
PortReuse

Posted: October 15, 2019

The Winnti Group (whose activity overlaps with the cluster FireEye tracks as APT41) is one of the best-known Chinese threat groups. Their name has appeared in the media since 2010, when their campaigns were first analyzed. The 'Winnti Group' name is derived from one of the notorious pieces of malware that the group employed in its attacks: the Winnti malware was first publicly documented in 2013, and it has become one of the trademark tools of this organization. However, there is little new to be said about the Winnti malware itself and, instead, this post focuses on a more recent tool that the Winnti Group has been using, the PortReuse backdoor Trojan.

PortReuse Uses the Open Ports of Legitimate Tools for Its Threatening Connections

Most backdoor Trojans offer a wide range of functions and are controlled over a persistent connection to a remote Command & Control server. PortReuse is designed differently, in a way that trades capability for stealth. Instead of maintaining an active and noisy connection to a remote server, the backdoor sits passively and waits for the attackers to send it a 'magic' packet, a specially crafted packet that triggers the malicious portion of PortReuse's code. Until that packet arrives the implant generates no outbound beaconing, so there is no C&C traffic for network monitoring to catch; the price is that the operators must be able to reach the infected host directly, which limits the backdoor to machines with a reachable listening port.

Rather than opening a listening port of its own, PortReuse hooks into a process that already owns an open TCP port and inspects that port's incoming traffic for the magic packet, handing everything else to the legitimate service unchanged. No new listening socket or process appears in a port inventory, and ordinary clients of the service keep getting normal replies, which reduces the backdoor's footprint and makes it much harder for network security tools to spot anything out of the ordinary. Separate PortReuse samples were found to reuse different TCP ports, each belonging to a common Windows service: 53 (DNS), 80 and 443 (HTTP/HTTPS), 3389 (RDP) and 5985 (WinRM). For defenders this means a listing of open ports will look clean; the anomaly is only visible on the host, as unexpected code loaded into or hooking the receive path of the process that owns the port.

The researchers who analyzed the samples (ESET) reverse-engineered the algorithm PortReuse uses to build the magic packet. That allowed them to send the packet themselves and scan for hosts that answered with the implant's reply; every IP address that responded belonged to a major Asian manufacturer of mobile hardware and software. It is likely that the Winnti Group was preparing a supply-chain attack, using the implant to perform reconnaissance on the company's network and introducing additional payloads at a later stage.
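The two ideas above, a passive implant that shares a legitimate port and answers only a keyed trigger, and a scanner that finds it by sending that trigger, as a small added model. This is illustration code written for this post, not PortReuse's code or the researchers' scanner: the trigger layout (tag, nonce, truncated HMAC), the key, the banner the implant returns and the host names are all constructed assumptions, and the real PortReuse packet format is not described on this page.

```python
import hashlib
import hmac
from typing import Callable, Dict

# Hypothetical trigger layout (an assumption for this example, not PortReuse's
# real format): 4-byte tag | 8-byte nonce | 16-byte truncated HMAC-SHA256.
MAGIC_TAG = b"\x7fMGK"
TRIGGER_LEN = 4 + 8 + 16
IMPLANT_KEY = b"operator-shared-secret"     # constructed: secret shared by implant and operator
IMPLANT_BANNER = b"\x00\x01IMPLANT-READY"   # constructed: reply only the implant ever sends

Handler = Callable[[bytes], bytes]


def make_trigger(nonce: bytes, key: bytes = IMPLANT_KEY) -> bytes:
    """Build the magic packet an operator, or a scanner that has recovered
    the format and key, sends to wake the implant."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    mac = hmac.new(key, MAGIC_TAG + nonce, hashlib.sha256).digest()[:16]
    return MAGIC_TAG + nonce + mac


def is_trigger(data: bytes, key: bytes = IMPLANT_KEY) -> bool:
    """Implant-side check. Anything that does not verify is treated as
    ordinary traffic, so a wrong key or a random probe gets no special reply."""
    if len(data) < TRIGGER_LEN or not data.startswith(MAGIC_TAG):
        return False
    nonce, mac = data[4:12], data[12:TRIGGER_LEN]
    expected = hmac.new(key, MAGIC_TAG + nonce, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(mac, expected)


def legit_http(data: bytes) -> bytes:
    """Stand-in for the service that really owns the port (think of a web
    server on 80/443). It answers well-formed requests and rejects the rest."""
    if data.startswith(b"GET ") and data.endswith(b"\r\n\r\n"):
        return b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def implanted_recv(data: bytes, service: Handler = legit_http) -> bytes:
    """What the hooked receive path of an implanted process does: claim the
    trigger, pass every other byte sequence to the legitimate service
    unchanged. No new socket, no new port, no outbound beacon."""
    if is_trigger(data):
        return IMPLANT_BANNER
    return service(data)


def scan(hosts: Dict[str, Handler], nonce: bytes,
         key: bytes = IMPLANT_KEY) -> Dict[str, bool]:
    """Scanner side: send the reconstructed trigger to each host and flag the
    ones whose answer is the implant's rather than the legitimate service's."""
    probe = make_trigger(nonce, key)
    return {name: recv(probe) == IMPLANT_BANNER for name, recv in hosts.items()}


if __name__ == "__main__":
    hosts: Dict[str, Handler] = {
        "web-01": legit_http,      # constructed: uncompromised server
        "web-02": implanted_recv,  # constructed: same service with the implant hooked in
    }
    request = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    # Ordinary traffic is indistinguishable on both hosts...
    assert implanted_recv(request) == legit_http(request)
    # ...only the trigger tells them apart, and only with the right key.
    print(scan(hosts, b"\x00" * 8))
    print(scan(hosts, b"\x00" * 8, key=b"wrong-key"))
```

Two points the model makes concrete: a normal request gets byte-identical answers from the clean and the implanted host, which is why port inventories and service-level monitoring see nothing, and the scan only works once the trigger construction (here, the key) is known, which is why recovering the algorithm was the step that exposed the infected hosts.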
