With a new modular Windows backdoor, Winnti group hackers have upgraded their arsenal to infect servers from a highly-professional Asian mobile hardware and software manufacturer.

ShadowPad malware has also been added to the hacking group, with random modular IDs and some extra uncertainty being the most noticeable additions according to ESET researchers who have been monitoring hackers ‘ attacks all year round.

This Chinese state-based risk community (such as Symantec’s Blackfly and Suckfly, Wicked Panda’s CrowdStrike, Microsoft’s BARIUM, FireEye’s APT41), had been involved since Kaspersky exposed Winnti Trojan hackers on an enormous number of compromised gaming systems, at least in 2011.

A video game developer supply chain assault was found behind this large-scale attack, contributing to the malware being distributable via a game’s official update database.

Winnti Group artefacts and TTPs

Winnti Group artefacts and TTPs

New backdoor Windows used for attacks

Researchers from ESET, which spotted the latest malware known as PortReuse of the Winnti community, have also discovered that it is a “netz implant that is injecting itself into a system that already listens in a networking port, waiting for an incoming magic packet to trigger the malicious code.”

If the packet is not identified to trigger its malicious action, PortReuse will not interfere with the affected server’s traffic and will forward all uninteresting packets to the device that should receive them automatically.

The backdoor malware is dropped into an app called. NET, designed to launch the Winnti packer shellcode as a VB script that runs the shellcode with a.NET object, or as an “executable that has shellcode at its input point.” PortReuse also doesn’t need command and control (C2), because it uses the NetAgent listener that it injects into legitimate processes, so that it can wait.
PortReuse architecture

PortReuse architecture

“In order to decode incoming data to look for a magic packet, two strategies are used: hooking the reception feature (WSARecv or even the NtDeviceIoControlFile low level) or registering a handler to a specific URL resource on an IIS database by means of a URLPrefix using H5-0Addurl,” notes ESET.

In this sense, ESET scientists have also been able to find various PortReuse versions, each of which is configured for different ports and services such as TCP DNS (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Remote Management (5985).

Out of all detected variants, ESET also was able to detect one that is port-agnostic, as “it scans the TCP header and activates only if the source port is less than 22.”

Compromised producer of Asian goods

ESET could detect a company whose servers are infected with a version of the PortReuse backdoor that injects itself into Microsoft IIS using a GET request and checking Server and Content-Length headers. ESET researchers asked Censys to conduct an Internet test to detect the effects of the server on the sample.

“We find all eight of these IP addresses belonging to a single company: a leading Asian-based mobile hardware and software manufacturer,” said ESET. “We have informed the company and work to resolve the situation with the victims.” “It is possible that by undermining the enterprise, the Winnti Group is planning a devastating attack on the supply chain,” the prosecutors said.

Further information about the new and updated malware of the Winnti Group can be found in ESET’s blog post and in their Winnti Group White Paper.

Categorized in: