PipeMon is a modular backdoor that is signed with a certificate belonging to a video game company, which was compromised by Winnti group in 2018. Researchers at ESET discovered this backdoor used in attacks on companies in South Korea and Taiwan that develop popular Massively Multiplayer Online games. They named the backdoor PipeMon because the malware author used “Monitor” as the name of the Visual Studio project, and multiple named pipes were used for inter-module communication. Every observed module exhibits different functionalities, and it is a single DLL exporting a function called IntelLoader and is loaded using a reflective loading technique. During the installation, the loader drops the malware into Windows Print Processors folder and setup.dll registers the malicious DLL loader as an alternative Print Processor.
The Winnti group has been active since at least 2011 targeting primarily the video game and software industry with rare attacks on the healthcare and education sectors. They are infamous for high-profile supply-chain attacks and trojanizing popular software. Their operation ShadowHammer affected tens of thousands of systems around the world, and last fall, the Winnti group used PortReuse malware in the attack on a major mobile hardware and software manufacturer based in Asia. During the investigation of the latest campaign, researchers discovered at least one instance where the group was able to compromise an organization’s build system and had the possibility to plant malware inside the video game executable.
Threat Hunting rule by Ariel Millahuel enables your security solution to detect the registration of PipeMon modular backdoor as an alternative Print Processor: https://tdm.socprime.com/tdm/info/3iqBPbAHTzrB/huahUHIBv8lhbg_icOaz/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio,
EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Defense Evasion
Techniques: Modify Registry (T1112), Obfuscated Files or Information (T1027)
Actors: Winnti Group
More Threat Hunting Content on our blog: https://socprime.com/tag/threat-hunting-content/