How to implement Winnti Group new variant analysis

Winnti Group’s new modular backdoor PipeMon was discovered in February 2020. Its main targets are Korean and Taiwanese multiplayer online gaming and video companies, and the malware can launch attacks on the supply chain. Attackers can embed Trojans in published games, or attack game servers, and use game currency to obtain financial benefits. The Winnti Group has been active since 2012 and targets supply chain attacks in the software industry. Recently, ESET researchers also discovered attacks targeting several universities in Hong Kong.

Technical Analysis

Two variants of PipeMon were discovered in targeted companies. The first stage of PipeMon consists of launching a password-protected executable embedded in .rsrc. The startup program will write RARSFX to setup0.exe in the automatically generated directory, provide the password through parameters, and use CreateProcess to execute RARSFX, as shown below:

setup0.exe -p*|T/PMR{|T2^LWJ*

The password for each sample is different, and then set the RARSFX Content extracted to %TMP%\RarSFX0:

CrLnc.dat – Encrypted payload

Duser.dll – UAC bypass

osksupport.dll – UAC bypass

PrintDialog.dll – malware initialization

PrintDialog.exe – legitimate Windows file that loads PrintDialog.dll

setup.dll – installation dll

setup. exe – Main Program

If there is a conflict in the folder name, the number at the end of the RarSFX0 string will be incremented until there are no conflicts. After extracting the file, setup.exe will be executed without parameters, using LoadLibraryA to load setup.dll. After loading, setup.dll will check parameters in the form of ‘-x:n’, n is different in different operating modes. The supported parameters and their corresponding behaviors are shown in Table 1.

RARSFX executes setup.exe without arguments, checking if it is running with privileges. If not, further determine whether the Windows version is earlier than Windows 7 build 7601. If the conditions are met, token impersonation will be used to obtain permissions. Otherwise it will try to use a different UAC bypass technique, which installs the payload into one of the following:

C:\Windows\System32\spool\prtprocs\x64\DEment.dll

C:\Windows\System32\spool\prtprocs\x64\EntAppsvc.dll

C:\Windows\System32\spool\prtprocs\x64\Interactive.dll

The attacker did not randomly select the location of the malicious DLL. setup.dll registers the DLL loader as an alternate printer by setting the following registry value:

HKLM\SYSTEM\ControlSet001\ Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll”

##HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\ Driver = "EntAppsvc.dll"

Please note the typo in PrintFiiterPipelineSvc (it has no effect on the installation of the print processor since any name can be used).

After registering the print processor, PipeMon restarts the print spooler service (spoolsv.exe), which will load the malicious printing process. The Print Spooler service starts every time the PC boots up, ensuring the persistence of malicious programs. Depending on the installer, CrLnc.dat is written to the following location in the registry:

HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8

HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52D

The entire PipeMon execution process is shown in the figure below:

PipeMon

PipeMon is a modular backdoor. Each module is a DLL that can export the IntelLoader function and use reflective loading technology to load. Each module has different functions, as shown in Table 2.

The loader responsible for loading the main modules (ManagerMain and GuardClient) is Win32CmdDll.dll, located in the print processor directory. These modules are stored encrypted in the same location and are named as follows:

banner.bmp

certificate.cert

License.hwp

JSONDIU7c9djE

D8JNCKS0DJE

B0SDFUWEkNCj.logN

.hwp is an extension used by Korean word processing programs and is very popular in Korea. The module is encrypted by R** and the decryption key is ‘Com! 123Qasdz’ is hardcoded in each module. Win32CmDll.dll decrypts and injects the ManagerMain and GuardClient modules. The ManagerMain module is responsible for decrypting and injecting the Communication module, while the GuardClient module will ensure that the Communication module is running and reloaded if necessary. The diagram below outlines how PipeMon works.

Win32CmDll.dll first attempts to inject the ManagerMain and GuardClient modules into a process named one of the following: lsass.exe, wininit.exe, or lsm.exe. If that fails, it will try to inject one of the registered Windows service processes, excluding processes named spoolsv.exe, ekrn.exe (ESET), avp.exe (Kaspersky), or dllhost.exe. If all else fails, it will try the processes taskhost.exe, taskhostw.exe or explorer.exe.

Additional modules can be loaded on demand using dedicated commands, but none of them have been discovered yet. Modules communicate through named pipes. The communication channel between each module uses two named pipes, one for sending and one for receiving.

Received %CNC_DEFINED% string from C&C server, variable %B64_TIMESTAMP% is base64 encoded timestamp:

Communication The module is responsible for managing communication between the C&C server and other modules through pipes, and its C&C address is hard-coded in the ManagerMain module. The communication protocol is TLS over TCP, handled via the HP-Socket library. All messages are R** encrypted using hardcoded keys. If the transfer content is greater than or equal to 4KB, zlib is used to compress it first.

Initiate communication with the C&C server, first sending a beacon message containing the following information:

OS version

physical addresses of connected network adapters concatenated with �4_TIMESTAMP%

victim's local IP address

backdoor version/campaign ID; we've observed the following values

“1.1.1.4beat”

“1.1.1.4Bata”

“1.1.1.5”

Victim computer name

The commands supported are as follows:

The attacker also used an updated version of PipeMon, with R** replaced by a simple XOR with 0x75E8EEAF as the key, all hardcoded strings removed, and modules named with random values. communication channels. Only the main loader is stored on disk as a file, and the updated modules are described in the following table:

C&C communication format changes:

The backdoor configuration is encrypted and embedded into the loader DLL.

Both the PipeMon module and the installer use the same signature, and the certificate may have been stolen by the Winnti organization in a previous attack.

The above is the detailed content of How to implement Winnti Group new variant analysis. For more information, please follow other related articles on the PHP Chinese website!