Security researchers have, for the first time, discovered and analyzed a Linux variant of Winnti, one of the preferred hacking tools used by Beijing-backed hackers in recent years.

Discovered by security researchers from Chronicle, Alphabet’s cyber-security division, the Linux version of the Winnti malware works as a backdoor on infected hosts, giving attackers access to compromised systems.

Chronicle says it discovered this Linux variant after news broke last month that Chinese hackers had hit Bayer, one of the world’s largest pharmaceutical companies, and that the Winnti malware had been found on its systems.

While subsequently searching for Winnti malware samples on its VirusTotal platform, Chronicle said it spotted what appeared to be a Linux variant of Winnti, dating back to 2015, when it was used in the hack of a Vietnamese gaming company.

Chronicle says the malware it discovered was made up of two parts: a rootkit component to hide the malware on infected hosts, and the actual backdoor trojan.

Further analysis found code similarities between the Linux version and the Winnti 2.0 Windows version, as described in earlier reports by Kaspersky Lab and Novetta.

Finally, the Linux version also shared another feature with the Windows version: the ability for the operators to initiate connections to infected hosts directly, without going through the C&C servers.

“This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted,” Chronicle researchers said in a report published last week.

The discovery of this Winnti Linux variant also shows that state-sponsored actors won’t shy away from porting their malware to whatever platform they deem necessary.

“Linux specific tooling from Chinese APTs is rare but not unheard of,” Silas Cutler, Reverse Engineering Lead at Chronicle, told ZDNet via email. “Historically, tools such as HKdoor, Htran, and Derusbi all had Linux variants.”

Still, Linux malware remains quite rare among nation-state hacking groups as a whole, especially when compared to Windows tooling.

“The lower prevalence may be because Linux provides ample opportunity for actors to ‘live off the land’ which renders customized tooling unnecessary,” Cutler told us.
