ESET security researchers were able to identify a new backdoor associated with the threat actor known as the Winnti Group.
Around since at least 2009 and operating under the same umbrella as Axiom, Barium, Group 72, Blackfly, and APT41, the hacking group is believed to be operating out of China. The hackers mainly focus on industrial cyber-espionage, targeting aviation, gaming, pharmaceuticals, technology, telecommunication, and software development.
Dubbed PortReuse, the new backdoor associated with the group was discovered while investigating the custom packer used on payloads embedded in compromised video games and gaming applications. The malware features a modular architecture and was designed to inject into a running process already listening on a TCP port.
Designed to reuse an already opened port, the backdoor hooks the receiving functions and waits for a specific packet to start the malicious behavior. Also referred to as a passive network implant, the malware forwards the legitimate traffic to the real application.
The backdoor’s components are separate processes that communicate through named pipes, which allows it to reuse existing binary components and only replace those that need customization. PortReuse has no command and control (C&C) server, only a NetAgent listening on open sockets, meaning that the attackers need to connect directly to the host.
A launch file is written to disk, while the remaining backdoor components exist only in memory, ESET explains in a new report (PDF).
Identified modules include InnerLoader (targets a specific process to inject into), NetAgent (handles TCP hooking), SK3 module (decrypts and processes network traffic forwarded by NetAgent through the named pipe), and UserFunction and ProcTran (execute commands in other processes). In some cases, NetAgent and SK3 were merged.
The backdoor targets popular ports, including 53 (DNS over TCP), 80, 443, 3389 (Remote Desktop Protocol), and 5985 (Windows Remote Management). One variant parses the TCP header and triggers only if the source port is less than 22.
To date, ESET only found a single organization infected with this backdoor, namely a major mobile hardware and software manufacturer in Asia. The security researchers suggest that the Winnti Group could have been planning “a devastating supply-chain attack by compromising this organization.”
In some Winnti attacks, the victims were also compromised with a VMProtected DLL, and the PortReuse backdoor too was found in these droppers. Similarities with the VMProtected droppers used in Operation ShadowHammer allowed ESET to link the two attacks.
Previously, ShadowHammer was linked to ShadowPad, and ESET says it has found some additional evidence to connect Winnti to ShadowPad.
Related: Researchers Link Several State-Sponsored Chinese Spy Groups
Related: Researchers Analyze the Linux Variant of Winnti Malware
Related: Backdoors Found in Tools Used by Hundreds of Organizations