Researchers from ESET have released new details about the Winnti Group which is known for its supply chain attacks.
A brief overview
The white paper released by ESET provides technical analysis of new malware strains used by the Winnti group. Researchers observed that the threat group has added a new backdoor, dubbed PortReuse, to its malware arsenal.
More details about PortReuse and ShadowPad
The PortReuse backdoor does not use a C&C server. Instead, it injects into an existing process so that it can “reuse” a port that process already has open, and then waits for an incoming connection carrying a “magic” packet. The backdoor employs two techniques to parse incoming data in search of that magic packet.
“To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix,” researchers said.
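An added example, not code from ESET's paper or from the Winnti tooling: a Python check that parses a constructed `netsh http show servicestate` snapshot and flags registered HTTP.sys URL prefixes that are missing from a host allowlist, since a handler registered with HttpAddUrl on an already-open port leaves exactly such a prefix behind. The sample output layout (a "Registered URLs:" header followed by one indented prefix per line) and the allowlist contents are assumptions.

```python
import re

# Constructed sample in the shape of `netsh http show servicestate` output
# (assumption: a "Registered URLs:" header followed by one URL prefix per line).
SAMPLE_SERVICESTATE = """\
Server session ID: FF00000020000001
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Registered URLs:
            HTTP://+:5985/WSMAN/
            HTTP://+:80/Temporary_Listen_Addresses/
    URL group ID: FE00000040000002
        State: Active
        Registered URLs:
            HTTP://+:80/update/
"""

# Constructed allowlist of URL prefixes the team expects on this host.
EXPECTED_PREFIXES = {
    "http://+:5985/wsman/",
    "http://+:80/temporary_listen_addresses/",
}

_URL_LINE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE)


def parse_registered_urls(text: str) -> list[str]:
    """Return every URL prefix listed under a 'Registered URLs:' header."""
    urls = []
    in_block = False
    for line in text.splitlines():
        if line.strip() == "Registered URLs:":
            in_block = True
            continue
        if in_block:
            m = _URL_LINE.match(line)
            if m:
                urls.append(m.group(1))
            else:
                in_block = False  # first non-URL line ends the block
    return urls


def unexpected_prefixes(text: str, expected: set[str]) -> list[str]:
    """URL prefixes in the snapshot that are absent from the allowlist."""
    expected_lc = {e.lower() for e in expected}
    return [u for u in parse_registered_urls(text) if u.lower() not in expected_lc]


if __name__ == "__main__":
    for u in unexpected_prefixes(SAMPLE_SERVICESTATE, EXPECTED_PREFIXES):
        print("unexpected URL prefix:", u)
```

On a real host, feed the function the actual `netsh http show servicestate` output and treat any hit on a port the system already serves (80, 443, 5985) as worth a closer look at the owning process.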
On the other hand, the ShadowPad malware retrieves the IP address and the protocol of the C&C server to use by parsing web content set up by the attackers. Researchers noted that the Winnti Group has updated ShadowPad with changes that include the randomization of module identifiers.