HDRoot Bootkit
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
Threat Level: 90 % (High)
Infected Computers: 359
First Seen: October 7, 2015
Last Seen: August 24, 2022
OS(es) Affected: Windows
PC security researchers have identified one of the main tools used by the Winnti group, a hacking group based in China. The HDRoot Bootkit is an attack platform the group has used in attacks in Russia, South Korea and the United Kingdom. Since 2013, malware analysts have tracked the activities of the Winnti group, a dedicated espionage ring that targets the gaming industry to steal in-game currency and information. The Winnti group has been actively attacking gaming companies since 2009 and, to date, more than thirty companies have been hit, including several developers of some of the most popular online games.
Some Information on HDRoot Bootkit Attacks and the Winnti Group
The Winnti group is based in China and has been responsible for threat attacks all over the world. In the last few months, PC security researchers have uncovered evidence that the Winnti group has started to target companies beyond the gaming industry, focusing specifically on companies in the pharmaceutical and telecommunication industries. The HDRoot Bootkit is one of the main tools used by the Winnti group in their attacks. Identified by PC security analysts specifically in attacks on organizations based in South Korea, the HDRoot Bootkit is a threatening infection whose code was first developed nearly a decade ago, in 2006. PC security researchers suspect that the creator of the HDRoot Bootkit joined Winnti when the group was formed in 2009. However, it is also possible that the HDRoot Bootkit was acquired by purchasing it on the black market.
How the HDRoot Bootkit may be Used in Threat Attacks
The HDRoot Bootkit is used to deliver backdoor Trojans onto the victim's computer. Because a bootkit loads during the boot sequence, before the operating system, the HDRoot Bootkit also serves to ensure that the threat persists on the victim's computer once it has been installed. VMProtect, a commercial packer used to protect code from reverse engineering, was used to protect the HDRoot Bootkit's code. The HDRoot Bootkit was digitally signed with a compromised code-signing certificate issued to Guangzhou YuanLuo Technology, a company based in China; this certificate is known to be compromised and has been associated with the Winnti group before. One deceptive aspect of the HDRoot Bootkit is that its installer masquerades as Microsoft's native Net Command, 'net.exe', and keeps up that disguise even when the sample is run.
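A bootkit that persists through the boot sequence has to alter sector 0 of the disk while leaving the partition table usable, otherwise the system stops booting and the infection is noticed. The script below is an added example, not code from the page or from any vendor, of the check a responder would run for that pattern: parse a 512-byte MBR, hash the boot-code region and the partition table separately, and compare both against a baseline taken from a known-good image. Boot code changed with the partition table intact is the alert condition. The sample sectors are constructed for the example (the boot-code bytes and the "HYPOTHETICAL-LOADER" marker are arbitrary, not HDRoot's code); on a real host you would read sector 0 from the disk device instead.

```python
"""Baseline check for MBR boot-code tampering (bootkit persistence).

Added example. The sample sectors are constructed; nothing here is taken
from HDRoot or any real disk image.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0x000-0x1B7: boot code
DISK_SIG_OFF = 0x1B8       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55 0xAA
PART_ENTRY = struct.Struct("<B3xB3xII")  # status, CHS(skip), type, CHS(skip), LBA start, count


def parse_mbr(sector: bytes) -> dict:
    """Validate a 512-byte sector and split it into its MBR fields."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = PART_ENTRY.unpack_from(sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty entry
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partition_table_sha256": hashlib.sha256(sector[PART_TABLE_OFF:BOOT_SIG_OFF]).hexdigest(),
        "partitions": partitions,
    }


def make_baseline(sector: bytes) -> dict:
    """Record the hashes of a known-good MBR (taken after imaging, stored off-host)."""
    m = parse_mbr(sector)
    return {"boot_code_sha256": m["boot_code_sha256"],
            "partition_table_sha256": m["partition_table_sha256"]}


def compare_to_baseline(sector: bytes, baseline: dict) -> dict:
    """Classify sector 0 against the baseline.

    A bootkit must change the boot code to hijack the boot path but has every
    reason to keep the partition table so the OS still boots, so boot code
    changed with the partition table intact is the pattern to alert on.
    """
    m = parse_mbr(sector)
    code_changed = m["boot_code_sha256"] != baseline["boot_code_sha256"]
    table_changed = m["partition_table_sha256"] != baseline["partition_table_sha256"]
    if not code_changed and not table_changed:
        verdict = "clean"
    elif code_changed and not table_changed:
        verdict = "bootkit-suspect"
    else:
        verdict = "repartitioned"  # OS reinstall or a disk tool; still worth a look
    return {"boot_code_modified": code_changed,
            "partition_table_modified": table_changed,
            "verdict": verdict}


def build_sample_mbr(tampered: bool) -> bytes:
    """Constructed sample sector for the example (not a real disk image)."""
    # A few plausible opening bytes of 16-bit boot code, zero-padded to 440 bytes.
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06"
    if tampered:
        # A bootkit overwrites the start of the boot code to divert execution to
        # its own loader; the bytes here are arbitrary (hypothetical marker).
        boot_code = b"\xeb\x3c\x90" + b"HYPOTHETICAL-LOADER"
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    # One active NTFS partition (type 0x07) starting at LBA 2048; other entries empty.
    table = PART_ENTRY.pack(0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48
    return boot_code + disk_sig + table + b"\x55\xaa"


if __name__ == "__main__":
    # On a live host (as Administrator/root) you would instead read sector 0:
    #   open(r"\\.\PhysicalDrive0", "rb").read(512)   on Windows
    #   open("/dev/sda", "rb").read(512)              on Linux
    clean = build_sample_mbr(tampered=False)
    baseline = make_baseline(clean)
    print("clean sector:", compare_to_baseline(clean, baseline))
    print("tampered sector:", compare_to_baseline(build_sample_mbr(tampered=True), baseline))
```

Keep the baseline off the host: a bootkit with kernel-level control can feed a reader the original sector 0, so the comparison is most trustworthy when the disk is read offline (from a boot disc or after pulling the drive) or from an image acquired for forensics.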
PC security researchers have associated the HDRoot Bootkit with two specific backdoor Trojans. One has been closely associated with threat attacks in South Korea, although there have also been instances of this attack in Russia and the United Kingdom. Given how far back its code dates, the HDRoot Bootkit is not a particularly sophisticated infection. However, the Winnti group relies on social engineering and experience, knowing where typical security breaches occur and where organizations take shortcuts in protecting their systems. The HDRoot Bootkit may be more effective against targeted organizations that have a small security team, or where common user errors can be exploited to deliver it. As has been demonstrated repeatedly, less sophisticated threats with effective delivery techniques may be more effective than complex infections that are not backed by strong social engineering.
Dealing with the HDRoot Bootkit Attacks
Prevention is paramount when dealing with HDRoot Bootkit attacks. PC security researchers strongly recommend that organizations establish effective security procedures, patch known vulnerabilities promptly, and run security software that is kept fully updated at all times. HDRoot Bootkit attacks may begin with phishing emails and similar tactics, so making sure that employees can recognize these kinds of messages and social engineering tactics, and respond appropriately, is the best way to prevent these attacks and limit the effects of the HDRoot Bootkit on an organization's systems and data security. Because a bootkit persists in the boot code rather than inside the operating system, removing the dropped backdoors alone is not enough; the boot sector must also be restored from a known-good copy.