Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
Sigma rule

title: Winnti Malware HK University Campaign
id: 3121461b-5aa0-4a41-b910-66d25524edbb
status: test
description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
references:
  - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
author: Florian Roth (Nextron Systems), Markus Neis
date: 2020-02-01
modified: 2021-11-27
tags:
  - attack.privilege-escalation
  - attack.persistence
  - attack.execution
  - attack.stealth
  - attack.t1574.001
  - attack.g0044
  - detection.emerging-threats
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|contains:
      - 'C:\Windows\Temp'
      - '\hpqhvind.exe'
    Image|startswith: 'C:\ProgramData\DRM'
  selection2:
    ParentImage|startswith: 'C:\ProgramData\DRM'
    Image|endswith: '\wmplayer.exe'
  selection3:
    ParentImage|endswith: '\Test.exe'
    Image|endswith: '\wmplayer.exe'
  selection4:
    Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
  selection5:
    ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
    Image|endswith: '\SearchFilterHost.exe'
  condition: 1 of selection*
falsepositives:
  - Unlikely
level: critical
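As an added example (not part of the rule or the SigmaHQ project), the following Python evaluates the rule's five selections and its `1 of selection*` condition over constructed process_creation events, showing that a list under `ParentImage|contains` is an OR and that each selection requires all of its field tests; the event paths are constructed sample values, not real telemetry.

```python
# Added example, not part of the rule or the SigmaHQ project: evaluates this
# rule's five selections over constructed process_creation events to show how
# the "1 of selection*" condition behaves. Field names follow the rule.
SELECTIONS = {
    "selection1": [
        ("ParentImage", "contains", ["C:\\Windows\\Temp", "\\hpqhvind.exe"]),
        ("Image", "startswith", ["C:\\ProgramData\\DRM"]),
    ],
    "selection2": [
        ("ParentImage", "startswith", ["C:\\ProgramData\\DRM"]),
        ("Image", "endswith", ["\\wmplayer.exe"]),
    ],
    "selection3": [
        ("ParentImage", "endswith", ["\\Test.exe"]),
        ("Image", "endswith", ["\\wmplayer.exe"]),
    ],
    "selection4": [("Image", "equals", ["C:\\ProgramData\\DRM\\CLR\\CLR.exe"])],
    "selection5": [
        ("ParentImage", "startswith", ["C:\\ProgramData\\DRM\\Windows"]),
        ("Image", "endswith", ["\\SearchFilterHost.exe"]),
    ],
}

_OPS = {
    "contains": lambda v, p: p in v,
    "startswith": str.startswith,
    "endswith": str.endswith,
    "equals": str.__eq__,
}

def _match(value, modifier, patterns):
    # Sigma string matching is case-insensitive; a list of values means "any of".
    return any(_OPS[modifier](value.lower(), p.lower()) for p in patterns)

def matching_selections(event):
    """Names of the selections an event satisfies (all field tests must hold)."""
    return [name for name, tests in SELECTIONS.items()
            if all(_match(event.get(f, ""), m, p) for f, m, p in tests)]

def rule_fires(event):
    return bool(matching_selections(event))  # condition: 1 of selection*

# Constructed sample events (not real telemetry); the third is a benign launch.
EVENTS = [
    {"ParentImage": "C:\\Windows\\Temp\\hpqhvind.exe", "Image": "C:\\ProgramData\\DRM\\a.exe"},
    {"ParentImage": "C:\\ProgramData\\DRM\\Windows\\b.exe",
     "Image": "C:\\Windows\\System32\\SearchFilterHost.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Windows Media Player\\wmplayer.exe"},
]
```

Running `matching_selections` over `EVENTS` returns `['selection1']`, `['selection5']` and `[]` respectively, so only the first two events would trigger the rule.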
Related rules
- Winnti Pipemon Characteristics
- APT27 - Emissary Panda Activity
- DLL Names Used By SVR For GraphicalProton Backdoor
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity