Decade of the RATs – Custom Chinese Linux Rootkits for Everyone

Conference: BlackHat USA 2020



The presentation discusses the overlap between threat intelligence and investigative journalism in uncovering hidden truths and answering critical questions. The speaker provides concrete examples of how to think critically about malware analysis and how to spot cognitive biases.
  • Threat intelligence and investigative journalism share a focus on finding hidden truths, and both require careful attention to turn findings into a coherent narrative.
  • Both are motivated by the search for answers to critical questions.
  • The speaker found a significant amount of unnoticed Linux malware by looking back at older samples rather than focusing solely on what is new.
  • The malware consisted of an installer script, a remote build server, a rootkit, and a backdoor.
  • The speaker discovered connections between the malware and five distinct Chinese APT groups, all of which targeted video game companies.
  • The speaker questions the perception of the botnet as a denial-of-service tool and speculates on its potential use for espionage.
  • The presentation highlights the lack of attention the security industry gives to mobile malware and the need to widen the lens when analyzing campaigns that combine different forms of malware.
The speaker found that the Linux malware they discovered was being shared among five different Chinese APT groups that all targeted video game companies. The groups used the same device for rootkit functionality, used the same string as an XOR key to obscure network traffic, and based their rootkits and botnets on similar modifications of the open-source Suterusu rootkit. The speaker speculates on the potential use of the botnet for espionage and questions the narrow perception of it as a denial-of-service tool.


While 2020 is the Year of the Rat for the Chinese, it's felt more like the Decade of the RATs. In this talk, I reveal a nearly decade-long, undetected, state-sponsored effort to strategically target the Linux servers that comprise the backbone of modern-day government and industry. Having discovered a full stack of handcrafted, tailored, Linux malware, from interactive installation script to kernel rootkits to the attacker's control panel, I was able to construct a rare and uniquely detailed narrative of a concerted espionage effort. The talk reveals how five Chinese APT groups that originally stemmed from the notorious WINNTI collective formed a Linux splinter cell. Set against the backdrop of recent, renewed efforts by the US Department of Justice to expose and prosecute Chinese espionage, the talk sheds light on a new and troubling chapter in an otherwise old story of Chinese IP theft - one that crosses into the Android and Windows platforms as well. The talk demonstrates how the attackers successfully preyed upon defender assumptions regarding the security of Linux, the treatment of Windows adware, and the overall deployment of security products and services. Finally, attendees will also encounter new and intriguing questions, including: Is a Chinese APT group behind the development of one of the most widely used, commercially available RATs for mobile? Is WINNTI responsible for the creation of the largest known Linux DDoS botnet?