Winnti Group targets video game developers again


ESET researchers have discovered a new modular backdoor used by the Winnti Group against several video game companies that develop MMO (massively multiplayer online) games. The malware, named PipeMon by ESET, targeted companies in South Korea and Taiwan. The video games developed by these companies are distributed all around the world, are available on popular gaming platforms, and have thousands of simultaneous players.

In at least one case, the attackers compromised the company’s build orchestration server, allowing them to take control of the victim’s automated build systems. This could have allowed the attackers to trojanize video game executables. “However, we do not have evidence this has occurred,” says Mathieu Tartare, malware researcher at ESET. In another case, the operators compromised the company’s game servers. With this level of access, it would be possible to manipulate in-game currencies for financial gain. ESET contacted the affected companies and provided the necessary information and assistance to remediate the compromise.

“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns. Furthermore, in 2019 other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020,” says Tartare.

The new modular backdoor PipeMon is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor. “This new implant shows that the attackers are actively developing new tools using multiple open source projects and don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware,” adds Tartare. ESET was able to trace two different variants of PipeMon.

The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the video game and software industries, leading to the distribution of trojanized software (such as CCleaner, ASUS LiveUpdate and multiple video games) that is used to compromise more victims. Recently, ESET researchers also discovered a campaign of the Winnti Group targeting several Hong Kong universities with ShadowPad and the Winnti malware. More details about the group’s arsenal are explored in a white paper published in October 2019.
