WINNKIT Rootkit

WINNKIT is the name of one of the components of a complex, multi-stage attack chain run by the Winnti advanced persistent threat actor.

The Winnti group threat actor is also sometimes referred to as APT41. According to security researchers, this is a Chinese-speaking hacker collective, allegedly working with the Chinese intelligence services and specializing in cyber espionage.

The attacks that use WINNKIT are highly complex and chain a number of different tools within the same intrusion, with the ultimate goal of installing the WINNKIT malicious kernel-mode rootkit on the victim system.

The other tools used in the attack include a backdoor called Spyder; STASHLOG and SPARKLOG, two tools used to stash malicious encrypted payloads inside the Windows CLFS (Common Log File System); and finally PRIVATELOG and DEPLOYLOG, tools that unpack each other, with DEPLOYLOG ultimately unpacking the WINNKIT rootkit.

WINNKIT is a driver that acts as a rootkit. The malware has a staggeringly low detection rate and is able to intercept TCP/IP requests, acting as a kernel-mode agent on the infected system.

To make detection even more difficult, WINNKIT is signed with an expired BenQ certificate, which helps the malware get around the Windows Driver Signature Enforcement mechanism.
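As an added defender-side check that is not part of the original article or of any Winnti tooling, the following PowerShell script enumerates the drivers currently running on a Windows host and flags any whose Authenticode signature does not validate, or whose signer certificate has expired without a countersignature timestamp covering the signing time. It assumes an elevated PowerShell 5.1 or later session and uses only built-in cmdlets (Get-CimInstance, Get-AuthenticodeSignature); the function name is an assumption.

```powershell
# Enumerate running kernel drivers and flag those whose code signature is
# invalid, or whose signer certificate has expired and is not timestamped.
# Assumptions (not from the original article): run elevated; PathName may be
# empty or use NT-style prefixes for some drivers, which is normalised below.
function Get-SuspiciousDriverSignature {
    [CmdletBinding()]
    param()

    $now = Get-Date
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $path = $_.PathName
            if ([string]::IsNullOrWhiteSpace($path)) { return }

            # Normalise "\??\C:\..." and "\SystemRoot\..." to a Win32 path.
            $path = $path.Trim('"') -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $cert = $sig.SignerCertificate
            $expired     = ($null -ne $cert) -and ($cert.NotAfter -lt $now)
            $timestamped = $null -ne $sig.TimeStamperCertificate

            # A timestamped signature stays valid after the certificate expires;
            # an expired signer with no timestamp, or a broken chain, is worth triage.
            if ($sig.Status -ne 'Valid' -or ($expired -and -not $timestamped)) {
                [pscustomobject]@{
                    Name        = $_.Name
                    Path        = $path
                    Status      = $sig.Status
                    Signer      = if ($cert) { $cert.Subject } else { '<unsigned>' }
                    NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
                    Timestamped = $timestamped
                }
            }
        }
}

Get-SuspiciousDriverSignature | Sort-Object Name | Format-Table -AutoSize
```

Hits should be triaged against the vendor and file hash rather than treated as confirmed rootkits, since some legitimate third-party drivers are also poorly signed.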

WINNKIT has a number of plugins that are injected into the legitimate Windows svchost process and are used to further advance the malware's evasion capabilities. Different modules have different purposes, ranging from the ability to kill processes on the victim machine to giving Winnti remote desktop access to the compromised system.

May 5, 2022