China-linked Winnti Group is still very active and continues to update its malware arsenal, with the newest addition being a modular Windows backdoor spotted by ESET researchers in recent supply chain attacks against the gaming industry in Asia. The backdoor named PortReuse was used to infect the servers of a high-profile Asian mobile hardware and software manufacturer. The hacking group has also updated its flagship ShadowPad malware, with the randomization of module identifiers and some extra obfuscation techniques being the most notable changes.
Winnti Group tracked as Blackfly and Suckfly by Symantec, Wicked Panda by CrowdStrike, BARIUM by Microsoft, APT41 by FireEye, and Group 72 by Cisco Talos is known for its espionage capability and targeted attacks. In March 2019, ESET warned about Winnti’s supply chain attacks targeting video game players in Asia and now the firm has published a new research on the group’s updated toolset.
The researchers believe that under the Winnti umbrella operate several APT groups based on the malware and techniques they use.
During the investigation of recent supply chain attacks against the gaming industry in Asia ESET research team noticed the use of a unique packer in a backdoor dubbed PortReuse which allowed them to find out how the malware is deployed on compromised hosts.
“After analyzing the custom packer used by the Winnti Group, we started hunting for more executable files with this packer, in the hope of unearthing other compromised software used in supply-chain attacks. What we’ve found is not exactly what we were looking for to begin with. Instead of finding compromised software, we discovered a new listening-mode modular backdoor that uses the same packer. We believe its author call it PortReuse,” the researchers said. “This is not a random name: this backdoor injects into a running process already listening on a TCP port, “reusing” an already open port. It hooks the receiving function and waits for a “magic” packet to trigger the malicious behavior. The legitimate traffic is forwarded to the real application, so it is effectively not blocking any legitimate activity on the compromised server. This type of backdoor is sometimes called a passive network implant.”
In the attack against a video game developer, the malware was being distributed via a game’s official update server.
The PortReuse backdoor has a modular architecture, say the researchers, its components are separate processes that communicate through named pipes. ESET found multiple PortReuse variants with a different NetAgent but using the same SK3. Each observed variant was targeting different services and ports, including DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).
PortReuse doesn’t need for command and control (C2) servers, instead, it leverages the NetAgent listening on open sockets. The attacker only needs to connect directly to the compromised host.
The researchers discovered eight IP addresses that replied with an HTTP response matching the signature of PortReuse. All of the addresses belonged a major mobile hardware and software manufacturer based in Asia, the team contacted the company to warn it about infection.
"It is possible that the Winnti Group was planning a devastating supply-chain attack by compromising this organization," the researchers added.
More extensive write-up on the new and updated Winnti Group malware is available in ESET's whitepaper.