HELO, is that you? New challenges tracking Winnti activity

Thursday 3 October 11:30 - 12:00, Green room

Stefano Ortolani (Lastline)
Jason Zhang (Lastline)

Since its first attack was discovered nearly a decade ago, Winnti has evolved into an advanced and sophisticated toolkit leveraged by several different actors such as PassCV, APT17, Axiom, LEAD and BARIUM, to name just a few. All these actors have been sharing core tactics, techniques and procedures (TTPs), leading to highly persistent implants targeting organizations ranging from the online gaming industry to high-tech companies around the globe. It comes as no surprise that security vendors and researchers are still scrutinizing and tracking this specific threat.

Although no new campaign has been discovered since the one targeting German pharmaceutical companies in April 2019, since July 2019 we have seen a dramatic increase in network activity related to Winnti. It turns out that this telemetered traffic was due to external Winnti check-ins, or 'Winnti HELO' packets, sent by non-malicious parties hoping to find hosts infected with the Winnti implant. This was made possible by ThyssenKrupp CERT, which recently released a set of open-source tools on GitHub that detect and mimic Winnti HELO messages. The underlying logic is straightforward: a 16-byte message is sent to a candidate host (any destination port will do) and the reply is checked to determine whether the implant is installed. This has allowed security companies and professionals to develop and deploy mass-scan agents that scout the Internet for infected hosts.

The idea of using mimicked 'Winnti HELO' messages does indeed ease the challenge of finding infected hosts, but it also introduces a new problem: noise. Since all publicly available signatures (like the Suricata IDS rule released in the aforementioned GitHub repository) flag a possible Winnti attack whenever they detect a 'Winnti HELO' message, each external scan now automatically translates into a new alert. Because of the dramatic increase in investigation-oriented traffic, the actual signal from real attacks is buried in the noise of scan traffic. This extremely low signal-to-noise ratio poses huge challenges for both investigators and clients. In particular:

  • Although it helps to reveal how many implants are present in a network, it impairs our ability to monitor the threat actors' own activity.
  • It also significantly slows down the triage of a network event in a SOC, unless more complex and expensive solutions are employed to deep-inspect the Winnti protocol.

To investigate the magnitude of this phenomenon and attempt to mitigate these challenges, we ran a large-scale analysis of all Winnti HELO traffic collected between June and August 2019 as detected by the publicly available IDS rule. We then inspected each PCAP and assessed whether the traffic was co-generated by the Winnti implant, or was just a by-product of legitimate services replying to (Winnti HELO) messages they simply could not parse. While full traffic decryption is not possible, as the key is always chosen by the originator of the scan (malicious or not), we devised a simple triage process that can considerably improve the processing of an alert, whether the check-in is successful or not, even in cases where the responding traffic is also encrypted. We also identified and documented the biggest 'benign offenders' among Winnti HELO scanners, providing further aid to any triage process.
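As an added example (this is not code from the talk, from Lastline, or from the TKCERT tools), the triage pass sketched above can be expressed as a small classifier over IDS hits. It separates the two questions an alert raises: who sent the probe (a documented benign scanner or an unknown source) and what the probed host did with it (no answer, a plain-text service banner it could not parse, or an opaque reply that cannot be decrypted because the key was chosen by the scanner). The scanner allow-list, the banner prefixes, the printable-ratio threshold, the placeholder probe bytes and the sample alerts are all assumptions constructed here to illustrate the process, not real telemetry or the real HELO payload:

```python
# Added example (not the Lastline tool or the TKCERT code): a minimal triage
# pass over IDS alerts for 16-byte 'Winnti HELO' probes. The heuristics and
# the scanner allow-list are assumptions chosen to illustrate the process;
# the sample alerts are constructed, not real telemetry.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

HELO_LEN = 16  # the probe is a 16-byte message (per the abstract)

# Assumption: address ranges of scanners documented as benign 'offenders'.
# These are RFC 5737 documentation prefixes used as placeholders.
KNOWN_BENIGN_SCANNERS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Assumption: prefixes of plain-text service greetings/errors. A host that
# answers the probe with one of these simply could not parse the 16 bytes.
PLAINTEXT_BANNER_PREFIXES = (b"HTTP/", b"SSH-", b"220 ", b"+OK", b"* OK", b"RTSP/")


@dataclass
class HeloAlert:
    """One IDS hit: who probed whom, on which port, and what the target sent back."""
    src: str
    dst: str
    dport: int
    probe: bytes
    reply: Optional[bytes]  # None when no payload came back (RST, ICMP, timeout)


def source_kind(src: str) -> str:
    """Classify the originator: documented benign scanner or not."""
    addr = ip_address(src)
    known = any(addr in net for net in KNOWN_BENIGN_SCANNERS)
    return "known-scanner" if known else "unknown-source"


def looks_plaintext(data: bytes) -> bool:
    """True if the reply reads like a text-protocol banner (assumed threshold: >90% printable)."""
    if data.startswith(PLAINTEXT_BANNER_PREFIXES):
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.9


def target_kind(alert: HeloAlert) -> str:
    """Classify what the probed host did with the probe."""
    if len(alert.probe) != HELO_LEN:
        return "not-a-helo"       # signature misfire: the probe has the wrong length
    if not alert.reply:
        return "unanswered"       # nothing to inspect; the host did not engage
    if looks_plaintext(alert.reply):
        return "service-banner"   # a legitimate service answered with an error/greeting
    return "opaque-reply"         # binary reply we cannot decrypt (key chosen by the scanner)


def triage(alert: HeloAlert) -> Tuple[str, str, str]:
    """Return (target verdict, source verdict, action).

    Escalation is driven by the target's behaviour, not the source's reputation:
    a benign scanner's probe can still reveal an infected host on our side.
    """
    tgt, src = target_kind(alert), source_kind(alert.src)
    if tgt == "opaque-reply":
        action = "escalate"                 # needs deep inspection of the Winnti protocol
    elif src == "unknown-source" and tgt != "not-a-helo":
        action = "close-and-track-source"   # possibly a new scanner, or actor reconnaissance
    else:
        action = "close"
    return tgt, src, action


def triage_all(alerts: List[HeloAlert]) -> List[Tuple[str, str, str]]:
    return [triage(a) for a in alerts]


# Constructed sample alerts (not real traffic). PROBE is a placeholder of the
# right length, not the actual HELO payload.
PROBE = bytes(range(16))
SAMPLE_ALERTS: List[HeloAlert] = [
    HeloAlert("192.0.2.10", "10.0.0.5", 80, PROBE, b"HTTP/1.1 400 Bad Request\r\n\r\n"),
    HeloAlert("203.0.113.7", "10.0.0.6", 22, PROBE, b"SSH-2.0-OpenSSH_8.0\r\n"),
    HeloAlert("203.0.113.9", "10.0.0.7", 8443, PROBE, None),
    HeloAlert("203.0.113.9", "10.0.0.8", 443, PROBE, bytes(range(0x80, 0x90))),
    HeloAlert("198.51.100.3", "10.0.0.9", 53, PROBE, bytes(range(0x80, 0x90))),
]

if __name__ == "__main__":
    for a, verdict in zip(SAMPLE_ALERTS, triage_all(SAMPLE_ALERTS)):
        print(f"{a.src:>14} -> {a.dst}:{a.dport:<5} {verdict}")
```

The ordering of the checks is the point: the source allow-list is consulted only after the target's reply has been classified, so an opaque reply to a documented benign scanner is still escalated (the scanner may have just found an implant), while a banner or silence from an unknown source is closed but the source is recorded, which preserves the ability to notice a new scanner or genuine actor reconnaissance.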

To summarize, in this talk we start with a brief overview of the implant's life cycle within the Winnti toolkit. Then we present the last 90 days' worth of internal telemetry data showing the dramatic increase in Winnti traffic from various sources, including some well-known scanners, many unknown IP addresses and assorted cloud-hosted virtual machines, and demonstrate why this is a challenging problem for both researchers and customers. Finally, we provide a deep dive on the issue, share our findings and propose an effective triage process that could benefit the whole security community.


Stefano Ortolani

Stefano Ortolani is Director of Threat Research at Lastline, where he joined in 2015 as a security researcher. He spends his time researching bespoke approaches to investigate and classify cyber tradecraft, and making sure none are left uncharted. Contributor to product development, he is also a regular speaker at technical conferences. Prior to that he was part of the Global Research and Analysis Team at Kaspersky Lab, in charge of fostering operations with CERTs, governments, universities, and law enforcement agencies, as well as conducting research of the global threat landscape. He received his Ph.D. in computer science from VU University Amsterdam.



Jason Zhang

Jason Zhang recently joined Lastline as a senior threat researcher. As a highly motivated cyber threat researcher and a proven product and technology pioneer, Jason has a wealth of experience in technology and product R&D. He has been a speaker at many events including Black Hat, InfoSec, Hacktivity and IEEE workshops. It's no surprise that Jason's work has been reported by leading IT/cybersecurity news websites including The Register, eWeek, IDG, Focus, ZDNet, SC Magazine and PC Magazine. Prior to joining Lastline, Jason worked at MessageLabs (then Symantec) and Sophos in various research roles after earning a Ph.D. in digital signal processing from King's College London & Cardiff University. As an innovator and a passionate advocate of technology and innovation, Jason constantly looks into business improvement from both strategic and operational perspectives, and transforms engineering ideas into solutions and products. Jason initiated an innovative AI/ML project at Sophos, which successfully leverages heuristic rules statistically for malware detection. The proposed approach significantly outperforms major commercial anti-virus scanners and exhibits great commercial value. Part of the work has been published at Black Hat Asia 2019.

Apart from his professional career, Jason cares about charity and disaster/humanitarian relief. In 2008 he set up a donation appeal for the Chinese earthquake at MessageLabs (now part of Symantec) and raised over $6000 for earthquake victims.

   Download slides
