China (Winnti Group/APT41): A new malware has been discovered and linked to the Chinese threat actor commonly tracked as the Winnti Group. The new malware has been named PortReuse and is a modular Windows backdoor that is being used to infect high-profile servers belonging to a mobile hardware and software manufacturer in Asia. The group has been active since 2011, when Kaspersky first discovered it compromising gaming systems.

The new report from researchers at ESET found that this backdoor is also a “network implant that injects itself into a process that is already listening on a network port and waits for an incoming magic packet to trigger the malicious code.” Commonly known as a passive network implant, this malware does not interfere with legitimate traffic: if the magic packet is not received by PortReuse, the malware passes the packets on to their respective applications on the server.

PortReuse is dropped embedded in a .NET application designed to launch the Winnti packer shellcode, either as a VBScript that launches the shellcode using .NET objects or as an executable that runs the shellcode directly at the entry point. Using the Nt Agent listener, the malware injects into legitimate processes and waits for attackers to connect to the compromised servers, which eliminates the need for any command and control infrastructure. ESET stated, “To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix.” Researchers also found many different variants that targeted different services and ports, including one in particular that stood out as port-agnostic because it parsed the TCP header and only triggered on source ports that were less than 22.
One company was infected with a variant of the backdoor that injects itself into Microsoft IIS, triggering on a “GET request and inspecting the server and Content-length headers.”
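The two trigger conditions described above (a TCP source port below 22 for the port-agnostic variant, and a GET request carrying both a Server and a Content-Length request header for the IIS variant) are both observable by a defender as anomalies: client operating systems allocate ephemeral source ports well above 22, and Server is a response header that a normal client never sends. The following is an added detection example, not code from the original report or from ESET; the connection records and HTTP requests it runs over are constructed sample data, and the function names are assumptions of this example. Because a hooked WSARecv can consume the trigger before the host application logs anything, this kind of check belongs on network-layer telemetry (flow or connection logs, a reverse proxy in front of IIS) rather than on the implanted server's own logs.

```python
"""Defender-side heuristics for the PortReuse trigger patterns (added example, constructed data)."""
from typing import Dict, List, Tuple

# Constructed inbound TCP connection records: (src_ip, src_port, dst_ip, dst_port).
# A legitimate client never initiates a connection from a source port this low, so
# records with src_port < 22 are candidates for the port-agnostic trigger.
SAMPLE_CONNECTIONS: List[Tuple[str, int, str, int]] = [
    ("198.51.100.7", 51234, "10.0.0.5", 443),
    ("198.51.100.9", 21, "10.0.0.5", 443),     # source port 21: anomalous
    ("203.0.113.4", 40000, "10.0.0.5", 80),
    ("203.0.113.8", 1, "10.0.0.5", 8080),      # source port 1: anomalous
]

# Constructed raw HTTP request header blocks as seen by a reverse proxy in front of IIS.
SAMPLE_REQUESTS: List[str] = [
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    # Server is a response header; a GET carrying it together with Content-Length
    # matches the trigger shape described for the IIS variant.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nServer: nginx\r\nContent-Length: 40\r\n\r\n",
    # A POST with Content-Length is ordinary and must not be flagged.
    "POST /api HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 12\r\n\r\nhello=world!",
]

LOW_SOURCE_PORT_THRESHOLD = 22  # the threshold quoted in the report


def find_low_source_port_connections(records, threshold=LOW_SOURCE_PORT_THRESHOLD):
    """Return inbound connection records whose source port is below the threshold."""
    return [rec for rec in records if rec[1] < threshold]


def parse_request_headers(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines rather than dropping the whole request
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def find_suspicious_get_requests(raw_requests) -> List[Tuple[int, str]]:
    """Return (index, path) for GET requests carrying both Server and Content-Length headers."""
    hits = []
    for idx, raw in enumerate(raw_requests):
        method, path, headers = parse_request_headers(raw)
        if method == "GET" and "server" in headers and "content-length" in headers:
            hits.append((idx, path))
    return hits


if __name__ == "__main__":
    for rec in find_low_source_port_connections(SAMPLE_CONNECTIONS):
        print("low source port:", rec)
    for idx, path in find_suspicious_get_requests(SAMPLE_REQUESTS):
        print("suspicious GET:", idx, path)
```

Both checks are deliberately narrow: a source port below 22 on an inbound connection has no benign explanation, and the header combination is rare enough on GET that a hit is worth a look rather than a noisy alert. Neither rule proves an implant is present; they point at a host whose listening processes should then be examined for injected code and hooked receive functions.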
How does Binary Defense help protect your organization? With best in breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.