Winnti Group Uses New PortReuse Malware Against Asian Manufacturer

Winnti Group hackers have updated their arsenal with a new modular Windows backdoor that they used to infect the servers of a high-profile Asian mobile hardware and software manufacturer.

The hacking group's ShadowPad malware also received some updates, with random module IDs and some extra obfuscation being the most noteworthy additions according to ESET researchers who monitored the hackers' attacks throughout the year.

This Chinese state-backed threat group (tracked as Blackfly and Suckfly by Symantec, Wicked Panda by CrowdStrike, BARIUM by Microsoft, APT41 by FireEye) has been active since at least 2011 when Kaspersky discovered the hackers' Winnti Trojan on a huge number of compromised gaming systems.

A supply chain attack against a video game developer was found to be behind this large scale attack, which led to the malware being distributed via a game's official update server.

New Windows backdoor used in attacks

ESET researchers who spotted the new malware dubbed PortReuse by Winnti Group also discovered that it is "a network implant that injects itself into a process that is already listening on a network port and waits for an incoming magic packet to trigger the malicious code."

Because PortReuse passively listens for a magic packet to activate it, this type of malware is also known as a passive network implant that will not interfere with legitimate traffic.

If it doesn't detect the packet designed to initiate its malicious behavior, PortReuse will not meddle with the compromised server's traffic and will automatically forward all uninteresting packets to the app that should receive them.

The backdoor malware is being dropped embedded in a .NET app designed to launch the Winnti packer shellcode, as a VB script that launches the shellcode using a .NET object, or in the form of "an executable that has the shellcode directly at the entry point."

PortReuse also has no need for command and control (C2) servers as it uses the NetAgent listener it injects in legitimate processes to wait for attackers to connect to the compromised servers.

"To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix," ESET says.

ESET researchers were also able to find several PortReuse ​​​​​​variants, each of them targeting different services and ports, including DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).

Out of all variants detected, ESET was also able to spot one that stands out as being port-agnostic as "it parses the TCP header and triggers only if the source port is less than 22."

#ESETresearch: PortReuse uses techniques similar to the #Winnti malware, such as waiting for a magic packet and modular architecture, but is a different beast. https://t.co/7q5CAhMiP1 pic.twitter.com/VvEjsxmDFy

— ESET research (@ESETresearch) October 14, 2019

Compromised Asian manufacturer

ESET was able to detect one company whose servers were infected with a variant of the PortReuse backdoor that injects itself within Microsoft IIS using a "GET request and inspecting the Server and Content-Length headers."

After seeing that using this approach will not affect the probed servers in any way, ESET's researchers "asked the help of Censys to perform an Internet-wide scan so to identify potential victims."

Following this large scale scan for compromised servers, ESET discovered eight infected machines with HTTP responses that matched the PortReuse signature discovered by the researchers.

"We found that all eight of these IP addresses belonged to a single organization: a major mobile hardware and software manufacturer based in Asia," says ESET. "We notified the company and are working with the victim to remediate."

"It is possible that the Winnti Group was planning a devastating supply-chain attack by compromising this organization," also add the researchers.

More details on the new and updated Winnti Group malware is available in ESET's blog post and their Winnti Group white paper.

Comments are closed.