15 October 2019

Winnti Group uses new modular Windows backdoor against the gaming industry in Asia

China-linked Winnti Group is still very active and continues to update its malware arsenal, with the newest addition being a modular Windows backdoor spotted by ESET researchers in recent supply chain attacks against the gaming industry in Asia. The backdoor named PortReuse was used to infect the servers of a high-profile Asian mobile hardware and software manufacturer. The hacking group has also updated its flagship ShadowPad malware, with the randomization of module identifiers and some extra obfuscation techniques being the most notable changes.

Winnti Group, tracked as Blackfly and Suckfly by Symantec, Wicked Panda by CrowdStrike, BARIUM by Microsoft, APT41 by FireEye, and Group 72 by Cisco Talos, is known for its espionage capabilities and targeted attacks. In March 2019, ESET warned about Winnti’s supply chain attacks targeting video game players in Asia, and now the firm has published new research on the group’s updated toolset.

Based on the malware and techniques in use, the researchers believe that several APT groups operate under the Winnti umbrella.

During the investigation of recent supply chain attacks against the gaming industry in Asia, the ESET research team noticed the use of a unique packer in a backdoor dubbed PortReuse, which allowed them to work out how the malware is deployed on compromised hosts.

“After analyzing the custom packer used by the Winnti Group, we started hunting for more executable files with this packer, in the hope of unearthing other compromised software used in supply-chain attacks. What we’ve found is not exactly what we were looking for to begin with. Instead of finding compromised software, we discovered a new listening-mode modular backdoor that uses the same packer. We believe its authors call it PortReuse,” the researchers said. “This is not a random name: this backdoor injects into a running process already listening on a TCP port, ‘reusing’ an already open port. It hooks the receiving function and waits for a ‘magic’ packet to trigger the malicious behavior. The legitimate traffic is forwarded to the real application, so it is effectively not blocking any legitimate activity on the compromised server. This type of backdoor is sometimes called a passive network implant.”

In the attack against a video game developer, the malware was being distributed via a game’s official update server.

The PortReuse backdoor has a modular architecture, the researchers say: its components are separate processes that communicate through named pipes. ESET found multiple PortReuse variants, each with a different NetAgent but using the same SK3 component. Each observed variant targeted a different service and port, including DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).

PortReuse doesn’t need command and control (C2) servers; instead, it leverages the NetAgent listening on already open sockets. The attacker only needs to connect directly to the compromised host.

The researchers discovered eight IP addresses that replied with an HTTP response matching the signature of PortReuse. All of the addresses belonged to a major mobile hardware and software manufacturer based in Asia; the team contacted the company to warn it about the infection.

"It is possible that the Winnti Group was planning a devastating supply-chain attack by compromising this organization," the researchers added.

A more extensive write-up on the new and updated Winnti Group malware is available in ESET's whitepaper.
