Pierluigi Paganini October 15, 2019

Winnti Group is back with a new modular Win backdoor that was used to infect the servers of a high-profile Asian mobile hardware and software manufacturer.

Security experts at ESET revealed that Winnti Group continues to update its arsenal, they observed that the China-linked APT group using a new modular Windows backdoor that they used to infect the servers of a high-profile Asian mobile hardware and software manufacturer.

Researchers also discovered that the APT group used an updated version of its ShadowPad malware. The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including  Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad.

Experts analyzed recent supply chain attacks against the gaming industry in Asia and noticed the use of a unique packer in a backdoor dubbed PortReuse.

“After analyzing the custom packer used by the Winnti Group, we started hunting for more executable files with this packer, in the hope of unearthing other compromised software used in supply-chain attacks. What we’ve found is not exactly what we were looking for to begin with. Instead of finding compromised software, we discovered a new listening-mode modular backdoor that uses the same packer. We believe its author call it PortReuse.” reads the paper published by ESET. “This is not a random name: this backdoor injects into a running process already listening on a TCP port, “reusing” an already open port. It hooks the receiving function and waits for a “magic” packet to trigger the malicious behavior. The legitimate traffic is forwarded to the real application, so it is effectively not blocking any legitimate activity on the compromised server. This type of backdoor is sometimes called a passive network implant “

In the attack against a video game developer, the malware was being distributed via a game’s official update server.

The PortReuse backdoor has a modular architecture, experts discovered that its components are separate processes that communicate through named pipes. Experts detected multiple PortReuse variants with a different NetAgent but using the same SK3. Each variant spotted by the experts was targeting different services and ports, including DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).

The backdoor malware is being served in the following ways:

• Embedded in a .NET application launching the initial Winnti packer;
• In a VB script that and invokes a .NET object that launches the;
• In an executable that has the directly at the entry point;

PortReuse doesn’t need for command and control (C2) servers, instead, it leverages the NetAgent listening on open sockets. The attacker only needs to connect directly to the compromised host.

“The PortReuse backdoor does not use a C&C server; it waits for an incoming connection that sends a “magic” packet. To do so, it doesn’t open an additional TCP port; it injects into an existing process to “reuse” a port that is already open. To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix.” continues the analysis.

ESET was able to identify one company that was hit by a variant of the PortReuse backdoor that injects itself within Microsoft IIS using a “GET request and inspecting the Server and Content-Length headers.” Using the Censys search engine the experts discovered eight infected machines belonging to the same organization having indicators of compromise that were matching the PortReuse infection.

The organizations is major mobile hardware and software manufacturer based in Asia, experts contacted it to alert the company of the infection.

“It is possible that the Winnti Group was planning a devastating supply-chain attack by compromising this organization,” conlcudes the analysis.

“The Winnti Group is still very active in 2019 and continues to target both gaming and other industries. The update to the ShadowPad malware shows they are still developing and using it. The relatively new PortReuse malware also shows they update their arsenal and give themselves an additional way to compromise their victims for a long period of time.”

Pierluigi Paganini

(SecurityAffairs – Winnti, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]