PortReuse Malware Discovered in Recent Winnti Campaign

Delaware, USA – October 16, 2019 – Chinese cyber espionage group Winnti used a new Windows backdoor in the attack on a major mobile hardware and software manufacturer based in Asia. ESET team discovered PortReuse malware during an investigation of supply-chain attacks conducted by the group. The researchers found that the attackers used the same packer as in some past attacks, including the campaign targeted at game developers. Analysis of PortReuse backdoor and subsequent scanning of the Internet in search of infected servers revealed the target of the malicious campaign. ESET suggests that Winnti was preparing another massive supply-chain attack, similar to the Operation Shadowhammer. PortReuse malware is a passive network implant that doesn’t affect on regular traffic, it injects code into a process that is listening on a network port and waits for an incoming specific packet to trigger the malicious code. Such a backdoor does not need command-and-control infrastructure and provides attackers with access to the server from any IP address from which the activating “sleeping agent” packet will be sent. ESET team discovered several versions of PortReuse, each of which is designed for a specific port or service, including RDP, HTTPS, HTTP, and DNS.

The researchers also found that attackers are updating their other tools, such as the ShadowPad backdoor that was used in many campaigns. Chinese groups are now actively conducting campaigns not only in Asian region. Crowdstrike cybersecurity firm reports about large-scale operation aimed at aerospace-related targets worldwide using PlugX and Winnti malware. You can find out more about the techniques used by the group and the rules for their detection in the MITRE ATT&CK section on Threat Detection Marketplace: https://tdm.socprime.com/att-ck/