BRATISLAVA, MONTREAL, October 14, 2019 – ESET researchers are always on the lookout for new supply-chain attacks, and in their latest discovery, they dissect the updated arsenal of the Winnti Group. The group is known for its espionage capability and targeted attacks, although financial motivation cannot be excluded.
Already in March 2019, ESET researchers warned about Winnti’s new supply-chain attacks targeting video game players in Asia. Following this publication, ESET research continued its investigation in two directions. First, to explore the next stages delivered by this attack. Second, to discover how organizations’ digital supply chains have been compromised to deliver malware in their applications.
“It is not an easy task. Searching for a small piece of well-hidden code added to a sometimes huge, existing code base is like finding a needle in a haystack. However, we relied on behaviors and code similarity to help us spot the needle,” says Marc-Étienne Léveillé, an ESET researcher who investigated the Winnti Group. “Since we were intrigued by the unique packer used in the recent supply-chain attacks against the gaming industry in Asia, we went on the hunt to find out if it was used elsewhere. And it was,” he adds.
The Winnti Group uses this packer in a backdoor dubbed PortReuse. In collaboration with Censys, ESET performed an Internet-wide scan to try to identify one variant of the backdoor, and potential victims. ESET researchers were able to warn one major mobile software and hardware manufacturer in Asia that they had been compromised with PortReuse. ESET also analyzed new variants of Shadowpad, another backdoor used by the Winnti Group, still being maintained and actively used by its operators.
For more technical details, read the blogpost, “Connecting the dots: exposing the arsenal and methods of the Winnti Group” on WeLiveSecurity, and find the whitepaper here. The paper details the group’s latest additions, showing the relationships among the incidents, the malware and the techniques at use. Make sure to follow ESET research on Twitter for the latest news from ESET Research.