Security researchers at ESET reported on a new stealthy backdoor that uses Print Processors to achieve persistence, meaning it is loaded automatically every time the infected computer restarts. The technique is very similar to the Default Print Monitor persistence technique used by another malware downloader called DePriMon, but this variation has not been seen before. The malware first uses multiple methods to escalate its privilege level in order to gain permission to write files into the Windows\System32\spool\prtprocs folder, where Windows Print Processors are located, and then modifies the registry so that its component is loaded as a Print Processor for persistence. The malware was named "PipeMon" because it uses named pipes for inter-module communication. The Program Database (PDB) file path embedded in the malware executable shows that the malware developer likely used Microsoft Visual Studio and used the project name "Monitor" for this software. In the campaigns detected by ESET, the threat group targeted video game development companies in South Korea and Taiwan, which fits the profile of victims that the Winnti group has targeted in the past. Use of the same Command and Control (C2) domain names and of a stolen digital certificate that the Winnti group used in previous attacks also contributed to the attribution of the new malware to that threat group.
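The registration step described above (a DLL written into the prtprocs directory plus a matching registry entry) is something a threat hunter can check for directly. The following is an added example, not code from ESET or Binary Defense: it parses a constructed `reg export` of the Print Processors registry key and flags every registered processor that is not the stock winprint processor, or whose Driver value points outside the prtprocs directory. The registry key under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments and the prtprocs\x64 on-disk path are standard Windows locations; the processor names PipeProc and Updater and their DLL names are constructed placeholders, not indicators from the report.

```python
"""
Offline hunt for unexpected Windows print processor registrations.
Added example; not part of the ESET report or Binary Defense tooling.
"""
import re
from dataclasses import dataclass

# Default on-disk location of 64-bit print processor DLLs (standard Windows
# layout, assumed here as the baseline directory).
PRTPROCS_DIR = r"C:\Windows\System32\spool\prtprocs\x64"

# The only print processor that ships with Windows. Anything else is either a
# component installed by a legitimate printer driver or a finding to review.
KNOWN_GOOD = {"winprint": "winprint.dll"}

# Constructed sample in `reg export` format. "PipeProc", "Updater" and the
# DLL names are made-up values for this example, not real indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint]
"Driver"="winprint.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\PipeProc]
"Driver"="pproc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\Updater]
"Driver"="C:\\ProgramData\\upd.dll"
'''


@dataclass
class Finding:
    name: str           # print processor name (registry subkey)
    driver: str         # Driver value as stored in the registry
    reason: str         # why it was flagged
    expected_path: str  # where a legitimate DLL of that name would live


def parse_print_processors(reg_text: str) -> dict:
    """Return {processor_name: driver_value} from reg-export text.

    Only subkeys directly under a "...\\Print Processors\\" key are taken,
    so both the x64 and x86 environments are covered.
    """
    procs = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = re.match(r"^\[.*\\Print Processors\\([^\\]+)\]$", line)
            current = m.group(1) if m else None
            continue
        m = re.match(r'^"Driver"="(.*)"$', line)
        if m and current is not None:
            # reg export doubles backslashes inside string values; undo that.
            procs[current] = m.group(1).replace("\\\\", "\\")
    return procs


def hunt(procs: dict) -> list:
    """Flag print processors that deviate from the winprint-only baseline."""
    findings = []
    for name, driver in procs.items():
        lname, ldriver = name.lower(), driver.lower()
        if KNOWN_GOOD.get(lname) == ldriver:
            continue  # stock processor with its stock DLL name
        basename = driver.replace("/", "\\").split("\\")[-1]
        expected = f"{PRTPROCS_DIR}\\{basename}"
        if "\\" in driver or "/" in driver:
            reason = "driver path escapes prtprocs directory"
        elif lname not in KNOWN_GOOD:
            reason = "print processor not in baseline"
        else:
            reason = "known processor name with unexpected driver"
        findings.append(Finding(name, driver, reason, expected))
    return findings


if __name__ == "__main__":
    for f in hunt(parse_print_processors(SAMPLE_REG)):
        print(f"[!] {f.name}: Driver={f.driver} ({f.reason}); "
              f"verify hash/signature of {f.expected_path}")
```

On a live host the same input is produced with `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments" out.reg`; each finding's expected_path is the file an analyst would then hash, check for a valid signature, and compare against the spooler's load events. Treating any separator in the Driver value as anomalous is a heuristic: legitimate entries are bare DLL names resolved inside prtprocs.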
Threat actors are constantly adapting their techniques to avoid detection by anti-virus products and by security analysts monitoring for unusual behavior on systems. The latest advances observed in the PipeMon malware could be used by other threat groups in addition to the Winnti group to blend into the background "noise" of normal Windows printer installations. Threat hunters must pay attention to these new techniques and constantly adapt their own methods to search for and detect intrusions based on attacker behavior. The Binary Defense threat hunting team constantly researches new attacker techniques and adapts detections to match adversary capabilities.