The Winnti group used a previously undocumented and unreported backdoor named PortReuse to compromise a high-profile, Asia-based mobile hardware and software manufacturer, presumably as a jump-off point for launching supply chain attacks. This is what researchers at ESET found after an in-depth analysis of the Winnti group’s operations.
PortReuse, a modular backdoor, is unique in that it doesn’t create processes to establish a connection with its Winnti-owned or controlled client like what many backdoors typically do. Instead, it rides on already open TCP ports by injecting itself into active, existing, and legitimate processes, reuses the ports, then waits for a “magic packet” (received data that is specific to the MAC address of a computer’s network card) before executing its malicious activities. ESET’s Marc-Etienne M. Léveillé and Mathieu Tartare further explained in their report, “The legitimate traffic is forwarded to the real application, so it is effectively not blocking any legitimate activity on the compromised server.”
To obfuscate its trail, PortReuse only writes a single file to the computer’s disks, and the rest reside in the memory. It doesn’t have command-and-control (C&C) servers coded into the malware as it abuses NetAgent, a third-party utility, to handle how the malware listens on open ports. The malware also abuses VMProtect packer to deter analysis and reverse engineering.
Another significant detail they uncovered is the final payload of Winnti group’s supply chain attacks: a modified version of XMRig, an open-source cryptocurrency miner. This is unlike their previous campaigns, as the Winnti group is known for its cyberespionage operations. The researchers surmised that they use these cryptocurrency-mining operations to fund their infrastructures and operations.
The Winnti group — also known as APT41, BARIUM, and Blackfly, among other aliases — is tied to several supply chain attacks where a vendor’s legitimate online infrastructures are compromised in order to embed malware into their legitimate software.
The Winnti group is known for targeting the gaming industry, and has been involved in incidents such as the ShadowHammer backdoor that was embedded in an update utility tool; and ShadowPad, which was embedded into the PC cleanup tool CCleaner and NetSarang’s server management software. The Winnti malware, after which the group is named, has also undergone various updates over the years, including its abuse of Github as conduit for its C&C communications. In Léveillé and Tartare’s report, ShadowPad also underwent multiple updates this year, based on the timestamps of the samples.
Supply chain attacks exploit the trust between vendors and customers. They pose significant security and privacy risks not only to the end users who inadvertently download and install trojanized software, but also to the enterprises that create and deliver the software.
Supply chain attacks also adversely affect the integrity and availability of the products or services enterprises provide. They can, for example, expose sensitive medical information — or even endanger patient health by disrupting operations — if carried out against a healthcare facility, or, in Magecart’s case, expose the customers’ personally identifiable information and financial data. The negative impact could also be exacerbated by the stringent penalties that enterprises can incur from data privacy regulations, such as the EU General Data Protection Regulation (GDPR).
Here are some security recommendations that organizations can adopt to mitigate the risks posed by supply chain attacks:
The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats delivered via supply chain attacks through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect threats even without any engine or pattern update. Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and blocking all related malicious URLs.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.