Security researchers at ESET reported on a new stealthy backdoor that uses Print Processors to achieve persistence, which means automatically starting every time the infected computer restarts. The technique is very similar to the Default Print Monitor persistence technique used by another malware downloader called DePriMon, but this variation has not been seen before. The malware first uses multiple methods to escalate its privilege level in order to have permission to save files in the Windows\System32\spool\prtprocs folder, where Windows Print Processors are located and modifies the registry for persistence. The malware was named “PipeMon” because it uses named pipes for inter-module communication. The Program Debug file path embedded in the malware executable shows that the malware developer likely used Microsoft Visual Studio and used the project name “Monitor” for this software. In the campaigns detected by ESET, the threat group targeted video game development companies in South Korea and Taiwan, which fits the profile of victims that the Winnti group has targeted in the past. Use of the same Command and Control (C2) domain names and a stolen digital certificate that the Winnti group used in previous attacks also contributed to the attribution of the new malware to the threat group.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in