Winnti Group Playing the Long-Term Game

A new modular backdoor - PipeMon - was discovered this year in February. This was used by the Winnti group, as a Print Processor.

What is happening

The backdoor was used by the Winnti group against various video gaming companies based in Taiwan and South Korea and develop Massively Multiplayer Online (MMO) games. These video games have thousands of simultaneous players. 

Recent attacks

  • At least in one case, the group compromised a user’s build system leading to a supply-chain attack. 
  • Taiwanese authorities have claimed that the Winnti group was behind a ransomware attack on Taiwan’s state oil company. 
  • The Winnti group has been active since 2012 and is responsible for the propagation of trojanized software, such as CCleaner and ASUS LiveUpdate.
  • It was also discovered that a campaign of the group was targeting Hong Kong universities with Winnti and ShadowPad malware.  

Worth noting

  • PipeMon is a modular backdoor where each module is a single DLL exporting a function called IntelLoader and is loaded using a reflective technique.
  • The backdoor’s configuration is encrypted and embedded in the loader DLL.
  • Some machines compromised with PipeMon were also found to have a custom AceHash build signed with a Wemade IO stolen certificate.

In essence

The new implant reveals that the Winnti group is completely functional and actively developing new tools using open-source projects. They are not dependent on just Winnti and ShadowPad malware.