TT Malware Log

A personal research log on malware, cyber attacks and analysis techniques

Winnti / APT41 (Summary)

Overview

【Aliases】

Alias          Vendor using the name
Winnti         General (Kaspersky, ESET, ClearSky)
Blackfly       -
Suckfly        Symantec
Wicked Panda   -
Wicked Spider  -
APT41          FireEye
Barium         Microsoft


【Related groups】

Related group  Notes
Axiom          Uses the same malware as Winnti
Group 72


【Malware used】

Malware name   Notes
Winnti


【Summary】

Item                  Details
Active period         2009- (Kaspersky), 2010- (?)
Base of operations    Chengdu (Symantec)
Malware used          Winnti, Nidiran
Targets               Online game companies
Goals                 Theft of intellectual property, including online-game source code
                      Acquisition of digital certificates signed by legitimate software vendors
Related groups        APT17, Ke3chang, Axiom
Targeted countries    South Korea, Germany, United States, Japan, China, Russia, Brazil, Peru, Belarus
Targeted companies    Nexon (Japan)
Monetization schemes  Industrial espionage
                      Real-money trading (RMT): converting in-game virtual currency into real currency
                      Deployment of pirate game servers


【Reference profiles】

■Groups

◆Group: Winnti Group, Blackfly (ATT&CK)
https://attack.mitre.org/wiki/Group/G0044

◆Suckfly APT (IBM X-Force Exchange)
https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab

◆Axiom (ATT&CK)
https://attack.mitre.org/groups/G0001/

◆Winnti Umbrella
https://malpedia.caad.fkie.fraunhofer.de/actor/winnti_umbrella

■Malware

◆Winnti (NJCCIC)
https://www.cyber.nj.gov/threat-profiles/trojan-variants/winnti

Articles

【News】

◆Priority Intelligence Report: WINNTI Group Changing Targets (The Register, 2013/04/11)
http://www.theregister.co.uk/2013/04/11/video_game_cyberespionage/
http://malware-log.hatenablog.com/entry/2013/04/11/000000_2

◆Cybercrime group "Winnti" targets game developers: Kaspersky publishes report (RBB Today, 2013/04/12 13:26)
https://www.rbbtoday.com/article/2013/04/12/106262.html
http://malware-log.hatenablog.com/entry/2013/04/12/000000_2

◆Analysis of cyber-espionage activity targeting online game companies worldwide: Kaspersky (ZDNet, 2013/04/12 15:30)
https://japan.zdnet.com/article/35030780/
http://malware-log.hatenablog.com/entry/2013/04/12/000000_2

◆Hacker group Winnti carried out cyber attacks on online game developers for four years (ビジネス+IT, 2013/04/12)
http://www.sbbit.jp/article/cont1/26189
http://malware-log.hatenablog.com/entry/2013/04/12/000000_2

◆Backdoor Built With Aheadlib Used In Targeted Attacks? (Trendmicro, 2013/05/09)
http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-built-with-aheadlib-used-in-targeted-attacks/
http://malware-log.hatenablog.com/entry/2013/05/09/000000_1

◆Variant similar to the "WINNTI" family used in targeted attacks on game companies confirmed (Trendmicro, 2013/05/17)
http://blog.trendmicro.co.jp/archives/7252
http://malware-log.hatenablog.com/entry/2013/05/17/000000_1

◆Winnti trojan may help set stage for Skeleton Key attacks, analysts say (SC Media, 2015/01/29)
https://www.scmagazine.com/home/security-news/winnti-trojan-may-help-set-stage-for-skeleton-key-attacks-analysts-say/

◆Winnti Malware Gets into Pharmaceutical Business (Softpedia, 2015/06/23)
https://news.softpedia.com/news/winnti-malware-gets-into-pharmaceutical-business-485013.shtml

◆Targeted attacks disguised as "MERS prevention": beware of "CHM files" (Security NEXT, 2015/06/30)
http://www.security-next.com/060001/2

◆'Suckfly' in the ointment: Chinese APT group steals code-signing certificates (SC Magazine, 2016/03/16)
https://www.scmagazine.com/suckfly-in-the-ointment-chinese-apt-group-steals-code-signing-certificates/article/528968/
http://malware-log.hatenablog.com/entry/2016/03/16/000000_3

◆Suckfly: Revealing the secret life of your code signing certificates (Symantec, 2016/05/15)
https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

◆Indian organizations targeted in Suckfly attacks (Symantec, 2016/05/17)
https://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks

◆Suckfly Cyber-Espionage Group Targets Indian Government and Private Companies (Softpedia, 2016/05/18)
http://news.softpedia.com/news/suckfly-cyber-espionage-group-targets-indian-government-and-private-companies-504183.shtml

◆Suckfly APT (XForce, 2016/06/03)
https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab

◆Suckfly targets Indian organizations (Symantec, 2016/05/19)
https://www.symantec.com/connect/nl/blogs/suckfly-2?page=1
http://malware-log.hatenablog.com/entry/2016/05/19/000000_3

◆Research claims CCLeaner attack carried out by Chinese-linked group (CyberScoop, 2017/10/02)
https://www.cyberscoop.com/ccleaner-attack-china-intezer-labs-piriform-apt17/

◆Bayer contains cyber attack it says bore Chinese hallmarks (Reuters, 2019/04/04 16:35)
https://www.reuters.com/article/us-bayer-cyber/bayer-says-has-detected-contained-cyber-attack-idUSKCN1RG0NN
http://malware-log.hatenablog.com/entry/2019/04/04/000000

◆Cyber attack on German pharmaceutical giant Bayer: "no evidence that data was stolen" (ZDNet, 2019/04/05 11:26)
https://japan.zdnet.com/article/35135308/
http://malware-log.hatenablog.com/entry/2019/04/05/000000_2

