Winnti Group’s new modular backdoor PipeMon was discovered in February 2020. Its main targets are Korean and Taiwanese multiplayer online gaming and video companies, and the malware can launch attacks on the supply chain. Attackers can embed Trojans in published games, or attack game servers, and use game currency to obtain financial benefits. The Winnti Group has been active since 2012 and targets supply chain attacks in the software industry. Recently, ESET researchers also discovered attacks targeting several universities in Hong Kong.
Two variants of PipeMon were discovered in targeted companies. The first stage of PipeMon consists of launching a password-protected executable embedded in .rsrc. The startup program will write RARSFX to setup0.exe in the automatically generated directory, provide the password through parameters, and use CreateProcess to execute RARSFX, as shown below:
setup0.exe -p*|T/PMR{|T2^LWJ*
The password for each sample is different, and then set the RARSFX Content extracted to %TMP%\RarSFX0:
CrLnc.dat – Encrypted payload
Duser.dll – UAC bypass
osksupport.dll – UAC bypass
PrintDialog.dll – malware initialization
PrintDialog.exe – legitimate Windows file that loads PrintDialog.dll
setup.dll – installation dll
setup. exe – Main Program
If there is a conflict in the folder name, the number at the end of the RarSFX0 string will be incremented until there are no conflicts. After extracting the file, setup.exe will be executed without parameters, using LoadLibraryA to load setup.dll. After loading, setup.dll will check parameters in the form of ‘-x:n’, n is different in different operating modes. The supported parameters and their corresponding behaviors are shown in Table 1.
RARSFX executes setup.exe without arguments, checking if it is running with privileges. If not, further determine whether the Windows version is earlier than Windows 7 build 7601. If the conditions are met, token impersonation will be used to obtain permissions. Otherwise it will try to use a different UAC bypass technique, which installs the payload into one of the following:
C:\Windows\System32\spool\prtprocs\x64\DEment.dll
C:\Windows\System32\spool\prtprocs\x64\EntAppsvc.dll
C:\Windows\System32\spool\prtprocs\x64\Interactive.dll
The attacker did not randomly select the location of the malicious DLL. setup.dll registers the DLL loader as an alternate printer by setting the following registry value:
Please note the typo in PrintFiiterPipelineSvc (it has no effect on the installation of the print processor since any name can be used). After registering the print processor, PipeMon restarts the print spooler service (spoolsv.exe), which will load the malicious printing process. The Print Spooler service starts every time the PC boots up, ensuring the persistence of malicious programs. Depending on the installer, CrLnc.dat is written to the following location in the registry:HKLM\SYSTEM\ControlSet001\ Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll”
##HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\ Driver = "EntAppsvc.dll"
HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52DThe entire PipeMon execution process is shown in the figure below:
banner.bmp certificate.cert License.hwp JSONDIU7c9djE D8JNCKS0DJE B0SDFUWEkNCj.logN.hwp is an extension used by Korean word processing programs and is very popular in Korea. The module is encrypted by R** and the decryption key is ‘Com! 123Qasdz’ is hardcoded in each module. Win32CmDll.dll decrypts and injects the ManagerMain and GuardClient modules. The ManagerMain module is responsible for decrypting and injecting the Communication module, while the GuardClient module will ensure that the Communication module is running and reloaded if necessary. The diagram below outlines how PipeMon works.
Win32CmDll.dll first attempts to inject the ManagerMain and GuardClient modules into a process named one of the following: lsass.exe, wininit.exe, or lsm.exe. If that fails, it will try to inject one of the registered Windows service processes, excluding processes named spoolsv.exe, ekrn.exe (ESET), avp.exe (Kaspersky), or dllhost.exe. If all else fails, it will try the processes taskhost.exe, taskhostw.exe or explorer.exe.
Additional modules can be loaded on demand using dedicated commands, but none of them have been discovered yet. Modules communicate through named pipes. The communication channel between each module uses two named pipes, one for sending and one for receiving.
Received %CNC_DEFINED% string from C&C server, variable %B64_TIMESTAMP% is base64 encoded timestamp:
Communication The module is responsible for managing communication between the C&C server and other modules through pipes, and its C&C address is hard-coded in the ManagerMain module. The communication protocol is TLS over TCP, handled via the HP-Socket library. All messages are R** encrypted using hardcoded keys. If the transfer content is greater than or equal to 4KB, zlib is used to compress it first.
Initiate communication with the C&C server, first sending a beacon message containing the following information:
OS version
physical addresses of connected network adapters concatenated with �4_TIMESTAMP%
victim's local IP address
backdoor version/campaign ID; we've observed the following values
“1.1.1.4beat”
“1.1.1.4Bata”
“1.1.1.5”
Victim computer name
The commands supported are as follows:
The attacker also used an updated version of PipeMon, with R** replaced by a simple XOR with 0x75E8EEAF as the key, all hardcoded strings removed, and modules named with random values. communication channels. Only the main loader is stored on disk as a file, and the updated modules are described in the following table:
C&C communication format changes:
The backdoor configuration is encrypted and embedded into the loader DLL.
Both the PipeMon module and the installer use the same signature, and the certificate may have been stolen by the Winnti organization in a previous attack.
The above is the detailed content of How to implement Winnti Group new variant analysis. For more information, please follow other related articles on the PHP Chinese website!