PortReuse

China is well known for its hacking groups. Some operate on their own terms, while others are believed to be sponsored by the Chinese government. One of the more notorious of these groups is the Winnti Group, also tracked as APT41 (Advanced Persistent Threat), which has been gaining prominence since 2010. The group is named after a hacking tool it developed, the Winnti malware, which was first spotted in 2013 and put the Winnti Group on the map. Since then the group has kept developing new tools, one of which is the PortReuse backdoor Trojan.

Its Preference for Stealth

Most backdoor Trojans follow the same pattern: they are operated via a remote C&C (Command & Control) server and tend to have a long list of capabilities. The PortReuse Trojan does not fit this pattern. The Winnti Group appears to prefer stealth over functionality, and has chosen to keep the threat undetected even though this also limits what the PortReuse backdoor can do; with more features it could have been a far more severe threat. The authors of the PortReuse Trojan opted not to use a C&C server to operate the threat, since C&C traffic can be considered 'too noisy.' Instead, they use Wake-on-LAN, also known as magic packets, to trigger execution of the malicious segment of code.

Operates Silently

The operators of the PortReuse Trojan have put further effort into keeping their creation quiet by minimizing the footprint left by its malicious activity. This is achieved by reusing a TCP port that is already open and active; it is on this port that the PortReuse Trojan receives the magic network packet. The authors appear to target the services running on the following TCP ports: 53 (DNS), 80 (HTTP), 443 (HTTPS), 3389 (RDP) and 5985 (WinRM).
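One defensive consequence of the "reuse an already open port" design is that a trigger packet arriving on a service port is unlikely to be a well-formed message of that port's protocol. The following is an added example, not the article's code and not derived from any PortReuse sample: it classifies the first client bytes of constructed TCP flows on the ports listed above and flags those that do not match the protocol the port normally carries. The protocol signatures used are standard (HTTP request methods, a TLS handshake record, an RDP TPKT header, a DNS-over-TCP length prefix); the sample flows and addresses are constructed.

```python
import struct

# Standard leading bytes of the protocols normally carried on these ports.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def looks_like_http(data):
    return data.startswith(HTTP_METHODS)

def looks_like_tls(data):
    # TLS record header: content type 0x16 (handshake), version major 0x03
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def looks_like_rdp(data):
    # TPKT header: version 3, reserved 0, big-endian total length of the PDU
    return (len(data) >= 4 and data[0] == 0x03 and data[1] == 0x00
            and struct.unpack("!H", data[2:4])[0] == len(data))

def looks_like_dns_tcp(data):
    # 2-byte length prefix must cover the rest; the QR bit of a query is 0
    if len(data) < 14:  # prefix + 12-byte DNS header
        return False
    return struct.unpack("!H", data[:2])[0] == len(data) - 2 and not data[4] & 0x80

# The ports the article names, each mapped to the check for its expected protocol.
PORT_CHECKS = {53: looks_like_dns_tcp, 80: looks_like_http, 443: looks_like_tls,
               3389: looks_like_rdp, 5985: looks_like_http}  # WinRM is HTTP on 5985

def find_protocol_mismatches(flows):
    """flows: iterable of (src_ip, dst_port, first_client_bytes).
    Returns the flows on monitored ports whose first bytes fail the check."""
    return [(src, port, data) for src, port, data in flows
            if port in PORT_CHECKS and not PORT_CHECKS[port](data)]

# Constructed sample flows (not captured traffic): four legitimate protocol
# openings and two opaque payloads sent to service ports.
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
    ("10.0.0.6", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ("10.0.0.7", 3389, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01"
                       b"\x00\x08\x00\x03\x00\x00\x00"),
    ("10.0.0.8", 53, b"\x00\x11\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00"
                     b"\x00\x00\x00\x00\x01\x00\x01"),
    ("198.51.100.9", 80, b"\xde\xad\xbe\xef" * 4),
    ("198.51.100.10", 5985, bytes(range(16))),
]

if __name__ == "__main__":
    for src, port, data in find_protocol_mismatches(SAMPLE_FLOWS):
        print(f"{src} -> tcp/{port}: first bytes {data[:8].hex()} do not match the expected protocol")
```

A check like this only sees the first bytes of each flow, so a trigger that is itself well-formed for the port's protocol would pass; treat it as one signal among others rather than a complete detection.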

Malware researchers have succeeded in tracking the IP addresses of the actors behind the PortReuse Trojan by decrypting the threat's malicious payload used for constructing the Wake-on-LAN packet. After studying the recovered data, cybersecurity experts speculate that the Winnti Group may be planning an attack on an Asian corporation that develops mobile software and produces mobile hardware. Some believe the attack may involve multiple stages and several different hacking tools.
