Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
Sigma rule (View on GitHub)
1title: Winnti Malware HK University Campaign
2id: 3121461b-5aa0-4a41-b910-66d25524edbb
3status: test
4description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
5references:
6 - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
7author: Florian Roth (Nextron Systems), Markus Neis
8date: 2020/02/01
9modified: 2021/11/27
10tags:
11 - attack.defense_evasion
12 - attack.t1574.002
13 - attack.g0044
14 - detection.emerging_threats
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection1:
20 ParentImage|contains:
21 - 'C:\Windows\Temp'
22 - '\hpqhvind.exe'
23 Image|startswith: 'C:\ProgramData\DRM'
24 selection2:
25 ParentImage|startswith: 'C:\ProgramData\DRM'
26 Image|endswith: '\wmplayer.exe'
27 selection3:
28 ParentImage|endswith: '\Test.exe'
29 Image|endswith: '\wmplayer.exe'
30 selection4:
31 Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
32 selection5:
33 ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
34 Image|endswith: '\SearchFilterHost.exe'
35 condition: 1 of selection*
36falsepositives:
37 - Unlikely
38level: critical
References
-
ESET researchers have discovered a new campaign of the Winnti Group that deploys ShadowPad and Winnti malware to target universities in Hong Kong.
Read More
Related rules
- Winnti Pipemon Characteristics
- APT27 - Emissary Panda Activity
- Potential PlugX Activity
- APT PRIVATELOG Image Load Pattern
- COLDSTEEL Persistence Service Creation