Tech,Space,Gaming, and Science Fiction News to wet your whistle
Researchers Analyze the Linux Variant of Winnti Malware
Chronicle, the cybersecurity arm of Google's parent Alphabet, has identified and analyzed samples of the Winnti malware that have been designed specifically for the Linux platform.
Believed to be operating out of China, the Winnti group was initially discovered in 2012, but is believed to have been operating since at least 2009, targeting software companies, particularly those in the gaming sector, for industrial cyber-espionage purposes.
Recent reports suggested that various Chinese actors might be sharing tools, and the Winnti malware family too might have been used by multiple groups. The threat has been used in numerous attacks, with the most recent ones observed in April 2019.
The Linux version of Winnti, Chronicle's security researchers reveal, is comprised of the main backdoor (libxselinux) and a library (libxselinux.so) designed to hide the malicious activity on the infected system.
The same as other variants of the malware, the Linux iteration was designed to handle communication with the command and control (C&C) server, as well as the deployment of modules. Plugins commonly deployed support remote command execution, file exfiltration, and socks5 proxying on the host.
The libxselinux.so library, which is a copy of the open-source userland rootkit Azazel, but with some changes, registers symbols for multiple commonly used functions and modifies their returns to hide the malware's operations.
The Winnti-modified version of the rootkit keeps a list of process identifiers and network connections associated with the malware's activity.
When executed, the Winnti Linux variant's main backdoor decodes an embedded configuration that is similar in structure to the variant used in the Winnti 2.0 version of the Windows malware (detailed more than five years ago).
The analyzed sample's configuration included three command-and-control server addresses and two additional strings that Chronicle's security researchers believe to be campaign designators.
The identified Winnti Linux samples fall under three distinct campaign designators, but ranged from target names, geographic areas, industry, and profanity.
The malware uses multiple protocols for outbound communications, including ICMP, HTTP, and custom TCP and UDP protocols, a feature already documented in previous reports.
A function that hasn't received enough attention, however, allows the operators to initiate a connection directly to an infected host, without requiring a connection to a control server. This ensures that communication is still possible even when access to the hard-coded control servers is disrupted.
"Additionally, the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts. This passive implant approach to network persistence has been previously observed with threat actors like Project Sauron and the Lamberts," the researchers explain.
Winnti-related activity, Chronicle notes, has been intensively analyzed by the security community, which attributed it to different codenamed threat actors that have already demonstrated their expertise in compromising Windows-based environments.
"An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemitry blindspot in many enterprises, as is with Penquin Turla and APT28's Linux XAgent variant," Chronicle concludes.
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Lenovo is announcing a pair of new laptops today, the Yoga 730 and Flex 14, both of which are seeing a number of small design tweaks and receiving Intel’s 8th gen processors. While there aren’t any major changes this year, the 730 is getting one notable improvement to help it stand out: it has built-in far-field mics so that it can support Alexa. The Yoga 730 is really similar to last year’s Yoga 720 : like all Yoga laptops, it has a touchscreen and can flip around into tablet mode; it starts with a price around $900 but can go much higher if you spec it out; and while it’s a well-made laptop with an aluminum body, it isn’t quite as slim or light as what Lenovo offers in its Yoga 900 series laptops. This year, the 730 has received a few... Continue reading… via The Verge - Tech Posts "http://ift.tt/2BQTs1c"