Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
Sigma rule
title: Winnti Malware HK University Campaign
id: 3121461b-5aa0-4a41-b910-66d25524edbb
status: test
description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
references:
    - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
author: Florian Roth (Nextron Systems), Markus Neis
date: 2020-02-01
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574.001
    - attack.g0044
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|contains:
            - 'C:\Windows\Temp'
            - '\hpqhvind.exe'
        Image|startswith: 'C:\ProgramData\DRM'
    selection2:
        ParentImage|startswith: 'C:\ProgramData\DRM'
        Image|endswith: '\wmplayer.exe'
    selection3:
        ParentImage|endswith: '\Test.exe'
        Image|endswith: '\wmplayer.exe'
    selection4:
        Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
    selection5:
        ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
        Image|endswith: '\SearchFilterHost.exe'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical
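To show how the five selections combine (`1 of selection*`: fields inside one selection are AND-ed, the values listed under one field are OR-ed, and Sigma compares strings case-insensitively), here is an added Python evaluator run over constructed process_creation events. It is not part of the Sigma project or its backends; the event paths are placeholders invented for the example.

```python
# Added example, not part of the Sigma project: a minimal evaluator for the
# rule's five selections (condition: 1 of selection*). Fields inside one
# selection are AND-ed, the list of values under one field is OR-ed, and
# Sigma string comparison is case-insensitive.
SELECTIONS = {
    "selection1": {("ParentImage", "contains"): ["C:\\Windows\\Temp", "\\hpqhvind.exe"],
                   ("Image", "startswith"): ["C:\\ProgramData\\DRM"]},
    "selection2": {("ParentImage", "startswith"): ["C:\\ProgramData\\DRM"],
                   ("Image", "endswith"): ["\\wmplayer.exe"]},
    "selection3": {("ParentImage", "endswith"): ["\\Test.exe"],
                   ("Image", "endswith"): ["\\wmplayer.exe"]},
    "selection4": {("Image", "equals"): ["C:\\ProgramData\\DRM\\CLR\\CLR.exe"]},
    "selection5": {("ParentImage", "startswith"): ["C:\\ProgramData\\DRM\\Windows"],
                   ("Image", "endswith"): ["\\SearchFilterHost.exe"]},
}

def _field_matches(value, modifier, patterns):
    """One field matches if any listed pattern matches under the given modifier."""
    v = value.lower()
    for p in (x.lower() for x in patterns):
        if modifier == "contains" and p in v:
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "equals" and v == p:
            return True
    return False

def matching_selections(event):
    """Names of the selections an event satisfies; a missing field never matches."""
    return [name for name, fields in SELECTIONS.items()
            if all(_field_matches(event.get(f, ""), m, pats) for (f, m), pats in fields.items())]

# Constructed sample events (placeholder paths, not real telemetry).
EVENTS = [
    {"ParentImage": "C:\\Windows\\Temp\\setup.exe", "Image": "C:\\ProgramData\\DRM\\loader.exe"},
    {"ParentImage": "C:\\ProgramData\\DRM\\Windows\\host.exe",
     "Image": "C:\\Windows\\System32\\SearchFilterHost.exe"},
    {"ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "c:\\programdata\\drm\\clr\\clr.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Windows Media Player\\wmplayer.exe"},  # benign: nothing matches
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["Image"], "->", matching_selections(e) or "no match")
```

The third event shows why case-insensitive comparison matters for the exact-match `Image` field in selection4, and the last event shows that the legitimate Windows Media Player binary alone does not trigger the rule without the suspicious parent.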
Related rules
- Winnti Pipemon Characteristics
- APT27 - Emissary Panda Activity
- DLL Names Used By SVR For GraphicalProton Backdoor
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity