Security researchers at ESET report that the Winnti Group continues to update its arsenal: they observed the China-linked APT group using a new modular Windows backdoor to infect the servers of a high-profile Asian mobile hardware and software manufacturer.
The researchers also found an updated version of the group's ShadowPad malware. The Winnti group was first documented by Kaspersky in 2013; according to the researchers, it has been active since 2007.
The researchers consider the Winnti umbrella to cover several APT groups tracked under various names, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda and ShadowPad.
The researchers analyzed recent supply-chain attacks against the gaming industry in Asia and noticed that the unique packer used there also appears in a backdoor dubbed PortReuse.
“After analyzing the custom packer used by the
In the attack against a video game developer, the malware was being distributed via a
The PortReuse backdoor has a modular architecture: its components run as separate processes that communicate through named pipes. The researchers found multiple PortReuse variants that differ in their NetAgent component but share the same SK3 component. Each variant targets a different service and port: DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).
The backdoor malware is being served in the following ways:
“The PortReuse backdoor does not use a C&C server; it waits for an incoming connection that sends a “magic” packet. To do so, it doesn’t open an additional TCP port; it injects into an existing process to “reuse” a port that is already open. To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix.” continues the analysis.
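The port-reuse mechanism described in the quote above, together with the per-port variants from the preceding paragraph, as an added illustration that is not ESET's code and not PortReuse itself: a small Python model in which a legitimate service already owns the port, a hooked receive path inspects every inbound buffer for a magic marker, and an IIS-style URL-prefix handler diverts only requests under its prefix. The marker value, the `/__hidden/` prefix, the handlers and the sample traffic are all invented for the example; the real implant's values are not given on this page.

```python
"""
Added illustration, not ESET's code and not PortReuse itself: a model of the
"port reuse" technique. The magic marker, URL prefix, handlers and sample
traffic are invented for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Hypothetical marker the implant looks for at the start of an inbound buffer.
MAGIC = b"\x13\x37WNT"


@dataclass
class HookedReceiver:
    """Models a hooked receive function (e.g. WSARecv) on a port that the
    legitimate service already owns. Every buffer passes through the hook
    before the service sees it."""
    service_handler: Callable[[bytes], bytes]
    implant_handler: Callable[[bytes], bytes]
    diverted: List[bytes] = field(default_factory=list)

    def recv(self, data: bytes) -> Tuple[str, bytes]:
        # Only buffers carrying the marker are diverted; everything else is
        # handed to the real service unchanged, so the port keeps working and
        # no new listening socket ever appears.
        if data.startswith(MAGIC):
            payload = data[len(MAGIC):]
            self.diverted.append(payload)
            return "implant", self.implant_handler(payload)
        return "service", self.service_handler(data)


@dataclass
class UrlPrefixDispatcher:
    """Models a handler registered for one URL prefix on an existing IIS
    listener (the HttpAddUrl variant): requests under the prefix go to the
    implant, all others to the site."""
    prefix: str
    service_handler: Callable[[str, bytes], bytes]
    implant_handler: Callable[[str, bytes], bytes]

    def handle(self, path: str, body: bytes) -> Tuple[str, bytes]:
        if path.startswith(self.prefix):
            return "implant", self.implant_handler(path, body)
        return "service", self.service_handler(path, body)


def simulate() -> dict:
    """Run both variants on constructed traffic and return what each side saw."""
    hook = HookedReceiver(
        service_handler=lambda d: b"HTTP/1.1 200 OK\r\n\r\nhello",
        implant_handler=lambda d: b"ack:" + d,
    )
    normal = hook.recv(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")   # constructed
    magic = hook.recv(MAGIC + b"whoami")                       # constructed

    iis = UrlPrefixDispatcher(
        prefix="/__hidden/",                                   # invented prefix
        service_handler=lambda p, b: b"site:" + p.encode(),
        implant_handler=lambda p, b: b"implant:" + b,
    )
    site = iis.handle("/index.html", b"")
    hidden = iis.handle("/__hidden/task", b"run")

    return {
        "normal": normal,
        "magic": magic,
        "site": site,
        "hidden": hidden,
        "diverted": hook.diverted,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The practical consequence for defenders is in the model: an inventory of listening ports before and after infection looks identical, because the implant never binds a socket of its own. Hunting therefore has to look inside the processes that already own ports 53, 80, 443, 3389 and 5985 (unexpected modules, hooked receive functions, extra named pipes, foreign URL registrations on the HTTP listener) rather than at the listener table.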
ESET identified one organization hit by a PortReuse variant that injects itself into Microsoft IIS; infected servers were fingerprinted with a “GET request and inspecting the Server and Content-Length headers.” Using the Censys search engine, the researchers found eight infected machines belonging to the same organization having indicators of compromise that
The organization is a major mobile hardware and software manufacturer based in Asia; the researchers contacted the company to alert it to the infection.
“It is possible that the
“The Winnti Group is still very active in 2019 and continues to target both gaming and other industries. The update to the ShadowPad malware shows they are still developing and using it. The relatively new PortReuse malware also shows they update their arsenal and give themselves an additional way to compromise their victims for a long period of time.”