
Winnti Group was planning a devastating supply-chain attack against Asian manufacturer

Winnti Group is back with a new modular Windows backdoor, PortReuse, that was used to infect the servers of a high-profile Asian mobile hardware and software manufacturer.

Security experts at ESET report that the Winnti Group continues to update its arsenal: the China-linked APT group is using a new modular Windows backdoor, which it deployed on the servers of a high-profile Asian mobile hardware and software manufacturer.

The researchers also found that the group is using an updated version of its ShadowPad malware. The Winnti Group was first documented by Kaspersky in 2013; according to the researchers, the gang has been active since 2007.

The experts believe that several APT groups operate under the Winnti umbrella, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad.

While analyzing recent supply-chain attacks against the gaming industry in Asia, the experts noticed a unique custom packer; hunting for other executables built with that packer led them to a new backdoor dubbed PortReuse.

“After analyzing the custom packer used by the Winnti Group, we started hunting for more executable files with this packer, in the hope of unearthing other compromised software used in supply-chain attacks. What we’ve found is not exactly what we were looking for to begin with. Instead of finding compromised software, we discovered a new listening-mode modular backdoor that uses the same packer. We believe its author calls it PortReuse,” reads the paper published by ESET. “This is not a random name: this backdoor injects into a running process already listening on a TCP port, ‘reusing’ an already open port. It hooks the receiving function and waits for a ‘magic’ packet to trigger the malicious behavior. The legitimate traffic is forwarded to the real application, so it is effectively not blocking any legitimate activity on the compromised server. This type of backdoor is sometimes called a passive network implant.”

In the attack against a video game developer, the malware was distributed through the game’s official update server.

PortReuse has a modular architecture: its components run as separate processes that communicate through named pipes. The experts found multiple PortReuse variants, each with a different NetAgent (the component that hooks the listening process) but the same SK3 component. Each variant targets a different service and port: DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).

The backdoor is delivered in one of three forms:

  • Embedded in a .NET application that launches the initial Winnti packer;
  • In a VB script that invokes a .NET object that launches the packer;
  • In an executable that has the packer directly at its entry point.

PortReuse does not need a command and control (C2) server. Instead, its NetAgent listens on a socket the host process already has open, and the attacker simply connects directly to the compromised host.

“The PortReuse backdoor does not use a C&C server; it waits for an incoming connection that sends a ‘magic’ packet. To do so, it doesn’t open an additional TCP port; it injects into an existing process to ‘reuse’ a port that is already open. To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower-level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix,” continues the analysis.
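The following C program is an added illustration of the port-reuse pattern described in the quote above; it is not ESET’s code and not PortReuse’s. It models a hook installed in place of a listening process’s receive function: every read still goes through the “real” receive, a buffer that starts with a magic prefix is diverted to the implant, and everything else reaches the application untouched, so the port keeps serving its normal clients. The MAGIC bytes, the command format, the in-memory packet queue standing in for WSARecv, the constructed HTTP requests and all function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PKT 256

/* Constructed inbound traffic, standing in for what the hooked socket
 * would deliver: three ordinary HTTP requests and one trigger packet. */
static const char *inbound[] = {
    "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "MG!Kcmd:whoami",   /* hypothetical magic prefix followed by an operator command */
    "POST /login HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 0\r\n\r\n",
};
static const int inbound_count = (int)(sizeof inbound / sizeof inbound[0]);
static int inbound_pos = 0;

/* Hypothetical 4-byte trigger; PortReuse's real magic packet is not on the page. */
static const char MAGIC[] = "MG!K";
#define MAGIC_LEN 4

/* Counters so the behaviour can be checked without relying on console output. */
static int app_packets = 0;        /* buffers forwarded to the legitimate service */
static int implant_triggers = 0;   /* buffers consumed by the implant */
static char last_command[MAX_PKT]; /* command carried by the last trigger */

/* Stand-in for the original receive function (WSARecv in the real case):
 * pops the next constructed packet, or returns 0 for end-of-stream. */
static int real_recv(char *buf, int len) {
    if (inbound_pos >= inbound_count) return 0;
    const char *pkt = inbound[inbound_pos++];
    int n = (int)strlen(pkt);
    if (n > len) n = len;
    memcpy(buf, pkt, (size_t)n);
    return n;
}

/* The implant's command handler. Here it only records what it was sent;
 * a real implant would execute the operator's command. */
static void implant_dispatch(const char *cmd, int len) {
    if (len > MAX_PKT - 1) len = MAX_PKT - 1;
    memcpy(last_command, cmd, (size_t)len);
    last_command[len] = '\0';
    implant_triggers++;
}

/* The hook installed in place of the receive function. Every read still goes
 * through the real receive; only a buffer that starts with MAGIC is diverted,
 * and the hook then immediately fetches the next packet so the hosting
 * service never sees the trigger bytes. (How PortReuse hides the trigger
 * from the host application is not described on the page; this is a model.) */
static int hooked_recv(char *buf, int len) {
    for (;;) {
        int n = real_recv(buf, len);
        if (n >= MAGIC_LEN && memcmp(buf, MAGIC, MAGIC_LEN) == 0) {
            implant_dispatch(buf + MAGIC_LEN, n - MAGIC_LEN);
            memset(buf, 0, (size_t)n);   /* scrub the trigger from the app buffer */
            continue;
        }
        if (n > 0) app_packets++;        /* legitimate traffic passes through untouched */
        return n;
    }
}

/* Drives the hooked socket the way the legitimate server loop would.
 * Resets the constructed state first, then returns how many buffers
 * reached the application. */
static int run_server_loop(void) {
    char buf[MAX_PKT];
    inbound_pos = 0;
    app_packets = 0;
    implant_triggers = 0;
    last_command[0] = '\0';
    while (hooked_recv(buf, sizeof buf) > 0) {
        /* the real service would parse buf here; it only ever sees clean requests */
    }
    return app_packets;
}

int main(void) {
    int delivered = run_server_loop();
    printf("forwarded to app: %d, implant triggers: %d, last command: \"%s\"\n",
           delivered, implant_triggers, last_command);
    return 0;
}
```

Compile with `cc portreuse_model.c && ./a.out`. The point for defenders is the asymmetry the model makes visible: the three HTTP requests reach the application byte for byte, so service-level monitoring of port 80 sees a healthy web server, while the single trigger packet never appears in the application's buffers. Detection therefore has to come from the host (an unexpected module or hooked receive routine inside the listening process, the named pipes between the implant's components) or from a remote probe that elicits the implant's distinctive response, which is how ESET found infected hosts through Censys.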

ESET identified a variant of PortReuse that injects itself into Microsoft IIS; an infected server can be recognized remotely with a “GET request and inspecting the Server and Content-Length headers.” Using the Censys search engine, the experts discovered eight infected machines, all belonging to the same organization, whose responses matched the PortReuse indicators of compromise.

The organization is a major mobile hardware and software manufacturer based in Asia; the experts contacted it to alert it to the infection.

“It is possible that the Winnti Group was planning a devastating supply-chain attack by compromising this organization,” concludes the analysis.

“The Winnti Group is still very active in 2019 and continues to target both gaming and other industries. The update to the ShadowPad malware shows they are still developing and using it. The relatively new PortReuse malware also shows they update their arsenal and give themselves an additional way to compromise their victims for a long period of time.”


Pierluigi Paganini

(SecurityAffairs – Winnti, malware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
