2 min

Tags in this article

, , , ,

Chronicle security researchers have discovered a Linux version of Winnti malware for the first time. According to Alphabet’s cyber security division, the Linux version acts as a backdoor for infected hosts, giving attackers access to compromised systems.

The Linux version would be very similar to the Windows version of the Winnti malware according to ZDNet that was discovered in 2015. It is a popular hacking tool that Beijing-hackers have used a lot in the past decade. The Windows version of the malware was previously used in the hack of a Vietnamese game company.


The discovered Linux variant consists of two parts: a rootkit component to hide the malware from infected hosts and the actual backdoor trojan. Chronicle discovered the new variant after it became known last month that Bayer, one of the world’s largest pharmaceutical companies, had been hit by Chinese hackers. Winnti malware was found on the systems.

During the subsequent scans of Winnti malware on the VirusTotal platform, Chronicle found that it was a Linux variant. There appeared to be a code similarity between the Linux version and the Winnti 2.0 Windows version. In addition, the Linux version, like the Windows version, includes a similar way in which outgoing communication is handled with its command-and-control (C&C) server. It is a mixture of multiple protocols, such as ICMP, HTTP and custom TCP and UDP protocols.

Agreements Windows variant

In addition, the Linux version also has a different function that was characteristic of the Windows version. Chinese hackers initiate connections to infected hosts without passing through the C&C servers. This secondary communication channel can be used by operators when access to the hard-coded control servers is disrupted, according to one of the researchers.

Linux malware is quite rare, although so-called nation-state hacker groups, linked to the American and Russian governments, are known for their use of Linux malware. Specific Linux tooling of Chinese advanced persistent threats (APTs) is rare, but not unheard of. In the past, tools such as HKdoor, Htran and Derusbi all had Linux versions, according to Silas Cutler, Reverse Engineering Lead at Chronicle.

Read also: South Korean government chooses Linux over Windows

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.