations (Symantec, 2016/05/19)
https://www.symantec.com/connect/nl/blogs/suckfly-2?page=1
http://malware-log.hatenablog.com/entry/2016/05/19/000000_3

◆Research claims CCleaner attack carried out by Chinese-linked group (CyberScoop, 2017/10/02)
https://www.cyberscoop.com/ccleaner-attack-china-intezer-labs-piriform-apt17/

◆Bayer contains cyber attack it says bore Chinese hallmarks (Reuters, 2019/04/04 16:35)
https://www.reuters.com/article/us-bayer-cyber/bayer-says-has-detected-contained-cyber-attack-idUSKCN1RG0NN
http://malware-log.hatenablog.com/entry/2019/04/04/000000

◆Cyber attack on German pharmaceutical giant Bayer; "no evidence of data theft" (ZDNet, 2019/04/05 11:26)
https://japan.zdnet.com/article/35135308/
http://malware-log.hatenablog.com/entry/2019/04/05/000000_2


【Blogs】

◆Winnti 1.0 technical analysis (SECURELIST, 2013/04/11)
https://securelist.com/winnti-1-0-technical-analysis/37002/
http://malware-log.hatenablog.com/entry/2013/04/11/000000_7

◆The Winnti honeypot – luring intruders (SECURELIST, 2013/04/11)
https://securelist.com/the-winnti-honeypot-luring-intruders/35623/
http://malware-log.hatenablog.com/entry/2013/04/11/000000_3

◆Winnti-Stolen Digital Certificates Re-Used in Current Watering Hole Attacks on Tibetan and Uyghur Groups (SECURELIST, 2013/04/12)
https://securelist.com/winnti-stolen-digital-certificates-re-used-in-current-watering-hole-attacks-on-tibetan-and-uyghur-groups-3/35692/
http://malware-log.hatenablog.com/entry/2013/04/12/000000_4

◆Winnti returns with PlugX (SECURELIST, 2013/04/15 12:30 GMT)
http://www.securelist.com/en/blog/208194224/Winnti_returns_with_PlugX
http://malware-log.hatenablog.com/entry/2013/04/15/000000_1

◆Games are over: Winnti is now targeting pharmaceutical companies (Kaspersky, 2015/06/22 14:19)
https://securelist.com/games-are-over/70991/

◆I am HDRoot! Part 1 (SECURELIST, 2015/10/06)
https://securelist.com/i-am-hdroot-part-1/72275/

◆PlugX malware: A good hacker is an apologetic hacker (SecureList, 2016/03/10 11:59)
https://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is-an-apologetic-hacker/

◆Suckfly: Revealing the secret life of your code signing certificates (Symantec, 2016/03/15)
https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

◆Suckfly targets Indian organizations (Symantec, 2016/05/18)

Suckfly is conducting a long-running espionage campaign against Indian government agencies and commercial companies.

https://www.symantec.com/connect/blogs/suckfly-2
http://malware-log.hatenablog.com/entry/2016/05/18/000000_4

◆Suckfly (Schneier on Security, 2016/05/26 06:31)
https://www.schneier.com/blog/archives/2016/05/suckfly.html

◆"WINNTI" abuses GitHub for C&C communication (Trendmicro, 2017/03/30)
http://blog.trendmicro.co.jp/archives/14654

◆Of Pigs and Malware: Examining a Possible Member of the Winnti Group (Trendmicro, 2017/04/19)
https://blog.trendmicro.co.jp/archives/14794

◆Member involved with the cybercrime group "WINNTI" possibly identified (Trendmicro, 2017/04/27)
http://blog.trendmicro.co.jp/archives/14794
http://malware-log.hatenablog.com/entry/2017/04/27/000000_2

◆Meet CrowdStrike’s Adversary of the Month for July: WICKED SPIDER (CrowdStrike, 2018/07/26)
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/
http://malware-log.hatenablog.com/entry/2018/07/26/000000_8


【Public Information】

◆Winnti. More than just a game (SECURELIST, 2013/04/11) ☆☆
https://securelist.com/winnti-more-than-just-a-game/37029/
http://malware-log.hatenablog.com/entry/2013/04/11/000000_6

◆Backdoor.Winnti (Symantec, 2013/04/12)
https://www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2011-102716-2809-99&tabid=2
http://malware-log.hatenablog.com/entry/2013/04/12/000000_1

◆Winnti Backdoor Created with Aheadlib to Mimic Legitimate System Library (Softpedia, 2013/05/10)
https://news.softpedia.com/news/Winnti-Backdoor-Created-with-Aheadlib-to-Mimic-Legitimate-System-Library-352240.shtml
http://malware-log.hatenablog.com/entry/2013/05/10/000000_2

【Documents】

■ Malware / Groups

◆Winnti (Kaspersky, 2013/04)
https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf
http://malware-log.hatenablog.com/entry/2013/04/01/000000_1

◆WINNTI ANALYSIS (NOVETTA)
http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf

◆Internet Infrastructure Review (IIR) Vol.23 (IIJ, 2014/05/28)
http://www.iij.ad.jp/company/development/report/iir/023/01_04.html


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2019