Light Dark
October 15, 2019 By David Bisson 2 min read

Researchers discovered that the Winnti Group used a new backdoor called PortReuse to target the gaming industry in Asia.

ESET came across the backdoor while investigating a series of supply chain attacks launched by the Winnti Group against Asia’s gaming industry. Over the course of that analysis, researchers found a unique packer and tried to determine whether it had been used in other attacks. This led them to discover that the packer actually functioned as a component of PortReuse.

Seeking to understand how PortReuse makes its way onto compromised hosts and communicates with its handlers, the researchers uncovered a VMProtected packer that decrypts position-independent code using RC5. They also observed that PortReuse doesn’t use a command-and-control (C&C) server. Instead, it injects itself into an existing process for the purpose of reusing that port so it can wait for incoming messages and send a “magic” packet.

A Closer Look at Recent Winnti Group Threat Activity

This is just the latest attempt by security researchers to better understand how Winnti Group operates. Many of these efforts have proven fruitful.

In March 2019, for instance, ESET first came across the payload that ultimately led it to PortReuse after spotting supply chain attacks that targeted two games and one gaming platform application. About a month later, Kaspersky Lab detected a supply chain attack against an Asian manufacturer; this campaign used a backdoor that was actually an updated version of ShadowPad, Winnti’s flagship backdoor. Then, in May, Chronicle identified a cluster of Winnti malware samples that specifically targeted Linux machines.

How to Defend Against a Backdoor Like PortReuse

Security researchers can help protect their organizations against a Winnti implant like PortReuse by using a unified endpoint management (UEM) tool to monitor how all assets interact with the IT environment and remediate any suspicious activity. Organizations should also seek to shield their data from the prying eyes of malware by obfuscating and encrypting the organization’s sensitive information.

David Bisson
Contributing Editor

More from

November 26, 2024

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - Quick recapThis blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this additional content. As a reminder, PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device,…

November 26, 2024

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

November 25, 2024

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature