
HDRoot Bootkit

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 359
First Seen: October 7, 2015
Last Seen: August 24, 2022
OS(es) Affected: Windows

PC security researchers have identified one of the main tools being used by the Winnti group, a hacking group based in China. The HDRoot Bootkit is an attack platform that this group uses in its attacks in Russia, South Korea and the United Kingdom. Since 2013, malware analysts have kept track of the activities of the Winnti group, a dedicated espionage ring that targets the gaming industry specifically to obtain game currency and information. The Winnti group has been actively attacking gaming companies since 2009 and, to date, more than thirty different companies have been hit, including several developers of some of the most popular online games.

Some Information on HDRoot Bootkit Attacks and the Winnti Group

The Winnti group is situated in China and has been responsible for threat attacks all over the world. In the last few months, PC security researchers have uncovered evidence that the Winnti group has started to target companies beyond the gaming industry, focusing specifically on companies in the pharmaceutical and telecommunication industries. The HDRoot Bootkit is one of the main tools used by the Winnti group in their attacks. Identified by PC security analysts in attacks on organizations based in South Korea specifically, the HDRoot Bootkit is a threatening infection that was first developed nearly a decade ago, in 2006. PC security researchers suspect that the creator of HDRoot Bootkit joined Winnti when this group was created in 2009. However, it is also possible that the HDRoot Bootkit was acquired by purchasing it on the black market.

How the HDRoot Bootkit may be Used in Threat Attacks

The HDRoot Bootkit is used to deliver backdoor Trojans onto the victim's computer. It is also used to ensure that the threat persists on the victim's computer once it has been installed. VMProtect (a software protector used to shield code from reverse engineering) was being used to protect the HDRoot Bootkit's code. The HDRoot Bootkit was digitally signed with a compromised digital certificate issued to Guangzhou YuanLuo Technology, a company based in China. This is a known compromised certificate that has been associated with the Winnti group before. One threatening aspect of the HDRoot Bootkit is that, when executed, it presents itself as Microsoft's native Net Command 'net.exe', even when its sample is run.
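The two traits above, a binary posing as Microsoft's net.exe and a signature from a compromised certificate issued to Guangzhou YuanLuo Technology, can both be checked from a defender's side. The following PowerShell triage script is an added example, not code from the original page or from any vendor tool; it assumes an elevated session on Windows, and the search roots and the list of compromised signer subjects are assumptions to adapt (only the YuanLuo subject comes from the page). It does not inspect the boot sector, so it is an aid for spotting the dropper, not a full bootkit scan.

```powershell
# Added example: hunt for files named net.exe that are not genuine Microsoft binaries.
# Assumptions: elevated PowerShell on Windows; $searchRoots and $knownBadSubjects are
# placeholders to adapt (the YuanLuo subject string is the one named on the page).

$knownBadSubjects = @('Guangzhou YuanLuo Technology')
$searchRoots      = @($env:SystemRoot, $env:ProgramData, $env:USERPROFILE)
$systemDirs       = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Test-NetExeMasquerade {
    param([Parameter(Mandatory)][string]$Path)
    # Get-AuthenticodeSignature also resolves catalog-signed system files (assumed: Win8.1+).
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $company = (Get-Item $Path).VersionInfo.CompanyName
    $reasons = @()

    # Genuine net.exe lives only in the Windows system directories.
    if ((Split-Path $Path -Parent) -notin $systemDirs) {
        $reasons += 'located outside System32/SysWOW64'
    }
    # A file that claims Microsoft in its version resource but is not validly
    # Microsoft-signed matches the masquerade the page describes.
    if ($company -match 'Microsoft' -and ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft')) {
        $reasons += "claims '$company' but signer is $subject (status: $($sig.Status))"
    }
    # Compare the signer against certificate subjects known to be compromised.
    foreach ($bad in $knownBadSubjects) {
        if ($subject -match [regex]::Escape($bad)) {
            $reasons += "signed with known compromised certificate: $bad"
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Signer     = $subject
        SigStatus  = $sig.Status
        SHA256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Walk the search roots and report only the files that tripped at least one check.
Get-ChildItem -Path $searchRoots -Filter 'net.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-NetExeMasquerade -Path $_.FullName } |
    Where-Object Suspicious |
    Format-List
```

The SHA256 in each record is there so a flagged file can be compared against the genuine System32 copy and submitted for analysis without re-reading it.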

PC security researchers have associated the HDRoot Bootkit with two specific backdoor Trojans. One has been closely associated with threat attacks in South Korea, although there have also been instances of this attack in Russia and the United Kingdom. Dating back so far, the HDRoot Bootkit infection is not particularly sophisticated. However, the Winnti group relies on social engineering and experience, knowing where typical security breaches can be found and where organizations will take shortcuts in protecting their systems. The HDRoot Bootkit may be more effective where targeted organizations have a small security team, or where common user errors can be taken advantage of to deliver it. As has been demonstrated repeatedly, less sophisticated threats with effective delivery techniques may be more effective than complicated infections that are not backed by strong social engineering strategies.

Dealing with the HDRoot Bootkit Attacks

Prevention is paramount when dealing with HDRoot Bootkit attacks. PC security researchers strongly recommend that organizations establish effective security procedures and close any possible vulnerabilities by installing strong security software that is kept fully updated at all times. HDRoot Bootkit attacks may start from phishing emails and similar tactics. Because of this, making sure that employees are capable of recognizing these kinds of email messages and social engineering tactics, and of responding appropriately, is the best way to prevent these attacks and limit the effects of the HDRoot Bootkit on an organization's systems and data security.
