Trend Micro researchers have uncovered a new backdoor pieces of malware from the Winnti family, which are mainly used by a Chinese cyber criminal group to target South East Asian organizations from the video gaming sector.
Winnti malware used by hackers to hijack control of web users systems using a new backdoor contained in the legitimate Aheadlib analysis tool. Dubbed as “Bkdr_Tengo.A,” passes itself off as a legitimate system DLL file called winmm.dll. "We believe that this was done using a legitimate tool called Aheadlib, which is a legitimate analysis tool." wrote Trend Micro's Eduardo Altares.
"The file is not encrypted and neither was it particularly hard to analyze. Its main behavior is to steal Microsoft Office, .PDF, and .TIFF files from USB drives inserted into the system. These stolen files are stored in the $NtUninstallKB080515$ under the Windows folder. It also creates a log file named Usblog_DXM.log. The files can be retrieved by the attacker at a later time. Aside from retrieving files, it has several backdoor commands which allow the attacker to take control of the system."
Aheadlib is a legitimate analysis tool that can be used to construct C code from DLL files. The tool is capable of hooking all the functions provided by the initial library. The criminals reportedly used the tool, which is connected to various parts of the network it is analysing, to create a backdoor they can use to bypass the system's security protocols.
"Two of these IP addresses proved to be of particular interest, namely 220.127.116.11 and 18.104.22.168. They are located in the United States, but multiple Chinese-language domains point to them. All of these have been blocked as command-and-control servers," he said.
This attack highlights how information theft can be performed even with malware that is not particularly advanced or sophisticated. It also shows some of the challenges in attributing attacks of this nature.