China is well known for its hacking groups. Some operate on their own terms, while others are believed to be sponsored by the Chinese government. One of the more notorious is the Winnti Group, whose activity overlaps with what other vendors track as APT41 (APT stands for Advanced Persistent Threat). The group has been active since at least 2010. It is named after its signature tool, the Winnti malware, which put the group on the map when it was first documented in 2013. Since then, the group has kept developing new tools, one of which is the PortReuse backdoor Trojan.
Its Preference for Stealth
Most backdoor Trojans follow the same pattern: they are operated through a remote C&C (Command & Control) server and carry a long list of capabilities. PortReuse does not. The Winnti Group appears to have preferred stealth over functionality, accepting a less capable backdoor in exchange for one that is much harder to spot. Its authors did not give it a C&C server to call home to, since regular outbound beaconing is 'too noisy.' Instead, the implant sits passively on the victim and waits for an incoming 'magic packet', a specially formed network message that triggers execution of the malicious code. Note that this is not Wake-on-LAN, whose 'magic packets' are broadcast frames that power on a sleeping machine; here the term means a trigger pattern sent to a service port that is already open.
The operators went further to keep the implant low-profile by minimizing the footprint of its malicious activity. Rather than opening a new listening port, which would show up in any port inventory, PortReuse piggybacks on a TCP port that is already open and in use by a legitimate service, and receives the magic packet through that port. Variants have been seen that target services on TCP ports 53 (DNS), 80 (HTTP), 443 (HTTPS), 3389 (RDP) and 5985 (WinRM).
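To make the mechanism concrete, here is an added example (not PortReuse code, and not from the original page) that models the two ideas above in Python: a genuine Wake-on-LAN magic packet, built only to show that it is a different thing, and a toy service that shares one TCP port between a legitimate HTTP responder and a hidden handler that fires only when a request begins with a trigger prefix. The trigger bytes, both handlers and the echoed 'payload' are all constructed for the demo; the real implant's trigger pattern and its hooking method are not reproduced here.

```python
import socket
import threading

# Constructed for this demo only: the prefix the hidden handler waits for.
# PortReuse's actual trigger pattern is not reproduced here.
TRIGGER = b"\x17\x03PRT\x00"


def build_wol_magic_packet(mac: str) -> bytes:
    """A real Wake-on-LAN magic packet: six 0xFF bytes, then the target MAC
    repeated 16 times. It is broadcast as a UDP/Ethernet frame to wake a
    powered-down host; it is not sent to an open TCP service port, which is
    why 'magic packet' in the PortReuse sense is something else."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return b"\xff" * 6 + raw * 16


def service_handler(request: bytes) -> bytes:
    """The legitimate service sharing the port: a minimal HTTP responder."""
    body = b"hello from the web server\n"
    return (b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)) + body


def hidden_handler(request: bytes) -> bytes:
    """The implant's path, taken only when the request starts with TRIGGER.
    The 'payload' is just echoed back upper-cased here; a real implant would
    decrypt and execute whatever follows the trigger."""
    payload = request[len(TRIGGER):]
    return b"ok:" + payload.upper()


def dispatch(request: bytes) -> bytes:
    # Stands in for the implant's hook on the socket receive path: every
    # connection is inspected, but only a matching prefix is diverted, so
    # ordinary clients never notice anything different.
    if request.startswith(TRIGGER):
        return hidden_handler(request)
    return service_handler(request)


def serve(listener: socket.socket, max_conns: int) -> None:
    """Accept max_conns connections, read each request to EOF, reply, close."""
    for _ in range(max_conns):
        conn, _addr = listener.accept()
        with conn:
            request = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                request += chunk
            conn.sendall(dispatch(request))
    listener.close()


def start_server(max_conns: int) -> int:
    """Bind one ordinary listener (an ephemeral port here; 80 or 443 in the
    real case) and serve it from a background thread. Returns the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    port = listener.getsockname()[1]
    threading.Thread(target=serve, args=(listener, max_conns), daemon=True).start()
    return port


def send(port: int, data: bytes) -> bytes:
    """Send one request to the shared port and return the full reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)  # tell the server the request is complete
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


def run_demo() -> dict:
    """One normal HTTP request and one triggered request against the same port."""
    port = start_server(max_conns=2)
    normal = send(port, b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
    triggered = send(port, TRIGGER + b"run payload")
    return {"normal": normal, "triggered": triggered}


if __name__ == "__main__":
    for name, reply in run_demo().items():
        print(name, reply)
```

The point for defenders is visible in the demo: no new listening socket appears, and every connection that lacks the prefix is answered exactly as the legitimate service would answer it, so a port inventory or a listing of listening sockets looks clean. Hunting has to look at the process itself (injected code, hooked socket functions) or at the traffic, for example a service replying in a form its protocol never produces.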
Malware researchers were able to trace the IP addresses of the actors behind the PortReuse Trojan by decrypting the implant's payload. Studying the recovered data, they speculate that the Winnti Group may be preparing an attack on an Asian corporation that develops mobile software and manufactures mobile hardware, possibly a multi-stage attack using several different hacking tools.