Researchers discovered that the Winnti Group used a new backdoor called PortReuse to target the gaming industry in Asia.

ESET came across the backdoor while investigating a series of supply chain attacks launched by the Winnti Group against Asia’s gaming industry. Over the course of that analysis, researchers found a unique packer and tried to determine whether it had been used in other attacks. This led them to discover that the packer actually functioned as a component of PortReuse.

Seeking to understand how PortReuse makes its way onto compromised hosts and communicates with its handlers, the researchers uncovered a VMProtected packer that decrypts position-independent code using RC5. They also observed that PortReuse doesn’t use a command-and-control (C&C) server. Instead, it injects itself into an existing process for the purpose of reusing that port so it can wait for incoming messages and send a “magic” packet.

A Closer Look at Recent Winnti Group Threat Activity

This is just the latest attempt by security researchers to better understand how Winnti Group operates. Many of these efforts have proven fruitful.

In March 2019, for instance, ESET first came across the payload that ultimately led it to PortReuse after spotting supply chain attacks that targeted two games and one gaming platform application. About a month later, Kaspersky Lab detected a supply chain attack against an Asian manufacturer; this campaign used a backdoor that was actually an updated version of ShadowPad, Winnti’s flagship backdoor. Then, in May, Chronicle identified a cluster of Winnti malware samples that specifically targeted Linux machines.

How to Defend Against a Backdoor Like PortReuse

Security researchers can help protect their organizations against a Winnti implant like PortReuse by using a unified endpoint management (UEM) tool to monitor how all assets interact with the IT environment and remediate any suspicious activity. Organizations should also seek to shield their data from the prying eyes of malware by obfuscating and encrypting the organization’s sensitive information.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…