Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Find New Backdoor Used by Winnti Hackers

ESET security researchers were able to identify a new backdoor associated with the threat actor known as the Winnti Group.

ESET security researchers were able to identify a new backdoor associated with the threat actor known as the Winnti Group.

Around since at least 2009 and operating under the same umbrella as Axiom, Barium, Group 72, Blackfly, and APT41, the hacking group is believed to be operating out of China. The hackers mainly focus on industrial cyber-espionage, targeting aviation, gaming, pharmaceuticals, technology, telecommunication, and software development.

Dubbed PortReuse, the new backdoor associated with the group was discovered while investigating the custom packer used on payloads embedded in compromised video games and gaming applications. The malware features a modular architecture and was designed to inject into a running process already listening on a TCP port.

Designed to reuse an already opened port, the backdoor hooks the receiving functions and waits for a specific packet to start the malicious behavior. Also referred to as a passive network implant, the malware forwards the legitimate traffic to the real application.

The backdoor’s components are separate processes that communicate through named pipes, which allows it to reuse existing binary components and only replace those that need customization. PortReuse has no command and control (C&C) server, only a NetAgent listening on open sockets, meaning that the attackers need to connect directly to the host.

A launch file is written to disk, while the remaining backdoor components exist only in memory, ESET explains in a new report (PDF).

Identified modules include InnerLoader (targets a specific process to inject into), NetAgent (handles TCP hooking), SK3 module (decrypts and processes network traffic forwarded by NetAgent through the named pipe), and UserFunction and ProcTran (execute commands in other processes). In some cases, NetAgent and SK3 were merged.

The backdoor targets popular ports, including 53 (DNS over TCP), 80, 443, 3389 (Remote Desktop Protocol), and 5985 (Windows Remote Management). One variant parses the TCP header and triggers only if the source port is less than 22.

To date, ESET only found a single organization infected with this backdoor, namely a major mobile hardware and software manufacturer in Asia. The security researchers suggest that the Winnti Group could have been planning “a devastating supply-chain attack by compromising this organization.”

In some Winnti attacks, the victims were also compromised with a VMProtected DLL, and the PortReuse backdoor too was found in these droppers. Similarities with the VMProtected droppers used in Operation ShadowHammer allowed ESET to link the two attacks.

Previously, ShadowHammer was linked to ShadowPad, and ESET says it has found some additional evidence to connect Winnti to ShadowPad.

Related: Researchers Link Several State-Sponsored Chinese Spy Groups

Related: Researchers Analyze the Linux Variant of Winnti Malware

Related: Backdoors Found in Tools Used by Hundreds of Organizations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.