Winnti Group Adds New Backdoor Dubbed ‘PortReuse’ to its Malware Arsenal

• Researchers determined that a VMProtected packer is used in the PortReuse backdoor.
• The Winnti Group has also updated the ShadowPad malware with changes that include the randomization of module identifiers.

What’s new?

Researchers from ESET have released new details about the Winnti Group which is known for its supply chain attacks.

A brief overview

The white paper released by ESET provides technical analysis of new malware strains used by the Winnti group. Researchers observed that the threat group has added a new backdoor dubbed PortReuse to its malware arsenal.

• Researchers determined that a unique packer is used in the PortReuse backdoor.
• After further analysis, they discovered a VMProtected packer that decrypts position-independent code using RC5, with a key based on a static string and the volume serial number of the victim’s hard drive.
• Researchers noted that this is the same algorithm that was used by the second stage malware in the attacks against video game developers in 2018.
• They also observed another payload ‘ShadowPad malware’ with the same VMProtected packer.

More details about PortReuse and ShadowPad

The PortReuse backdoor does not use a C&C server. It waits for an incoming connection that sends a “magic” packet by injecting into an existing process to “reuse” a port that is already open. The backdoor employs two techniques to parse incoming data to search for the magic packet.

“To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix,” researchers said.

On the other hand, the ShadowPad malware retrieves the IP address and the protocol of the C&C server to use by parsing content from the Web set up by the attackers. Researchers noted that the Winnti Group has updated the ShadowPad malware with changes that include the randomization of module identifiers.