APT (Targeted attacks)

Continuing our investigation into Winnti, in this post we describe how the group tried to re-infect a certain gaming company and what malware they used. In the course of our efforts to remove the infection, the gaming company sent us suspicious files that were appearing on their computers. Many of these files were samples of Winnti malware.

A new-ish Flash exploit is on the loose for attack around the web. This time, the attackers have compromised a caregiver site providing support for Tibetan refugee children and are spreading malware signed with Winnti stolen certificates with Flash exploits.

Kaspersky Lab’s experts published a research report that analyzes a sustained cyberespionage campaign conducted by the cybercriminal organization known as Winnti.

During our research on the Winnti group we have managed to discovered quite a considerable amount of Winnti samples targeting different gaming companies. With the help ofUsing thisat sophisticatedcomplicated malicious program cybercriminals gained remote access to infected workstations and then carried out further they activityed manually.

In the course of our research we uncovered the activity of a hacking group which has Chinese origins. This group was named “Winnti”. According to our estimations, this group has been active for several years and specializes in cyberattacks against the online video game industry.

The favorite tool of the attackers has been malicious program we called “Winnti”. It has evolved since the first use, but we divide all variants into two generations: 1.x and 2.x. Our publication describes 1.0 variant of this tool.

Earlier today, the Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NFB), published details on a high profile targeted attack against Hungary. The details about the exact targets are not known and the incident remains classified.

Considering the high level classification of the attack, Kaspersky Lab’s Global Research & Analysis Team performed a detailed technical analysis of the campaign and related malware samples.

You can read our short FAQ below and you can download our technical analysis paper linked at the end of the blogpost.

Earlier today, reports of a number of cyberattacks against various South Korean targets hit the news.

We’ve come by other attacks which piggyback on the same high level exploit code, only this time the targets are different: Uyghur activists. Together with our partner at AlienVault Labs, we analyzed these new exploits.

Together with our partner CrySyS Lab, we’ve discovered two new, previously-unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim’s PC. While inspecting one of the C&C servers of Miniduke, we have found files that were not related to the C&C code, but seemed to be

New Adobe PDFs exploiting CVE-2013-0640 drop sophisticated malware known as “MiniDuke”.

In partnership with researchers at AlienVault Labs, we ve analysed a series of targeted attacks against Uyghur Mac OS X users which took place during the past months.

A detailed list of industry standard “Indicators of compromise” for Red October.

Based on the analysis of known cases, we identified two main ways through which Backdoor.Win32.Sputnik infects the victims

Most of the tasks are provided as one-time PE DLL libraries that are received from the server, executed in memory and then immediately discarded