Linux version of Winnti malware found

News
By
published

Linux variant of Winnti dates back to 2015

Image credit: Pixabay

Security researchers from Alphabet's cybersecurity firm Chronicle have discovered a Linux version of the Winnti malware while investigating a recent cyberattack carried out against the pharmaceutical giant Bayer.

According to the researchers, the code contained within the Linux variant resembles the Winnti 2.0 Windows version which has been used by Chinese cybercriminals for the past decade to launch attacks on systems worldwide.

It is believed by security experts that several Advanced Persistent Threat (APT) groups operate under the Winnti umbrella including Winnti, Wicked Panda, ShadowPad, DeputDog, APT17, PassCV and others.

All of these groups have used similar strategies and techniques in the past and have even shared parts of the same hacking infrastructure.

Linux variant of Winnti

According to Chronicle, the Linux version of Winnti is designed to work as a backdoor on infected hosts which gives hackers the ability to access the compromised system.

The researchers first discovered the existence of the Linux version while attempting to look for Winnti malware samples on the company's VirusTotal platform.

After analyzing the Linux variant, Chronicle discovered that it dated back to 2015 and contained a backdoor Trojan (libxselinux) and a library (libselinux.so) which is used to hide the malware from detection.

In their blog post, the researchers provided further details on how the Linux version of Winnti functions, saying:

“As with other versions of Winnti, the core component of the malware doesn’t natively provide the operators with distinct functionality. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers. During our analysis, we were unable to recover any active plugins. However, prior reporting suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks5 proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux.”

Via The Inquirer

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
healthcare
Software bug meant NHS information was potentially “vulnerable to hackers”
A hacker wearing a hoodie sitting at a computer, his face hidden.
Experts warn this critical PHP vulnerability could be set to become a global problem
botnet
YouTubers targeted by blackmail campaign to promote malware on their channels
A close-up of a phone screen showing the Telegram, Signal and WhatsApp apps
Agentic AI has “profound” issues with security and privacy, Signal President says
botnet
Another top security camera maker is seeing devices hijacked into botnet
Bluetooth
Top Bluetooth chip security flaw could put a billion devices at risk worldwide
Latest in News
Homepage of Manus, a new Chinese artificial intelligence agent capable of handling complex, real-world tasks, is seen on the screen of an iPhone.
Manus AI may be the new DeepSeek, but initial users report problems
Google Maps
Nightmare Google Maps glitch is deleting timelines, and there isn't a fix yet
Twitter social media application change logo to X. Elon Musk CEO of twitter rebranded Twitter to 'X'. Social media application technology concept.
X is down again – Elon Musk confirms 'massive cyberattack' as former Twitter site hit by fourth outage today
Joe Goldberg and Kate Lockwood sitting at a table and looking at the camera in You season 5.
Netflix releases a killer new trailer for You season 5 but my favorite character is missing from Joe's final chapter
Person using Dyson V8 vacuum
Dyson vacuums have one big problem and I don't understand why
A laptop on a desk with the Windows 11 background on its screen.
Microsoft is adding image editing and compression to its Windows Share feature - and I couldn't be happier
More about security
botnet

YouTubers targeted by blackmail campaign to promote malware on their channels
A hacker wearing a hoodie sitting at a computer, his face hidden.

Experts warn this critical PHP vulnerability could be set to become a global problem
An AMD Radeon RX 9070 XT vs RX 9070 against a red two-tone background

AMD RX 9070 XT vs 9070: Which RDNA 4 GPU should you buy?
See more latest
Most Popular
Person using Dyson V8 vacuum
Dyson vacuums have one big problem and I don't understand why
Glowing server racks inside a data center.
The dirty little secret about AI hardware that you should know about: server vendors have to wrestle with wafer thin margins and bigger customers
Joe Goldberg and Kate Lockwood sitting at a table and looking at the camera in You season 5.
Netflix releases a killer new trailer for You season 5 but my favorite character is missing from Joe's final chapter
Google Maps
Nightmare Google Maps glitch is deleting timelines, and there isn't a fix yet
botnet
YouTubers targeted by blackmail campaign to promote malware on their channels
A laptop on a desk with the Windows 11 background on its screen.
Microsoft is adding image editing and compression to its Windows Share feature - and I couldn't be happier
A screen shot from a promotional video showing the HealthBuds fitness tracking earphones from Synseer
These mysterious wireless earbuds claim to monitor your heart and hearing health simultaneously, but there’s a catch
Homepage of Manus, a new Chinese artificial intelligence agent capable of handling complex, real-world tasks, is seen on the screen of an iPhone.
Manus AI may be the new DeepSeek, but initial users report problems
AdGuard VPN during TechRadar tests
AdGuard becomes the latest VPN to add post-quantum encryption
Twitter social media application change logo to X. Elon Musk CEO of twitter rebranded Twitter to 'X'. Social media application technology concept.
X is down again – Elon Musk confirms 'massive cyberattack' as former Twitter site hit by fourth outage today