PipeMon

Malware updated 7 months ago (2024-05-05T11:17:45.518Z)
PipeMon is a modular backdoor discovered in February 2020 and attributed to the Winnti Group, a threat actor known for cyber espionage. The modules communicate with each other over multiple named pipes, which is where the name "PipeMon" comes from. Its first stage is a password-protected RAR self-extracting (SFX) executable embedded in the .rsrc section of its launcher. The modules are installed in %SYSTEM32%\spool\prtprocs\x64\, the directory from which the Windows print spooler loads 64-bit print processors, which is how PipeMon gets loaded at boot; the same path was previously used to drop the second stage of the trojanized CCleaner.

The Winnti Group has been linked to numerous intrusions, including a supply-chain attack on a video game company in late 2018. Several of the command and control (C&C) domains used by PipeMon had been used by Winnti malware in earlier campaigns, and the code-signing certificate used on the PipeMon installer, modules and supporting tools belongs to that video game company, so it was most likely stolen during the 2018 compromise. Winnti malware had also been found in 2019 at some of the companies later compromised by PipeMon, which points to sustained targeting of the same victims.

PipeMon's behaviour maps to the following MITRE ATT&CK techniques (the IDs are those of the ATT&CK version current in 2020; several have since been deprecated or merged into newer techniques):
- T1008 Fallback Channels: an updated version of PipeMon switches to a fallback channel once a certain date is reached.
- T1032 Standard Cryptographic Protocol: PipeMon's C&C traffic is RC4 encrypted.
- T1094 Custom Command and Control Protocol: the communication module uses a custom protocol based on TLS over TCP.
- T1043 Commonly Used Port: PipeMon communicates over port 443.
- T1113 Screen Capture: one of the PipeMon modules is likely a screenshotter.
- T1063 Security Software Discovery: PipeMon checks for the presence of ESET and Kaspersky software.
- T1057 Process Discovery: PipeMon iterates over running processes to find a suitable injection target.
- T1055 Process Injection: PipeMon injects its modules into various processes using reflective loading.
The combination of print-processor persistence, in-memory module loading and encrypted C&C over a commonly allowed port makes PipeMon hard to spot from network telemetry alone; host-side visibility into the spooler directory, the print-processor registry key and named-pipe activity is the practical detection surface.
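The install path and the named-pipe design described above give a defender two concrete host-side signals: a new DLL written under spool\prtprocs\x64\ together with a new entry under the Print Processors registry key, and the spooler process creating named pipes it normally would not. The following is an added example (not code from the Cybergeist page, ESET or the Winnti tooling) that runs those rules over a few constructed Sysmon-style events (EventID 11 file create, 13 registry value set, 17 pipe created). The hostnames, file names, pipe names and registry value names in the sample are made up; only the directory, the registry key and the spooler's own \spoolss pipe are real Windows details.

```python
"""Detection sketch for PipeMon-style print-processor persistence.

Added example, not the page's or ESET's code. Field names follow Sysmon's
event schema (Image, TargetFilename, TargetObject, PipeName); the sample
events below are constructed, not real telemetry.
"""
import json
import re
from collections import defaultdict

# Directory from which the 64-bit print spooler loads print processors; the page
# reports the PipeMon modules are installed here.
PRTPROCS_DIR = re.compile(r"\\system32\\spool\\prtprocs\\x64\\", re.IGNORECASE)
# A print processor must be registered under this key before the spooler loads it.
PRINT_PROCESSORS_KEY = re.compile(
    r"\\control\\print\\environments\\windows x64\\print processors\\", re.IGNORECASE)
SPOOLER = re.compile(r"\\spoolsv\.exe$", re.IGNORECASE)
# The spooler's own RPC endpoint pipe; other pipes created by spoolsv.exe are unusual.
KNOWN_SPOOLER_PIPES = {"\\spoolss"}

# Constructed sample log: one JSON object per line (hypothetical hosts/names).
SAMPLE_LOG = r"""
{"EventID": 11, "Computer": "ws01", "Image": "C:\\Users\\a\\AppData\\Local\\Temp\\setup.exe", "TargetFilename": "C:\\Windows\\System32\\spool\\prtprocs\\x64\\hypo_prtproc.dll"}
{"EventID": 13, "Computer": "ws01", "Image": "C:\\Users\\a\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\hypoproc\\Driver", "Details": "hypo_prtproc.dll"}
{"EventID": 17, "Computer": "ws01", "Image": "C:\\Windows\\System32\\spoolsv.exe", "PipeName": "\\spoolss"}
{"EventID": 17, "Computer": "ws01", "Image": "C:\\Windows\\System32\\spoolsv.exe", "PipeName": "\\hypo_pipe_01"}
{"EventID": 11, "Computer": "ws02", "Image": "C:\\Windows\\System32\\spoolsv.exe", "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\vendor.dll"}
{"EventID": 17, "Computer": "ws02", "Image": "C:\\Windows\\System32\\spoolsv.exe", "PipeName": "\\spoolss"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (host, rule, detail) tuples for events matching the three rules."""
    findings = []
    for ev in events:
        eid, host, image = ev["EventID"], ev["Computer"], ev.get("Image", "")
        if eid == 11 and PRTPROCS_DIR.search(ev["TargetFilename"]):
            # Any write into the print-processor directory; legitimate driver
            # installs also land here, so allowlist by signer in production.
            findings.append((host, "prtprocs_write", ev["TargetFilename"]))
        elif eid == 13 and PRINT_PROCESSORS_KEY.search(ev["TargetObject"]):
            findings.append((host, "print_processor_registered", ev["TargetObject"]))
        elif eid == 17 and SPOOLER.search(image) and ev["PipeName"] not in KNOWN_SPOOLER_PIPES:
            # spoolsv.exe creating a pipe other than its RPC endpoint: consistent
            # with a module loaded into the spooler talking to injected modules.
            findings.append((host, "spooler_unusual_pipe", ev["PipeName"]))
    return findings


def triage(findings):
    """Correlate per host: drop + registration together is the persistence pattern."""
    rules_by_host = defaultdict(set)
    for host, rule, _ in findings:
        rules_by_host[host].add(rule)
    verdicts = {}
    for host, rules in rules_by_host.items():
        if {"prtprocs_write", "print_processor_registered"} <= rules:
            verdicts[host] = "high"
        else:
            verdicts[host] = "medium"
    return verdicts


if __name__ == "__main__":
    hits = detect(parse_events(SAMPLE_LOG))
    for hit in hits:
        print(hit)
    print(triage(hits))
```

On the constructed sample, ws01 produces the file drop, the registry registration and an unexplained spooler pipe and is rated high; ws02, where the spooler only writes a driver file outside prtprocs\x64 and opens its usual \spoolss pipe, produces nothing. In a real deployment the prtprocs_write rule needs an allowlist keyed on the DLL's code-signing certificate, and, given that PipeMon was signed with a certificate stolen from a legitimate vendor, that allowlist should be reviewed against revocation data rather than trusted blindly.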
Description last updated: 2024-05-05T10:38:19.106Z
Aliases: none currently tracked.
Associated Threat Actors
Alias: The Winnti Group
Description: The Winnti Group, a threat actor associated with Chinese state-sponsored hacking activity, has been active since at least 2007, according to researchers from Kaspersky Lab, who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers a
Association Type: Unspecified
Votes: 2

Alias: Winnti
Description: Winnti is a threat actor group known for its malicious activity, operating primarily from Chinese Advanced Persistent Threat (APT) infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such
Association Type: Unspecified
Votes: 2