Winnti Group Resurfaces with PortReuse Backdoor, Now Engages in Illicit Cryptocurrency Mining

The Winnti group used a previously undocumented and unreported backdoor named PortReuse to compromise a high-profile, Asia-based mobile hardware and software manufacturer, presumably as a jump-off point for launching supply chain attacks. This is what researchers at ESET found after an in-depth analysis of the Winnti group’s operations.

PortReuse, a modular backdoor, is unique in that it doesn’t create processes to establish a connection with its Winnti-owned or -controlled client, as many backdoors typically do. Instead, it injects itself into active, legitimate processes, reuses the TCP ports they already have open, then waits for a “magic packet” (received data that is specific to the MAC address of a computer’s network card) before executing its malicious activities. ESET’s Marc-Etienne M. Léveillé and Mathieu Tartare further explained in their report, “The legitimate traffic is forwarded to the real application, so it is effectively not blocking any legitimate activity on the compromised server.”

To obfuscate its trail, PortReuse writes only a single file to the computer’s disk; the rest resides in memory. It doesn’t have command-and-control (C&C) servers coded into the malware, as it abuses NetAgent, a third-party utility, to handle how the malware listens on open ports. The malware also abuses the VMProtect packer to deter analysis and reverse engineering.

Another significant detail they uncovered is the final payload of the Winnti group’s supply chain attacks: a modified version of XMRig, an open-source cryptocurrency miner. This is unlike the group’s previous campaigns, as the Winnti group is known for its cyberespionage operations. The researchers surmised that the group uses these cryptocurrency-mining operations to fund its infrastructures and operations.

The Winnti group — also known as APT41, BARIUM, and Blackfly, among other aliases — is tied to several supply chain attacks where a vendor’s legitimate online infrastructures are compromised in order to embed malware into their legitimate software.

The Winnti group is known for targeting the gaming industry, and has been involved in incidents such as the ShadowHammer backdoor that was embedded in an update utility tool, and ShadowPad, which was embedded into the PC cleanup tool CCleaner and NetSarang’s server management software. The Winnti malware, after which the group is named, has also undergone various updates over the years, including its abuse of GitHub as a conduit for its C&C communications. According to Léveillé and Tartare’s report, ShadowPad also underwent multiple updates this year, based on the timestamps of the samples.

Supply chain attacks exploit the trust between vendors and customers. They pose significant security and privacy risks not only to the end users who inadvertently download and install trojanized software, but also to the enterprises that create and deliver the software.

Supply chain attacks also adversely affect the integrity and availability of the products or services enterprises provide. They can, for example, expose sensitive medical information — or even endanger patient health by disrupting operations — if carried out against a healthcare facility, or, in Magecart’s case, expose the customers’ personally identifiable information and financial data. The negative impact could also be exacerbated by the stringent penalties that enterprises can incur from data privacy regulations, such as the EU General Data Protection Regulation (GDPR).

Here are some security recommendations that organizations can adopt to mitigate the risks posed by supply chain attacks:

  • Supervise and apply security controls not only to the organization’s own online infrastructures, but also to the third-party products or services being used.
  • Develop and enforce incident response strategies that can provide more visibility into the software, hardware, and components being used within the organization; this will enable organizations to better understand, manage, monitor, and mitigate the risks involved in third-party applications or software.
  • Proactively monitor the network: Firewalls and intrusion detection and prevention systems, for instance, help thwart network-based threats and detect anomalous or suspicious traffic.
  • Enforce the principle of least privilege through additional security mechanisms like network segmentation, data categorization, and restriction of administration tools that can be abused to gain a foothold into the systems.
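As an added example for the network-monitoring recommendation (not code from this article or from ESET's report): a check that flags flows carrying the Stratum-style JSON-RPC exchange the open-source XMRig client uses, keyed on message shape rather than the agent string, since a modified build can change that. It assumes cleartext Stratum; the flow records, addresses and wallet placeholder are constructed.

```python
import json

# Monero Stratum messages as spoken by open-source XMRig (assumption: the
# modified build described above keeps the same JSON-RPC message shapes).
CLIENT_METHODS = {"login": {"login", "pass"}, "submit": {"job_id", "nonce", "result"}}
JOB_FIELDS = {"blob", "job_id", "target"}

def classify(line):
    """Return a Stratum message label for one newline-delimited payload, else None."""
    try:
        msg = json.loads(line)
    except (ValueError, TypeError):
        return None                      # not JSON (HTTP, TLS, binary): ignore
    if not isinstance(msg, dict):
        return None
    method, params = msg.get("method"), msg.get("params")
    if isinstance(params, dict):
        if method in CLIENT_METHODS and CLIENT_METHODS[method].issubset(params):
            return method                # miner -> pool: login or share submit
        if method == "job" and JOB_FIELDS.issubset(params):
            return "job"                 # pool -> miner: new work pushed
    result = msg.get("result")
    if isinstance(result, dict) and isinstance(result.get("job"), dict) \
            and JOB_FIELDS.issubset(result["job"]):
        return "login-reply"             # pool -> miner: first job in login reply
    return None

def find_miners(records):
    """records: (src, dst, payload) tuples. Flag flows with a login plus work traffic."""
    seen = {}
    for src, dst, payload in records:
        for line in payload.splitlines():
            label = classify(line)
            if label:
                seen.setdefault(tuple(sorted((src, dst))), set()).add(label)
    return sorted(flow for flow, labels in seen.items()
                  if "login" in labels and labels & {"job", "login-reply", "submit"})

# Constructed sample records (documentation address ranges, placeholder wallet).
SAMPLE = [
    ("192.0.2.10:49211", "198.51.100.7:3333",
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"updater/1.0"}}'),
    ("198.51.100.7:3333", "192.0.2.10:49211",
     '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"s1","job":{"blob":"00","job_id":"j1","target":"ffff0000"},"status":"OK"}}'),
    ("192.0.2.11:50100", "203.0.113.5:443", '{"jsonrpc":"2.0","method":"login","params":{"user":"alice"}}'),
    ("192.0.2.12:50200", "203.0.113.9:80", "GET / HTTP/1.1\r\nHost: example.test"),
]
print(find_miners(SAMPLE))
```

Requiring both a login and a job or submit message on the same flow keeps ordinary JSON-RPC APIs that happen to have a `login` method from being flagged; miners tunnelled over TLS need endpoint or proxy visibility instead.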

The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats delivered via supply chain attacks through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect threats even without any engine or pattern update. Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and blocking all related malicious URLs.

