silversurfer
ESET researchers who spotted the new malware dubbed PortReuse by Winnti Group also discovered that it is "a network implant that injects itself into a process that is already listening on a network port and waits for an incoming magic packet to trigger the malicious code."
Because PortReuse passively listens for a magic packet to activate it, this type of malware is also known as a passive network implant that will not interfere with legitimate traffic.
If it doesn't detect the packet designed to initiate its malicious behavior, PortReuse will not meddle with the compromised server's traffic and will automatically forward all uninteresting packets to the app that should receive them.
The backdoor malware is being dropped embedded in a .NET app designed to launch the Winnti packer shellcode, as a VB script that launches the shellcode using a .NET object, or in the form of "an executable that has the shellcode directly at the entry point."
Winnti Group Uses New PortReuse Malware Against Asian Manufacturer
Winnti Group hackers have updated their arsenal with a new modular Windows backdoor that they used to infect the servers of a high-profile Asian mobile hardware and software manufacturer.
www.bleepingcomputer.com
Connecting the dots: Exposing the arsenal and methods of the Winnti Group
ESET researchers describe updates to the malware arsenal and campaigns of the Winnti Group known for its supply-chain attacks.
www.welivesecurity.com
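The defining trait described above is that PortReuse does not open a port of its own: it lives inside a process that is already listening, so a port scan or firewall log shows nothing unusual. One host-side triage heuristic that follows from that description is to enumerate listening processes and check whether any of them has a module loaded from an unexpected location. The script below is an added illustration written for this thread, not code from ESET, BleepingComputer or the Winnti research; the netstat-style lines, the module inventory and the list of trusted path prefixes are all constructed sample data, and the heuristic is a generic starting point rather than a PortReuse signature.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -ano`-style output (not taken from the article).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       732
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED     4
"""

# Constructed per-process module inventory, as a DLL-listing or memory-scan
# tool would report it. Keys are PIDs, values are the loaded module paths.
MODULE_INVENTORY: Dict[int, List[str]] = {
    1204: [
        r"C:\Windows\System32\inetsrv\w3wp.exe",
        r"C:\Windows\System32\ntdll.dll",
        r"C:\Users\Public\Libraries\netcfg.dll",  # constructed: odd location
    ],
    732: [
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\ntdll.dll",
    ],
}

# Assumed allow-list of directories a listening service is expected to load
# code from; tune this to the host's real software inventory.
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
)

# Matches only TCP sockets in LISTENING state and captures port and PID.
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.MULTILINE
)


def listening_pids(netstat_text: str) -> Dict[int, Set[int]]:
    """Map each PID that owns a listening TCP socket to its set of ports."""
    result: Dict[int, Set[int]] = {}
    for port, pid in _LISTEN_RE.findall(netstat_text):
        result.setdefault(int(pid), set()).add(int(port))
    return result


def unexpected_modules(modules: List[str]) -> List[str]:
    """Return modules whose path does not start with a trusted prefix."""
    return [
        m for m in modules
        if not m.lower().startswith(TRUSTED_PREFIXES)
    ]


def flag_listening_processes(
    netstat_text: str, inventory: Dict[int, List[str]]
) -> List[Tuple[int, Set[int], List[str]]]:
    """Flag listening processes that carry a module from an untrusted path.

    Each hit is (pid, listening ports, suspicious module paths). Processes
    with no inventory entry are skipped; in practice that gap is itself
    worth following up.
    """
    hits = []
    for pid, ports in sorted(listening_pids(netstat_text).items()):
        odd = unexpected_modules(inventory.get(pid, []))
        if odd:
            hits.append((pid, ports, odd))
    return hits


if __name__ == "__main__":
    for pid, ports, odd in flag_listening_processes(NETSTAT_SAMPLE, MODULE_INVENTORY):
        print(f"PID {pid} listening on {sorted(ports)} has unexpected modules: {odd}")
```

On the constructed data the web-server process (PID 1204, ports 80 and 443) is reported because it has a module under `C:\Users\Public`, while the RDP listener (PID 732) is clean. A path allow-list is deliberately crude; in a real investigation the same loop would feed each flagged module into signature verification and a memory check for unbacked executable regions, since an implant injected purely in memory may not appear in the module list at all.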