ESET researchers who spotted the new Winnti Group malware dubbed PortReuse describe it as "a network implant that injects itself into a process that is already listening on a network port and waits for an incoming magic packet to trigger the malicious code."
Because PortReuse passively listens for a magic packet before activating, it belongs to the class of malware known as passive network implants, which do not interfere with legitimate traffic.
If it does not see the packet designed to trigger its malicious behavior, PortReuse leaves the compromised server's traffic alone and forwards every uninteresting packet on to the application that should receive it.
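Because the implant shares a legitimate listening port and only reacts to its trigger, a port inventory alone will not reveal it; one defensive heuristic is to flag inbound payloads on a known service port that do not conform to the protocol that service speaks. The following is an added example written for this article, not ESET's or the malware's code; the packet records and the trigger bytes are constructed, since the real magic-packet format is not described here.

```python
# Added example: protocol-conformance check for traffic to a service port.
# A passive implant such as PortReuse hides behind the real listener (here a
# web server on port 80) and reacts only to a "magic" packet, so payloads on
# that port that are not valid HTTP are worth a closer look.
from dataclasses import dataclass
import re

# A well-formed HTTP/1.x request line opens the client side of the stream.
HTTP_START = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes  # first bytes of the client-to-server stream


def looks_like_http(payload: bytes) -> bool:
    """True when the stream starts with a well-formed HTTP/1.x request line."""
    return HTTP_START.match(payload) is not None


def find_non_conforming(packets, port=80, checker=looks_like_http):
    """Return packets sent to `port` whose payload fails the protocol check.
    Empty payloads (bare handshakes, keep-alives) are ignored."""
    return [p for p in packets if p.dst_port == port and p.payload and not checker(p.payload)]


# Constructed sample traffic for one web server. The last record stands in for
# an unexpected trigger packet; its bytes are hypothetical, not the real magic packet.
SAMPLE = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.6", 80, b"POST /api HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.7", 80, b""),
    Packet("203.0.113.9", 80, b"\x00\x00\xbe\xef" + b"\x00" * 12),
]

if __name__ == "__main__":
    for p in find_non_conforming(SAMPLE):
        print(f"non-HTTP payload to port 80 from {p.src}: {p.payload[:8]!r}")
```

The same check can be pointed at another port by supplying a different `checker` for that port's protocol.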
The backdoor is dropped in one of three forms: embedded in a .NET application designed to launch the Winnti packer shellcode, as a VB script that launches the shellcode through a .NET object, or as "an executable that has the shellcode directly at the entry point."
Winnti Group hackers have updated their arsenal with a new modular Windows backdoor that they used to infect the servers of a high-profile Asian mobile hardware and software manufacturer.
ESET researchers describe updates to the malware arsenal and campaigns of the Winnti Group known for its supply-chain attacks.