◆Chinese state-backed hacker group targets cryptocurrency exchanges and game companies, security firm reports (CoinTelegraph, 2019/08/08)
https://jp.cointelegraph.com/news/chinese-govt-hackers-are-targeting-crypto-companies-report
https://malware-log.hatenablog.com/entry/2019/08/08/000000_6

◆Chinese state-backed hacker group possibly identified; cryptocurrency and game industries targeted (The Nodist, 2019/08/09)
https://jp.thenodist.com/articles/12094
https://malware-log.hatenablog.com/entry/2019/08/09/000000_1


【Blog posts】

◆Winnti 1.0 technical analysis (SECURELIST, 2013/04/11)
https://securelist.com/winnti-1-0-technical-analysis/37002/
http://malware-log.hatenablog.com/entry/2013/04/11/000000_7

◆The Winnti honeypot – luring intruders (SECURELIST, 2013/04/11)
https://securelist.com/the-winnti-honeypot-luring-intruders/35623/
http://malware-log.hatenablog.com/entry/2013/04/11/000000_3

◆Winnti-Stolen Digital Certificates Re-Used in Current Watering Hole Attacks on Tibetan and Uyghur Groups (SECURELIST, 2013/04/12)
https://securelist.com/winnti-stolen-digital-certificates-re-used-in-current-watering-hole-attacks-on-tibetan-and-uyghur-groups-3/35692/
http://malware-log.hatenablog.com/entry/2013/04/12/000000_4

◆Winnti returns with PlugX (SECURELIST, 2013/04/15 12:30 GMT)
http://www.securelist.com/en/blog/208194224/Winnti_returns_with_PlugX
http://malware-log.hatenablog.com/entry/2013/04/15/000000_1

◆Backdoor Built With Aheadlib Used In Targeted Attacks? (Trendmicro, 2013/05/09)
http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-built-with-aheadlib-used-in-targeted-attacks/
http://malware-log.hatenablog.com/entry/2013/05/09/000000_1

◆Games are over: Winnti is now targeting pharmaceutical companies (Kaspersky, 2015/06/22 14:19)
https://securelist.com/games-are-over/70991/

◆I am HDRoot! Part 1 (SECURELIST, 2015/10/06)
https://securelist.com/i-am-hdroot-part-1/72275/

◆PlugX malware: A good hacker is an apologetic hacker (SecureList, 2016/03/10 11:59)
https://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is-an-apologetic-hacker/

◆Suckfly: Revealing the secret life of your code signing certificates (Symantec, 2016/03/15)
https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

◆Suckfly targets Indian organizations (Symantec, 2016/05/18)

Suckfly has been conducting a long-running espionage campaign against Indian government agencies and commercial enterprises.

https://www.symantec.com/connect/blogs/suckfly-2
http://malware-log.hatenablog.com/entry/2016/05/18/000000_4

◆Suckfly targets Indian organizations (Symantec, 2016/05/19)
https://www.symantec.com/connect/nl/blogs/suckfly-2?page=1
http://malware-log.hatenablog.com/entry/2016/05/19/000000_3

◆Suckfly (Schneier on Security, 2016/05/26 06:31)
https://www.schneier.com/blog/archives/2016/05/suckfly.html

◆"WINNTI" abuses GitHub for C&C communication (Trendmicro, 2017/03/30)
http://blog.trendmicro.co.jp/archives/14654

◆Of Pigs and Malware: Examining a Possible Member of the Winnti Group (Trendmicro, 2017/04/19)
https://blog.trendmicro.co.jp/archives/14794

◆Member involved with cybercriminal group "WINNTI" possibly identified (Trendmicro, 2017/04/27)
http://blog.trendmicro.co.jp/archives/14794
http://malware-log.hatenablog.com/entry/2017/04/27/000000_2

◆Meet CrowdStrike's Adversary of the Month for July: WICKED SPIDER (CrowdStrike, 2018/07/26)
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/
http://malware-log.hatenablog.com/entry/2018/07/26/000000_8

◆APT41: a double-headed-dragon threat actor conducting both espionage and cybercrime (FireEye, 2019/08/08)
https://www.fireeye.jp/blog/jp-threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html
https://malware-log.hatenablog.com/entry/2019/08/08/000000_7

【Published information】

◆Winnti. More than just a game (SECURELIST, 2013/04/11) ☆☆
https://securelist.com/winnti-more-than-just-a-game/37029/
http://malware-log.hatenablog.com/entry/2013/04/11/000000_6

◆Backdoor.Winnti (Symantec, 2013/04/12)
https://www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2011-102716-2809-99&tabid=2
http://malware-log.hatenablog.com/entry/2013/04/12/000000_1

◆Winnti Backdoor Created with Aheadlib to Mimic Legitimate System Library (Softpedia, 2013/05/10)
https://news.softpedia.com/news/Winnti-Backdoor-Created-with-Aheadlib-to-Mimic-Legitimate-System-Library-352240.shtml
http://malware-log.hatenablog.com/entry/2013/05/10/000000_2

【Documents】

■Malware / groups

◆Winnti (Kaspersky, 2013/04)
https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf
http://malware-log.hatenablog.com/entry/2013/04/01/000000_1

◆WINNTI ANALYSIS (NOVETTA)
http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf

◆Winnti Backdoor Created with Aheadlib to Mimic Legitimate System Library (Softpedia, 2013/05/10)
https://news.softpedia.com/news/Winnti-Backdoor-Created-with-Aheadlib-to-Mimic-Legitimate-System-Library-352240.shtml

◆Internet Infrastructure Review (IIR) Vol.23 (IIJ, 2014/05/28)
http://www.iij.ad.jp/company/development/report/iir/023/01_04.html


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2019