ESET researchers have dissected the updated arsenal of the Winnti Group – known for its espionage capability and targeted attacks – in a new whitepaper.
In March 2019, ESET researchers warned about Winnti’s new supply-chain attacks targeting video game players in Asia. Following this publication, ESET research continued its investigation in two directions. First, to explore the next stages delivered by this attack. Second, to discover how organisations’ digital supply chains have been compromised to deliver malware in their applications.
“It is not an easy task. Searching for a small piece of well-hidden code added to a sometimes huge, existing code base is like finding a needle in a haystack. However, we relied on behaviours and code similarity to help us spot the needle,” said Marc-Étienne Léveillé, an ESET researcher who investigated the Winnti Group.
“Since we were intrigued by the unique packer used in the recent supply-chain attacks against the gaming industry in Asia, we went on the hunt to find out if it was used elsewhere. And it was,” he added.
The Winnti Group uses this packer in a backdoor dubbed PortReuse. In collaboration with Censys, ESET performed an Internet-wide scan to try to identify one variant of the backdoor, and potential victims. ESET researchers were able to warn one major mobile software and hardware manufacturer in Asia that they had been compromised with PortReuse. ESET also analysed new variants of Shadowpad, another backdoor used by the Winnti Group, still being maintained and actively used by its operators.
For more technical details, read ESET’s blogpost, “Connecting the dots: exposing the arsenal and methods of the Winnti Group” on WeLiveSecurity.
PCR’s Top Women in Tech 2019: We’ll be highlighting 25 women that have made a positive impact in the industry over the past year, and we need YOU to submit yourself or your colleagues. Email firstname.lastname@example.org now to find out how to submit your entry.
Read the latest edition of PCR’s monthly magazine below: