Chinese backdoor malware resurfaces after more than a decade

The malware affects Windows 7 and up to Windows 8.1, the researchers confirmed.


Security researchers have found a sophisticated remote access trojan that has resurfaced more than a decade after it was first released.

The new malware, dubbed "Hacker's Door" by researchers at Cylance, is operated by what's thought to be a Chinese advanced persistent threat hacker group known as Winnti.

The malware has many similarities to a remote access trojan (RAT) of the same name that first debuted in 2004 but was updated with new features in 2005.

The research, published Tuesday, found the new malware is largely based on the decade-old malware, but it has been adapted and modified to infect newer 64-bit systems.

The new version comprises a backdoor and a rootkit, giving the malware access to the operating system's core and letting the attacker read system information, list processes, and run commands. The researchers also found the malware can grab screenshots and files, covertly download additional tools, and open telnet and remote access ports. The tool can also extract the Windows user's credentials from the current session.

The new version appears to support Windows 7 and up to Windows 8.1, the researchers said. They are investigating whether Windows 10 is affected, but could not confirm this at the time of writing.

It's not known what kind of operation the Winnti APT group is using the malware for, but historically the group has focused on using remote access trojans for financial fraud.

The group is known to focus on large pharmaceutical companies and the video game industry, but Cylance senior threat researcher Tom Bonner said Hacker's Door was detected in the aerospace industry this time around.

As in previous cases, the malware was sold by its author and signed with a stolen certificate -- making it easier to infect machines by bypassing protections designed to detect unsigned code.

"It is highly likely that this tool will continue to be uncovered as part of targeted attacks for some time, as the ease of use and advanced functionality makes 'Hacker's Door' the perfect RAT for any adversary's arsenal," the researchers said.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
