PipeMon

PipeMon is a multi-stage modular backdoor used by Winnti Group.[1]

ID: S0501
Type: MALWARE
Platforms: Windows
Contributors: Mathieu Tartare, ESET; Martin Smolár, ESET
Version: 1.2
Created: 24 August 2020
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.[1]

Enterprise T1112 Modify Registry

PipeMon has modified the Registry to store its encrypted payload.[1]

Enterprise T1129 Shared Modules

PipeMon has used a call to LoadLibrary to load its installer. PipeMon loads its modules using reflective loading or custom shellcode.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

PipeMon communications are RC4 encrypted.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

PipeMon can decrypt password-protected executables.[1]

Enterprise T1547 .012 Boot or Logon Autostart Execution: Print Processors

The PipeMon installer has modified the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors to install PipeMon as a Print Processor.[1]

Enterprise T1008 Fallback Channels

PipeMon can switch to an alternate C2 domain when a particular date has been reached.[1]

Enterprise T1106 Native API

PipeMon's first stage has been executed by a call to CreateProcess with the decryption password in an argument. PipeMon has used a call to LoadLibrary to load its installer.[1]

Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

PipeMon has stored its encrypted payload in the Registry under HKLM\SOFTWARE\Microsoft\Print\Components\.[1]
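The two registry locations the page names, the Print Processors key used for persistence (T1547.012 / T1543.003) and the HKLM\SOFTWARE\Microsoft\Print\Components key used as fileless storage (T1027.011), can be checked from a host with the following script. It is an added hunting example, not PipeMon code and not from the ESET report or the ATT&CK entry. It assumes, as a baseline not stated on the page, that a stock Windows install registers only the winprint processor backed by winprint.dll, and it uses a hypothetical threshold of 4096 bytes to call a REG_BINARY value a candidate payload blob.

```powershell
# Added hunting script (not PipeMon code, not from the ESET/ATT&CK page).
# Read-only; run from an elevated PowerShell prompt on the host under review.
# Assumptions (not from the page): a stock install registers only the
# 'winprint' processor backed by winprint.dll, and a registry-resident
# payload shows up as a REG_BINARY value of at least $MinBlobBytes.

$EnvKey          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64'
$ProcKey         = Join-Path $EnvKey 'Print Processors'
$ComponentKey    = 'HKLM:\SOFTWARE\Microsoft\Print\Components'
$MinBlobBytes    = 4096                                 # hypothetical threshold
$KnownProcessors = @{ 'winprint' = 'winprint.dll' }     # assumed baseline

# The spooler loads a processor's Driver DLL from
# %SystemRoot%\System32\spool\prtprocs\<Directory value of the environment key>\
$SubDir  = (Get-ItemProperty -Path $EnvKey -Name Directory).Directory
$ProcDir = Join-Path $env:SystemRoot "System32\spool\prtprocs\$SubDir"

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Print Processor registrations (T1547.012 / T1543.003)
foreach ($key in Get-ChildItem -Path $ProcKey) {
    $name   = $key.PSChildName
    $driver = $key.GetValue('Driver')
    $dll    = if ($driver) { Join-Path $ProcDir $driver } else { $null }

    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $sig    = Get-AuthenticodeSignature -FilePath $dll
        $status = $sig.Status.ToString()
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    } else {
        $status = 'FileMissing'
        $signer = ''
    }

    # Flag a registration whose name or DLL departs from the baseline, or whose
    # DLL is not Microsoft-signed. A Valid status alone is not enough: the page
    # notes PipeMon is signed with stolen certificates, so the signer subject
    # is reported for the analyst to review.
    $reasons = @()
    if (-not $KnownProcessors.ContainsKey($name))  { $reasons += 'unknown processor name' }
    elseif ($KnownProcessors[$name] -ne $driver)   { $reasons += 'unexpected Driver value' }
    if ($status -ne 'Valid')                       { $reasons += "signature $status" }
    elseif ($signer -notmatch 'Microsoft')         { $reasons += 'non-Microsoft signer' }

    if ($reasons.Count -gt 0) {
        $Findings.Add([pscustomobject]@{
            Check    = 'PrintProcessor'
            Location = $key.Name
            Detail   = "Driver=$driver Signer=$signer"
            Reason   = ($reasons -join '; ')
        })
    }
}

# 2. Registry-resident payload blobs (T1027.011)
if (Test-Path -LiteralPath $ComponentKey) {
    $keys = @(Get-Item -LiteralPath $ComponentKey) +
            @(Get-ChildItem -LiteralPath $ComponentKey -Recurse)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            if ($key.GetValueKind($valueName) -ne 'Binary') { continue }
            $size = ($key.GetValue($valueName)).Length
            if ($size -ge $MinBlobBytes) {
                $Findings.Add([pscustomobject]@{
                    Check    = 'RegistryBlob'
                    Location = $key.Name
                    Detail   = "Value='$valueName' Size=$size bytes"
                    Reason   = "REG_BINARY value >= $MinBlobBytes bytes under Print\Components"
                })
            }
        }
    }
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings | Format-Table -AutoSize -Wrap }
```

Two caveats when reading the output. Printer vendors legitimately ship their own print processors, so a non-Microsoft signer is a lead to triage, not a verdict; compare the DLL hash against the vendor package. The script only inspects the Windows x64 environment key the page names; a 32-bit environment key exists alongside it and would need the same check. Because the spooler loads a registered processor when the service starts, an endpoint image-load telemetry source (for example, DLL loads by spoolsv.exe from the prtprocs directory) complements this static check.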

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

PipeMon modules are stored encrypted on disk.[1]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

PipeMon installer can use UAC bypass techniques to install the payload.[1]

Enterprise T1082 System Information Discovery

PipeMon can collect and send OS version and computer name as a part of its C2 beacon.[1]

Enterprise T1124 System Time Discovery

PipeMon can send time zone information from a compromised host to C2.[1]

Enterprise T1016 System Network Configuration Discovery

PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.[1]

Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

PipeMon can attempt to gain administrative privileges using token impersonation.[1]

Enterprise T1134 .004 Access Token Manipulation: Parent PID Spoofing

PipeMon can use parent PID spoofing to elevate privileges.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

PipeMon can check for the presence of ESET and Kaspersky security software.[1]

Enterprise T1105 Ingress Tool Transfer

PipeMon can install additional modules via C2 commands.[1]

Enterprise T1057 Process Discovery

PipeMon can iterate over the running processes to find a suitable injection target.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

PipeMon can inject its modules into various processes using reflective DLL loading.[1]

Enterprise T1095 Non-Application Layer Protocol

The PipeMon communication module can use a custom protocol based on TLS over TCP.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

PipeMon, its installer, and tools are signed with stolen code-signing certificates.[1]

Groups That Use This Software

ID Name References
G0044 Winnti Group [1]

References