Video game developers are under attack by the Winnti Group potentially in the quest for in-game cash and rewards.
On Wednesday, cybersecurity firm ESET released a report on the advanced persistent threat (APT) group, which has been caught performing similar attacks in the past.
According to the team, the Winnti Group has been using a new, modular malware on the systems of several massively multiplayer online (MMO) game developers located in South Korea and Taiwan.
The companies, while unnamed, have designed games played by thousands of people worldwide.
ESET says that in at least one campaign, the threat actors were able to compromise a developer's build orchestration server, which gave them the keys to automated build systems.
In turn, this may have led to the video game's downloadable executables being hijacked or Trojanized, although the team was not able to find any evidence of this form of attack.
Instead, the group appears to be focusing on compromising the game developer's servers in order to "manipulate in-game currencies for financial gain," ESET says.
The malware in use has been called PipeMon, a modular backdoor that masquerades as print processing software.
Signed off using a stolen Wemade IO certificate, the backdoor contains DLL modules that load using a reflective loading technique.
The new backdoor was found alongside previously-seen Winnti malware, a custom credential harvester, the abuse of a range of open source tools, and references to command-and-control (C2) servers belonging to the Winnti Group.
Two versions of PipeMon have been found, the first of which lacked an installer. However, the second -- and latest -- build revealed an installer that drops its payload into the Windows Print Processors directory. A malicious DLL is registered as a print processor, and PipeMon then restarts the print spooler service so that the DLL is loaded on every startup, giving it persistence, before writing additional modules and malicious executables to a temporary file directory.
An encrypted payload is then unpacked and written to the registry before contact is established with a C2. System information including computer name, IP address, and OS version is harvested and sent to the C2, encrypted with RC4. PipeMon also establishes a separate communication channel for each malicious module.
The second version of PipeMon is similar to the original but only writes the main DLL installer to disk, with modules stored in the registry by the installer.
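The print processor registration described above is a persistence mechanism a defender can audit directly. The PowerShell below is an added example, not code from ESET or the article: it walks the registry keys Windows uses for print processors, locates each registered DLL in the spooler's prtprocs directory, and flags anything that is missing, unsigned, or signed by a publisher other than Microsoft. The registry and directory layout are the standard Windows ones (an assumption about a default installation).

```powershell
# Added example: audit registered print processors for suspicious DLLs.
# Assumes the default Windows layout for print processor registration and files.
$envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$findings = @()

foreach ($envKey in Get-ChildItem -Path $envRoot) {
    # Each environment (e.g. "Windows x64") names its prtprocs subdirectory in "Directory".
    $subDir = (Get-ItemProperty -Path $envKey.PSPath -ErrorAction SilentlyContinue).Directory
    $ppKey  = "$($envKey.PSPath)\Print Processors"
    if (-not $subDir -or -not (Test-Path -Path $ppKey)) { continue }
    $ppDir = Join-Path -Path $env:SystemRoot -ChildPath "System32\spool\prtprocs\$subDir"

    foreach ($proc in Get-ChildItem -Path $ppKey) {
        # The "Driver" value is the DLL the spooler loads for this processor.
        $dll  = (Get-ItemProperty -Path $proc.PSPath -ErrorAction SilentlyContinue).Driver
        $path = if ($dll) { Join-Path -Path $ppDir -ChildPath $dll } else { $null }
        $note = $null

        if (-not $dll) {
            $note = 'no Driver value'
        } elseif (-not (Test-Path -Path $path)) {
            $note = 'DLL missing on disk'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $note = "signature status: $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                # PipeMon was signed with a stolen vendor certificate, so a valid
                # signature from a non-Microsoft publisher still deserves review.
                $note = "valid but non-Microsoft signer: $($sig.SignerCertificate.Subject)"
            }
        }

        $findings += [pscustomobject]@{
            Environment = $envKey.PSChildName
            Processor   = $proc.PSChildName
            Driver      = $dll
            Path        = $path
            Finding     = if ($note) { $note } else { 'ok' }
        }
    }
}

# Print everything, then highlight only the entries that need attention.
$findings | Format-Table -AutoSize
$findings | Where-Object { $_.Finding -ne 'ok' } |
    ForEach-Object { Write-Warning "$($_.Environment)\$($_.Processor): $($_.Finding)" }
```

Pair this with a check for unexpected spooler restarts on build and game servers, since the article notes the backdoor restarts the print spooler service to activate its DLL.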
"This new implant shows that the attackers are actively developing new tools using multiple open source projects and don't rely solely on their flagship backdoors, ShadowPad and Winnti," ESET researcher Mathieu Tartare said.
The Winnti Group was first discovered in 2012. Also known as APT41, BARIUM, and Blackfly, the threat group has previously been linked to an attack against Gravity, a South Korean gaming company, as well as multiple campaigns against game vendors in 2019.
ESET added that the APT is likely responsible for a range of supply-chain attacks leading to the distribution of Trojanized software, such as in the cases of CCleaner in 2017 and ASUS LiveUpdate in 2019.
"Multiple indicators led us to attribute this campaign to the Winnti Group," said Tartare. "Some of the C2 domains used by PipeMon were used by Winnti malware in previous campaigns. Furthermore, in 2019 other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020."
ESET has contacted the affected companies and helped them boot the Winnti Group out of infected servers. In addition, the issuer of the stolen certificate has since revoked it.
In other security news this month, Cisco Talos researchers have documented the emergence of WolfRAT, DenDroid-based Android malware that has been tracked in attacks against Thai speakers. The researchers suspect a connection to spyware seller Wolf Research.