Friday, July 19, 2024

Winnti Hackers Group Launching New Malware via Supply-chain Attacks to Inject Backdoor in Windows

Researchers discovered a new malware campaign from the Winnti threat group that utilizes the supply-chain attacks with a new set of artifacts to inject a sophisticated backdoor in windows computers.

Winnti group activities are being monitored since 2013, since then it continuously targeting various private sectors including Aviation, Gaming, Pharmaceuticals, Software development, Telecommunication and Technology that resides in Asia.

Researchers from ESET uncovered a VMProtected packer that was used to deliver the backdoor called PortReuse using cipher and key generation technique and also it delivered another malware called shadowpad.

There are various artifacts are learned in this research and found that it using the same technique, events relationships, and code for the various targeted attacks.

Winnti group Arsenal Credits: ESET

Winnti group believed to be Aliases with different threat actors in the recent past including Winnti Umbrella, Axiom, Group 72, APT41, Blackfly, and Suckfly.

Also, it responsible for recently uncovered an operation called ShadowHammer that targeted the ASUS computer software update tool to inject a backdoor. 

This new research exposing the arsenal and methods of the Winnti Group that deliver the PortReuse backdoor on windows computers that deployed in a targeted organization network.

PortReuse Backdoor Activities

Researchers digging deeper into a custom packer that was uncovered in the previous report found the more executable files and believed to be used in supply-chain attacks using compromised software.

But actually they discovered a new listening-mode modular PortReuse backdoor that injects into a running process already listening on a TCP port.

Attackers used the following formats during the initial launch and only a single file is written to disk to start PortReuse:

  1. Embedded in a .NET application launching the initial Winnti packer shellcode 
  2.  In a VB script that deserializes and invokes a .NET object that launches the shellcode 
  3. In an executable that has the shellcode directly at the entry point 
Modular Architecture Credits: ESET

Later the custom packer decrypt and launch a first component  InnerLoader ( InnerLoader.dll ), also researchers able to extract the packer metadata. “The metadata from the packer, including absolute file path when it was packed”.

According to the ESET report, “ In the case of the .NET injector, InnerLoader targets a process called GameServer_NewPoker.exe and in the case of the VBS injector, it will look for a process listening on port 53 (DNS). These payloads are, again, packed using the same packer and are called NetAgent and SK3 according to the packer configuration. ”

PortReuse backdoor is targeting different commonly used ports including  53 (DNS over TCP), 80, 443, 3389 (RDP), and 5985 (Windows Remote Management).

In order to perform the network hook in targeted victims, the backdoor initially needs to inject into the running process.

ESET researchers were able to decrypt several payloads packed using this custom VMProtected packer and them that the payload was either the PortReuse backdoor or the ShadowPad malware.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles