Pipemon – Modular Backdoor


Monday, June 8th, 2020

Pipemon is a newly discovered backdoor that, once installed and executed on a target machine, collects and sends the following to its command and control (C2) server:

  • The victim's RDP (Remote Desktop Protocol) information
  • OS, CPU, computer name and time zone information
  • Network configuration, disk drive information and the list of running processes

Pipemon is deployed in several stages before it is fully active. For a detailed analysis of these stages and of the malware's persistence mechanism, please see the referenced document, ‘Pipemon – Modular Backdoor’, at the end of this article. In short, Pipemon hides among Windows print processors: the installer drops a malicious loader DLL into the directory where print processors reside and registers it in the registry as an alternative print processor. Because the Print Spooler service starts at every boot and loads each registered print processor, the loader runs automatically and persistence is achieved without any scheduled task, service or Run key of its own.

Pipemon itself is modular: each component is a DLL with its own functionality, and the operator can load additional modules on demand with custom commands, tailoring the backdoor to each victim.


While Pipemon itself is novel, its installer was signed with a code-signing certificate belonging to a video game company, ‘Nfinity Games’, which was compromised in a 2018 attack. The attackers, the group known as ‘Winnti’, are well known for their APT (advanced persistent threat) activity, with attacks attributed to them going back as far as 2011. Most of their victims are in the video game and software industries, but they have also targeted organizations in the healthcare and education sectors.

Winnti is well known for supply-chain attacks, having trojanized software used by millions of users, such as ASUS LiveUpdate and CCleaner, as well as NetSarang's server-connectivity tools. Some of the C2 domains observed in Pipemon, along with a custom login credential stealer, have been seen in previous Winnti attacks, providing further evidence of the authorship of the malware.

The name ‘Pipemon’ comes from the fact that the malware author used “Monitor” as the name of the Visual Studio project, and that the modules communicate with each other over multiple named pipes. One possible end goal for a threat actor deploying Pipemon is to eventually encrypt a machine's files and carry out a ransomware attack; trojans of similar complexity are increasingly being used to extort money from their victims, although no such payload has been reported for Pipemon itself.


A backdoor such as Pipemon is built to stay quiet, so an infected computer may show no obvious signs at all. Depending on what the operator does with the access, there may still be hints that something is wrong. A machine that starts crashing to the “blue screen of death” is sometimes cited as a sign of infection, but that symptom has many possible causes and is not specific to a trojan.

Other possible symptoms are unwanted changes to the system or to certain programs, data corruption, software errors and unusual slowness. None of these is conclusive on its own; the reliable indicators are the artifacts the malware leaves behind: an unexpected DLL registered as a print processor, the named pipes its modules use, and connections to the C2 domains listed in the indicators of compromise. If you observe any combination of these issues, act quickly: a backdoor gives the attacker a foothold from which follow-on payloads (ransomware included) can be delivered, at which point remediation becomes far harder.

Removing only some of Pipemon's files is not enough: as long as the loader DLL and its print processor registry entry remain, the Print Spooler will load it again at the next boot and the backdoor can reinstall its other components. All of Pipemon's core files and registry entries must be removed from an infected system, and restoring the machine from a backup taken before the infection is the most dependable form of remediation. For a detailed list of IOCs associated with the Pipemon malware, please see the section ‘Pipemon – Indicators of Compromise’ in the attached document at the end of this article.
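The persistence mechanism described above (a loader DLL dropped into the print processor directory and registered as a print processor) and the question of what a defender can actually look for both come down to the same two artifacts, so here is one hunt script covering both. It is an added example written for this article, not code from the original page or from the researchers who analysed Pipemon. It runs over Sysmon-shaped events (Event ID 13, registry value set; Event ID 11, file create) using Sysmon's real field names, and flags any print processor whose Driver value is not the stock winprint.dll, plus any DLL written under spool\prtprocs\. The registry path and directory are the real Windows locations; the sample events, and the file and process names in them, are constructed for the example.

```python
"""Hunt for print-processor persistence of the kind Pipemon uses.

Added example, not code from the article or from the original malware analysis.
Input: Sysmon-style event dicts (field names TargetObject, Details,
TargetFilename, Image follow Sysmon's EventData; the events below are constructed).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Real registry location of print processors, e.g.
# HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver
# The regex deliberately does not pin CurrentControlSet so ControlSet001/002 writes are caught too.
PRINT_PROC_KEY = re.compile(
    r"\\Control\\Print\\Environments\\(?P<env>[^\\]+)\\Print Processors\\(?P<name>[^\\]+)\\Driver$",
    re.IGNORECASE,
)
# Real on-disk location of print processor DLLs, e.g. C:\Windows\System32\spool\prtprocs\x64\
PRTPROCS_DLL = re.compile(r"\\spool\\prtprocs\\[^\\]+\\[^\\]+\.dll$", re.IGNORECASE)

# The only print processor Windows ships by default; anything else deserves a look.
BUILTIN_PROCESSORS = {"winprint.dll"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    reason: str
    artifact: str
    image: str  # process that wrote the value / file


def check_registry_event(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 13 (RegistryEvent, Value Set): flag non-default print processors."""
    m = PRINT_PROC_KEY.search(ev.get("TargetObject", ""))
    if not m:
        return None
    driver = ev.get("Details", "").strip().lower()
    if driver in BUILTIN_PROCESSORS:
        return None
    return Finding(13, f"non-default print processor '{m['name']}' registered ({m['env']})",
                   driver, ev.get("Image", "?"))


def check_file_event(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 11 (FileCreate): flag DLLs dropped into the print processor directory."""
    path = ev.get("TargetFilename", "")
    if not PRTPROCS_DLL.search(path):
        return None
    if path.rsplit("\\", 1)[-1].lower() in BUILTIN_PROCESSORS:
        return None
    return Finding(11, "DLL dropped into print processor directory", path, ev.get("Image", "?"))


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run both checks over a stream of events and return every finding, in order."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        f = check_registry_event(ev) if eid == 13 else check_file_event(ev) if eid == 11 else None
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real IOCs): one benign spooler write, one benign file,
# and a hypothetical installer "setup.exe" dropping "evil.dll" and registering it.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver",
     "Details": "winprint.dll"},
    {"EventID": 11, "Image": r"C:\Users\Public\setup.exe",
     "TargetFilename": r"C:\Windows\System32\spool\prtprocs\x64\evil.dll"},
    {"EventID": 13, "Image": r"C:\Users\Public\setup.exe",
     "TargetObject": r"HKLM\System\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\CustomProc\Driver",
     "Details": "evil.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\notes.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[EID {f.event_id}] {f.reason}: {f.artifact} (by {f.image})")
```

The same two checks translate directly to a live host: list the `Driver` values under every `Print Processors` subkey and compare them with the DLLs present in `spool\prtprocs\`, and treat any print processor other than `winprint.dll` (or any unsigned DLL in that directory) as something to explain before it is dismissed. Matching on the key suffix rather than on a specific pipe or file name matters here, because an operator can rename the DLL and the processor entry freely while the loading mechanism stays the same.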


Sources:

Attachments
