15 October 2019

Winnti Group uses new modular Windows backdoor against the gaming industry in Asia


China-linked Winnti Group is still very active and continues to update its malware arsenal, with the newest addition being a modular Windows backdoor spotted by ESET researchers in recent supply chain attacks against the gaming industry in Asia. The backdoor named PortReuse was used to infect the servers of a high-profile Asian mobile hardware and software manufacturer. The hacking group has also updated its flagship ShadowPad malware, with the randomization of module identifiers and some extra obfuscation techniques being the most notable changes.

Winnti Group, tracked as Blackfly and Suckfly by Symantec, Wicked Panda by CrowdStrike, BARIUM by Microsoft, APT41 by FireEye, and Group 72 by Cisco Talos, is known for its espionage capability and targeted attacks. In March 2019, ESET warned about Winnti’s supply chain attacks targeting video game players in Asia, and now the firm has published new research on the group’s updated toolset.

Based on the malware and techniques they use, the researchers believe that several APT groups operate under the Winnti umbrella.

During the investigation of recent supply chain attacks against the gaming industry in Asia, the ESET research team noticed the use of a unique packer in a backdoor dubbed PortReuse, which allowed them to find out how the malware is deployed on compromised hosts.

“After analyzing the custom packer used by the Winnti Group, we started hunting for more executable files with this packer, in the hope of unearthing other compromised software used in supply-chain attacks. What we’ve found is not exactly what we were looking for to begin with. Instead of finding compromised software, we discovered a new listening-mode modular backdoor that uses the same packer. We believe its authors call it PortReuse,” the researchers said. “This is not a random name: this backdoor injects into a running process already listening on a TCP port, ‘reusing’ an already open port. It hooks the receiving function and waits for a ‘magic’ packet to trigger the malicious behavior. The legitimate traffic is forwarded to the real application, so it is effectively not blocking any legitimate activity on the compromised server. This type of backdoor is sometimes called a passive network implant.”

In the attack against a video game developer, the malware was being distributed via a game’s official update server.

The PortReuse backdoor has a modular architecture, the researchers say: its components are separate processes that communicate through named pipes. ESET found multiple PortReuse variants with a different NetAgent but using the same SK3. Each observed variant targeted a different service and port, including DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).

PortReuse doesn’t need command and control (C2) servers; instead, it leverages the NetAgent listening on already open sockets. The attacker only needs to connect directly to the compromised host.

The researchers discovered eight IP addresses that replied with an HTTP response matching the signature of PortReuse. All of the addresses belonged to a major mobile hardware and software manufacturer based in Asia; the team contacted the company to warn it about the infection.

"It is possible that the Winnti Group was planning a devastating supply-chain attack by compromising this organization," the researchers added.

A more extensive write-up on the new and updated Winnti Group malware is available in ESET's whitepaper.
