Sunday, June 7, 04:08
Home security The new PipeMon malware uses Windows print processors

The new PipeMon malware uses Windows print processors

Video game companies are again victims of the Winnti hacking team, which used new malware that researchers called PipeMon and a new method to achieve persistence.

PipeMon is a modular backdoor that was spotted earlier this year on servers belonging to several online multiplayer game developers (MMOs).

malware PipeMon

Winnti's activity has been around since 2011. Most victims come from the video game industry and software, but the team also targets organizations in the areas of healthcare and education.

The team is known for its supply chain attacks to millions of users using software such as Asus LiveUpdate, CCleaner or the financial sector (NetSarang).

Researchers at the cybersecurity company ESET found a new door to Winnti in February.‌ Two variations of malwrae were found in servers Multiple multiplayer games (MMO) from South Korea and Taiwan.

The security company is aware of at least one case where the perpetrator managed to endanger it system of a victim. If they had penetrated successfully, Winnti could have installed malware in the video game.

In a report today, ESET says that the body of evidence uncovered in these attacks clearly "shows" Winnti. Despite the innovation of malware PipeMon, the backdoor was signed using a certificate belonging to a video game company that was attacked in 2018.

This confirmation is not alone. The hackers reused some command and control (C2) domains that were observed in others campaigns and a custom login stealer he had previously seen in other Winnti victims.

It remains active in the system

Of the two variants of PipeMon that were discovered, the researchers could only find one way to install and achieve persistence.

To make sure the malware remains active on systems, Winnti used Windows Printing Processors (DLLs) that convert spooled data from a "print job" to readable form from a print screen.

A malicious DLL‌ loader crashes where the print processors are located and is registered as an alternative print processor. This is done by modifying one of the two registry values ​​(typographical error in the registry key does not affect the installation):

The malware then restarts the print spooler service to load it malicious procedure. As the service starts each time the computer starts, persistence is achieved.

ESET notes that similar technique was observed with the DePriMon download program, but researchers believe that the way PipeMon works has not been done before.

According to research, PipeMon is a modular backdoor, where each element is a DLL with different functionality.

They are encrypted on the disk and hidden under the non-suspicious names you see below. Custom commands can load other modules to order.

  • banner.bmp
  • certificate.cert
  • License.hwp
  • JSONDIU7c9djE
  • B0SDFUWEkNCj.logN

ESET notes that the update for PipeMon was most likely written from scratch, although they observed the same code structure.

For the past decade, Winnti has been developing its arsenal of malicious tools and carrying out attacks against various targets. Her preference for toy companies and supply chain attacks are still notable in its most recent activity.


Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehc
Be the limited edition.


Lyrics from AI technology or from people: Can you tell them apart?

While a large percentage of people can recognize when they are talking on a chatbot instead of a human operator, it seems that this is not the case ...

Technology and children: When are they ready for safe use?

Today's children and teens use various messaging apps and social media to ...

Call of Duty Black Ops Cold War: The first video leaked

The first video from the gameplay of Call of Duty 2020, which is rumored to be called Black Ops Cold War, has just been revealed.

Elon Musk: "It's time to break up Amazon"

Elon Musk intensifies the fight with Jeff Bezos with a new tweet: The General Manager of Tesla Inc., Elon Musk, said ...

Attack on America's 5G towers on Saturday!

Protests over 5G connectivity are scheduled to take place over the weekend, according to NATE. According to a recommendation that was identified ...

Windows 10 Updates: You can block them with Wu10Man!

Microsoft launched the Windows 10 update in May 2020, so it will be available on your computer soon ....

ECh0raix Ransomware: New campaign targets QNAP NAS devices!

Malicious agents behind eCh0raix Ransomware have launched a new campaign targeting QNAP NAS devices. ECh0raix was observed ...

Mac: How to change the storage location of your screenshots?

When you take screenshots on your Mac device using the Shift-Command-3 shortcut to take a screenshot of the entire computer screen or Shift-Command-4 ...

Malware USBCulprit: Aims devices that are not connected to a network

Did you think that devices without any connection to a local or other network (air-gapped devices) are safe? Think again! The USBCulprit malware that ...

Free Microsoft Teams: You can finally create meetings!

Users of the free version of Microsoft Teams can now create video meetings. The change, identified by ...