Security researchers discover Linux version of Winnti malware

February 19, 2020

Winnti malware summary

A Linux version of Winnti has been discovered in the wild during the investigation of a recent cyber attack against a pharmaceutical giant. Its Windows predecessor has been used by Chinese cybercriminals for the past decade to launch attacks on systems worldwide. Security experts believe that several Advanced Persistent Threat (APT) groups operate under the Winnti umbrella, including Winnti, Wicked Panda, ShadowPad, DeputyDog, APT17, PassCV and others.



Analysis shows that the Linux variant contained a backdoor Trojan (libxselinux) and a library which is used to camouflage the malware from detection. The Linux variant handled outbound communications with its command-and-control (C&C) server using a mixture of multiple protocols (ICMP, HTTP, and custom TCP and UDP protocols). Finally, the Linux version also possessed another feature that was distinctive to the Windows version: the ability for Chinese hackers to initiate connections to infected hosts without going through the C&C servers.



Sadly, no anti-malware or malware removal tool is able to protect you unless you employ the security best practices listed below:

  • Use a firewall to drop all incoming connections from the Internet to services that should not be publicly available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Disable USB connections and other storage media; only allow them once they have been scanned and are free of infection.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device’s visibility is set to “Hidden” so that it cannot be scanned by other Bluetooth devices.
  • Most importantly, train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses.
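
One way to check the firewall and unnecessary-services items above on a Linux host is to list every socket that accepts traffic from outside the machine and compare it with what is supposed to be reachable. The following is an added example, not code from the original article: the `ss -H -tuln` sample output and the allowlist are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not taken from a real host).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      511             [::]:80            [::]:*
tcp   LISTEN 0      5                  *:8081             *:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
"""

# Hypothetical allowlist: (protocol, port) pairs that are meant to be reachable.
ALLOWED = {("tcp", 22), ("tcp", 80)}


def is_loopback(addr: str) -> bool:
    """True if the bind address is loopback only; '*' means all interfaces."""
    addr = addr.split("%", 1)[0].strip("[]")    # drop %iface scope and brackets
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False    # unparsable address: report it rather than hide it


def unexpected_listeners(ss_output: str, allowed=ALLOWED):
    """Return sorted (proto, port, bind_addr) for exposed sockets not allowlisted."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                             # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue                             # header line or unparsable port
        if is_loopback(addr) or (proto, int(port)) in allowed:
            continue
        findings.add((proto, int(port), addr))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, addr in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"review: {proto}/{port} bound to {addr}")
```

Each reported socket should either be added to the allowlist deliberately, bound to loopback, or have its service removed and its port dropped at the firewall.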

