PipeMon

Malware Profile Updated 3 months ago
PipeMon is a sophisticated, modular backdoor discovered in February 2020 and attributed to the Winnti Group, which is known for its cyber-espionage activity. The malware uses multiple named pipes for inter-module communication, hence the name "PipeMon". Its first stage is a password-protected RARSFX executable embedded in the .rsrc section of its launcher. Notably, PipeMon modules are installed in %SYSTEM32%\spool\prtprocs\x64\, a path previously used to drop the second stage of the trojanized CCleaner. The malware exhibits several advanced techniques, such as fallback channels, a standard cryptographic protocol, a custom command-and-control protocol, and process discovery. The Winnti Group has been associated with numerous cyberattacks, including a supply-chain attack on a video game company in late 2018. Some of the command-and-control (C&C) domains used by PipeMon were previously used by Winnti malware in past campaigns. The certificate used to sign the PipeMon installer, modules, and additional tools can be traced back to this compromised video game company, suggesting that it was likely stolen during the 2018 attack. Furthermore, Winnti malware was found in 2019 at some companies that were later compromised by PipeMon, indicating a pattern of targeted attacks.

PipeMon employs a range of techniques mapped to the MITRE ATT&CK framework:
- T1008 Fallback Channels: an updated version of PipeMon switches to a fallback channel once a certain date is reached.
- T1032 Standard Cryptographic Protocol: PipeMon communication is RC4 encrypted.
- T1095 Custom Command and Control Protocol: PipeMon's communication module uses a custom protocol based on TLS over TCP.
- T1043 Commonly Used Ports: PipeMon communicates over port 443.
- T1113 Screen Capture: one of the PipeMon modules is likely a screenshotter.
- T1063 Security Software Discovery: PipeMon checks for the presence of ESET and Kaspersky software.
- T1057 Process Discovery: PipeMon iterates over running processes to find a suitable injection target.
- T1055 Process Injection: PipeMon injects its modules into various processes using reflective loading.
This wide range of techniques demonstrates the advanced nature and potential threat of PipeMon.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
No overlaps to display
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
T1013
T1116
T1134
T1088
T1055
T1057
T1095
T1032
T1008
T1502
T1027
T1112
T1063
T1113
Backdoor
T1043
Implant
Payload
Associated Malware
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Winnti | Unspecified | 2 | Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar
Winnti Group | Unspecified | 2 | The Winnti Group, a collective of Chinese Advanced Persistent Threat (APT) groups including APT41, first gained notoriety for its attacks on computer game developers. The group was initially spotted by Kaspersky in 2013, but researchers suggest that this nation-state actor has been active since at l
Associated Vulnerabilities
No associations to display
Source Document References
Information about the PipeMon malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | No "Game over" for the Winnti Group | WeLiveSecurity
CERT-EU | a year ago | Space Pirates: analyzing the tools and connections of a new hacker group