
Winnti Gang starts Attacking Pharmaceutical & Telecom Businesses Too, Finds Kaspersky


According to the security company Kaspersky, the cyber-criminal gang known for widely deploying its Winnti malware in cyber-espionage, particularly against industries such as software firms in the gaming business, has lately been seen targeting large pharmaceutical and telecom companies as well.

The security company calls the new malicious software "HDRoot", after the name of the original program, "HDD Rootkit", which is based on a bootkit installer from 2006.

HDRoot drew the attention of security researchers because the bootkit was protected with VMProtect, a commercial application sold to protect software from cracking or reverse engineering. Moreover, HDRoot was signed with a hijacked digital certificate that had been issued to a company in China, the same certificate Winnti had earlier used to sign its tools.

HDRoot was further noticeable because it masqueraded as Microsoft's Net.exe, quite possibly to avoid arousing suspicion among security personnel.

Kaspersky explains that HDRoot appears to be a module that gives attackers repeated, persistent access to the targeted computer while allowing backdoors to be deployed.

Kaspersky identified two techniques by which HDRoot installed backdoors. One installed the backdoors with the help of a hijacked svchost.exe process, which anti-virus programs could detect. The other operated like a memory-resident exploit, which could not be detected as easily.

In addition to taking precautions, HDRoot's operators kept the bootkit hidden when it first established the infection; more specifically, it would not delay or block the operating system from starting. The bootkit disables the Windows Task Scheduler or Update services, which then stop working altogether, according to Kaspersky researchers.
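Two of the behaviours described above, a binary masquerading as Microsoft's Net.exe and the Task Scheduler or Windows Update services being switched off, are things a defender can check for on a host. The following PowerShell triage script is an added example, not code from the article or from Kaspersky. It assumes the standard Windows service names Schedule (Task Scheduler) and wuauserv (Windows Update), and it treats any net.exe outside the Windows system directories, or one whose Authenticode signature is missing, invalid or not issued to Microsoft, as worth a closer look. Because the article notes that HDRoot carried a valid signature from a hijacked certificate, a valid signature alone is deliberately not treated as clearing a file.

```powershell
# Added example (not from the article or Kaspersky): host triage checks for two
# HDRoot behaviours the article describes. Run in an elevated PowerShell session.

function Find-SuspiciousNetExe {
    # Assumption: legitimate copies of net.exe live only under these directories.
    $legitDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")
    $roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }).Root
    foreach ($root in $roots) {
        $files = Get-ChildItem -Path $root -Filter net.exe -Recurse -File -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            $inLegitDir = $false
            foreach ($dir in $legitDirs) {
                if ($file.FullName.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inLegitDir = $true
                }
            }
            # Flag copies outside the Windows directories, with a non-valid signature,
            # or signed by anyone other than Microsoft. A valid signature is not treated
            # as proof of legitimacy, since HDRoot was signed with a hijacked certificate.
            $suspicious = (-not $inLegitDir) -or ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
            [pscustomobject]@{
                Path       = $file.FullName
                SigStatus  = $sig.Status
                Signer     = $signer
                Suspicious = $suspicious
            }
        }
    }
}

function Get-CriticalServiceState {
    # Assumed service names: 'Schedule' = Task Scheduler, 'wuauserv' = Windows Update.
    foreach ($name in 'Schedule', 'wuauserv') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
        # wuauserv is often 'Stopped' when idle (it is trigger-started), so a stopped
        # state alone is not a concern; a missing service or a 'Disabled' start mode is.
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { $svc.Status } else { 'NotFound' }
            StartMode = if ($startMode) { $startMode } else { 'NotFound' }
            Concern   = (-not $svc) -or ($startMode -eq 'Disabled')
        }
    }
}

Find-SuspiciousNetExe | Where-Object { $_.Suspicious } | Format-Table -AutoSize
Get-CriticalServiceState | Format-Table -AutoSize
```

The first function enumerates every net.exe on fixed drives rather than only the expected path, because a file that merely shares the name of a Windows utility is the case the article describes. The second reports start mode as well as status, since a service that has been set to Disabled is the durable change an operator would notice after a reboot, whereas a Stopped state can be benign.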

Even so, HDRoot's level of sophistication is rather low.

According to Dmitry Tarakanov, Senior Security Researcher at Kaspersky, the Winnti gang took the risk because it is experienced enough to know which traits must be concealed and which can be ignored, since enterprises do not always deploy the best protection measures. And where a company has only a small team of system administrators, the chance of a cyber-criminal operation going unnoticed is higher still, Tarakanov adds. Securityaffairs.co reported this on October 7, 2015.

» SPAMfighter News - 10/15/2015

