Researchers Discover a Linux Version of the Winnti Malware – A Favorite Hacking Tool of Beijing-Linked Hackers


Security researchers have for the first time identified and analyzed a Linux version of Winnti, one of the tools most frequently used by Beijing-linked hackers over the last decade.

The Linux version, a backdoor for infected hosts, was discovered by security researchers at Chronicle, Alphabet's cyber-security division.

Chronicle says the Linux variant was discovered following last month's news that Chinese hackers had hit Bayer, one of the world's largest companies, which found Winnti malware on its systems.

Chronicle said that, while screening for Winnti malware on its VirusTotal platform, it found what appeared to be a Linux version of Winnti: a sample dating from 2015 and associated with a Vietnamese gaming company.

The malware they discovered was made up of two parts, Chronicle says: a rootkit that hides the malware on infected hosts, and the actual backdoor Trojan.

Further analysis revealed that the code of the Linux version is similar to that of Winnti 2.0 for Windows, as described in the Kaspersky Lab and Novetta reports.

Another link to the Windows version was the way the Linux variant handled outbound command-and-control (C&C) communications: a mix of multiple protocols (ICMP, HTTP, and custom TCP and UDP protocols).

The Linux version also included a feature distinctive of the Windows version: it lets the operators connect to infected hosts directly, without going through a C&C server.

The Chronicle researchers said in a report published last week: “The operators can use this secondary communication channel if access is disrupted to the hard-coded control servers.”

This discovery shows that state-sponsored actors are not afraid to port their malware to any platform they deem necessary, and the Winnti Linux variant is a further example of this. Linux malware is already known from state-linked hacking groups tied to the US and Russian governments.

“Chinese APT-specific tooling is rare, but not unheard of,” said Silas Cutler, Chronicle Reverse Engineering Lead, via email to ZDNet. “In the past, tools like HKdoor, Htran, and Derusbi all had Linux variants.” Still, Linux malware, especially malware ported from Windows, remains rare among state-backed hacking groups.

“The lower prevalence may be because Linux offers actors plenty of opportunity to ‘live off the land’ and thus makes custom tooling unnecessary,” Cutler told us.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.