Winnti Hackers Use GitHub to Control Botnet

Trend Micro security researchers continue to monitor a malware campaign run by Winnti, a Chinese hacking group. The malware is constantly changing to target new systems and uses some advanced techniques, such as abusing GitHub, a popular repository service for hosting source code.

The attackers use GitHub to drive the command and control (C&C) communications of their newly coded backdoor. The Winnti group still uses the PlugX RAT, which is very popular among Chinese hackers. The botnet communicates through an HTML page hosted on GitHub. The file contains encrypted IP addresses and port numbers of the C&C server; this information is encrypted with an algorithm that PlugX also uses.

Image: Winnti GitHub HTML page (source: Trend Micro)

The group registered with GitHub in May 2016 and started operating through the service in August 2016. Most corporate security systems and antivirus products include DNS analytics backed by a database of known-good and known-bad domains: if an endpoint queries a malicious or suspicious domain, the request is blocked and the sysadmin runs security checks on the affected host, since the query indicates an infection.

Using GitHub does not raise an alert in such a situation, because it is a legitimate website used by many developers for hosting code, and connecting to HTML pages there is a normal action. This ultimately allows the attacker to maintain a presence on the network, with the infected system constantly receiving updates from the C&C servers.
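Since domain reputation alone will not flag traffic to GitHub, one defender-side check is to look for the behaviour instead: a host fetching the same GitHub-hosted page at near-constant intervals. The script below is an added example, not code from the article or from Trend Micro; the proxy log format, the sample lines, the watched hostnames and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Hosts GitHub serves pages from; watching only these two is an assumption of this example.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
# Constructed proxy log format (an assumption): ISO timestamp, client IP, quoted user agent, URL.
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')

def parse_log(text):
    """Yield (timestamp, client, user_agent, url) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, ua, url = m.groups()
            yield datetime.fromisoformat(ts), client, ua, url

def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return (client, url, hits, mean_gap_seconds) for GitHub URLs fetched at near-constant intervals."""
    seen = defaultdict(list)
    for ts, client, _ua, url in parse_log(text):
        if urlparse(url).hostname in GITHUB_HOSTS:
            seen[(client, url)].append(ts)
    flagged = []
    for (client, url), stamps in seen.items():
        if len(stamps) < min_hits:          # too few fetches to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low coefficient of variation of the gaps = machine-like polling, not a person browsing.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append((client, url, len(stamps), round(avg)))
    return flagged

# Constructed sample: 10.0.0.5 is a developer browsing a repo, 10.0.0.7 polls one raw page every ~10 min.
SAMPLE_LOG = """\
2016-08-01T09:00:00 10.0.0.5 "Mozilla/5.0 Firefox/48.0" https://github.com/example-dev/example-tool
2016-08-01T09:00:31 10.0.0.5 "Mozilla/5.0 Firefox/48.0" https://github.com/example-dev/example-tool
2016-08-01T09:15:31 10.0.0.5 "Mozilla/5.0 Firefox/48.0" https://github.com/example-dev/example-tool
2016-08-01T09:16:16 10.0.0.5 "Mozilla/5.0 Firefox/48.0" https://github.com/example-dev/example-tool
2016-08-01T10:06:16 10.0.0.5 "Mozilla/5.0 Firefox/48.0" https://github.com/example-dev/example-tool
2016-08-01T09:00:00 10.0.0.7 "Mozilla/4.0 (compatible; MSIE 7.0)" https://raw.githubusercontent.com/example-user/example-repo/master/index.html
2016-08-01T09:09:58 10.0.0.7 "Mozilla/4.0 (compatible; MSIE 7.0)" https://raw.githubusercontent.com/example-user/example-repo/master/index.html
2016-08-01T09:20:00 10.0.0.7 "Mozilla/4.0 (compatible; MSIE 7.0)" https://raw.githubusercontent.com/example-user/example-repo/master/index.html
2016-08-01T09:30:01 10.0.0.7 "Mozilla/4.0 (compatible; MSIE 7.0)" https://raw.githubusercontent.com/example-user/example-repo/master/index.html
2016-08-01T09:39:59 10.0.0.7 "Mozilla/4.0 (compatible; MSIE 7.0)" https://raw.githubusercontent.com/example-user/example-repo/master/index.html
2016-08-01T09:50:01 10.0.0.7 "Mozilla/4.0 (compatible; MSIE 7.0)" https://raw.githubusercontent.com/example-user/example-repo/master/index.html
"""
```

Running `find_beacons(SAMPLE_LOG)` flags only 10.0.0.7, whose five gaps of 598 to 602 seconds give a coefficient of variation near zero, while the developer's irregular visits are left alone.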
