# Games are over: Winnti is now targeting pharmaceutical companies **securelist.com/games-are-over/70991/** [APT reports](https://securelist.com/category/apt-reports/) [APT reports](https://securelist.com/category/apt-reports/) 22 Jun 2015 minute read ----- Authors [Dmitry Tarakanov](https://securelist.com/author/dmitryt/) [For a long time the Winnti group had been considered as a Chinese threat actor targeting](https://securelist.com/winnti-more-than-just-a-game/37029/) gaming companies specifically. Recently, we’ve seen information indicating that the scope of targets can be wider and is no longer limited to the entertainment business. We actually track samples of Winnti malware all the time, but so far we haven’t been able to catch one with solid clues indicating other targeted industries. Also our visibility as a vendor does not cover every company in the world (at least so far ;)) and the Kaspersky Security Network (KSN) did not reveal other attacks except those against gaming companies. Well, sometimes targeted entities have included telecommunication companies, or better, large holdings, but it seems that at least one of their businesses was in some way related to the production or distribution of computer games. In April [Novetta released its excellent report on the Winnti malware spotted in the operations](http://www.novetta.com/2015/04/operation-smn-winnti-update/) of [Axiom group. The Axiom group has been presented as an advanced Chinese threat actor](http://www.isightpartners.com/2014/10/operation-smn-axiom-group/) carrying out cyber-espionage attacks against a whole range of different industries. For us, the Novetta report was another source of intelligence that Winnti was already expanding beyond online games. One of the recent Winnti samples we found appears to confirm this as well. The new sample belongs to one of the Winnti versions described in Novetta’s report – Winnti 3.0. This is one of the Dynamic Link Libraries composing this RAT (Remote Access Trojan) platform – the worker library (which in essence is the RAT DLL) with the internal name _w64.dll and the exported functions work_end and work_start. Since, as usual, this_ component is stored on the disk with the strings and much of other data in the PE header removed/zeroed, it is impossible to restore the compilation date of this DLL. But this library ----- includes two drivers compiled on August 22 and September 4, 2014. The sample has an encrypted configuration block placed in overlay. This block may include a tag for the sample – usually it is a campaign ID or victim ID/name. This time the operators put such tag in the configuration and it turned out to be the name of the well-known global pharmaceutical **company headquartered in Europe:** **_Pic.1 Configuration block_** Besides the sample tag, the configuration block includes the names of other files involved in the working of the RAT platform and the service name (Adobe Service), after which malware is installed. The presence of the following files could indicate that the system has been compromised: _C:\Windows\TEMP\tmpCCD.tmp_ _ServiceAdobe.dll_ _ksadobe.dat_ One of the mentioned drivers (a known, malicious Winnti network rootkit) was signed with a **stolen certificate of a division of a huge Japanese conglomerate. Although this division** is involved in microelectronics manufacturing, other business directions of the conglomerate include development and production of drugs as well as medical equipment. Although the nature of the involvement of Winnti operators, who were earlier perceived to be a threat only to the online gaming industry, in the activities of other cyber-espionage teams still remains rather obscure, the evidence is there. From now on, when you see Winnti mentioned, don’t think just about gaming companies; consider also at least targeted telecoms and big pharma companies. Here are the samples in question: **_8e61219b18d36748ce956099277cc29b – Backdoor.Win64.Winnti.gy_** **_5979cf5018c03be2524b87b7dda64a1a – Backdoor.Win64.Winnti.gf_** **_ac9b247691b1036a1cdb4aaf37bea97f – Rootkit.Win64.Winnti.ai_** [APT](https://securelist.com/tag/apt/) [Cyber espionage](https://securelist.com/tag/cyber-espionage/) [Digital Certificates](https://securelist.com/tag/digital-certificates/) [Malware](https://securelist.com/tag/malware/) ----- [Winnti](https://securelist.com/tag/winnti/) Authors [Dmitry Tarakanov](https://securelist.com/author/dmitryt/) Games are over: Winnti is now targeting pharmaceutical companies Your email address will not be published. Required fields are marked * GReAT webinars 13 May 2021, 1:00pm ## GReAT Ideas. Balalaika Edition 26 Feb 2021, 12:00pm 17 Jun 2020, 1:00pm 26 Aug 2020, 2:00pm 22 Jul 2020, 2:00pm From the same authors ## PlugX malware: A good hacker is an apologetic hacker ----- ## I am HDRoot! Part 2 I am HDRoot! Part 1 ----- ## The Inevitable Move – 64-bit ZeuS Enhanced With Tor The rush for CVE-2013-3906 – a Hot Commodity Subscribe to our weekly e-mails The hottest research right in your inbox ----- Reports ## APT trends report Q1 2022 This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022. ## Lazarus Trojanized DeFi app for delivering malware We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor. ## MoonBounce: the dark side of UEFI firmware ----- At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41. ## The BlueNoroff cryptocurrency hunt is still on It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income. Subscribe to our weekly e-mails The hottest research right in your inbox ----- -----