China (Winnti Group/APT41): A new malware has been discovered and linked to the Chinese threat actor commonly tracked as the Winnti Group. The new malware has been named PortReuse and is a modular windows backdoor that is being used to infect high-profile servers for a mobile hardware and software manufacturer in Asia. The group has been active since 2011 when they were first discovered compromising gaming systems by Kaspersky. This newest report from researchers at ESET discovered that this newest backdoor is also a “network implant that injects itself into a process that is already listening on a network port and waits for an incoming magic packet to trigger the malicious code.” Commonly known as a passive network implant this malware will not interfere with legitimate traffic. If the magic packet is not received by PortReuse, the malware will pass the packets off to their respective applications from the server. PortReuse is dropped embedded in a .NET app which is designed to launch the Winnti packer shellcode which is a VB script that launches the Shellcode using .NET objects or as an executable that utilizes shellcode directly at the entry point. By using the Nt Agent listener for the malware, it injects in legitimate processes to wait for attackers to connect to the compromised servers which eliminate the need for any type of command and control infrastructure. ESET stated, “To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix.” Researchers also found many different variants that targeted different services and ports–including one in particular that stood out as port-agnostic because it parsed the TCP header and only triggered off of source ports that were less than 22. One company that was infected with a variant of the backdoor that injects itself within Microsoft IIS using a “GET request and inspecting the server and Content-length headers.”
Analyst Notes
It is possible that by compromising this large of a manufacturing company, the group was planning on carrying out a major supply chain attack, which they have done in the past. Winnti is under the influence of the Chinese Government, but the attack on an Asian entity comes as no surprise as China has many questionable relationships throughout Asia. Researchers stated that they pulled out a signature and were using that to compare the different versions of the malware. Because of this, this malware should be able to be detected on a company’s network. Now that the malware has been discovered, the attackers may begin to make changes to it or completely scrap it and start developing a new one. It was not outlined how that malware initially made it into the system, but companies should have monitoring in place such as 24/7/365 SOC monitoring from Binary Defense to detect any type of malicious activity on their endpoints.
