Posted on May 23, 2020 at 8:10 AM
A recent report revealed that a hacking syndicate has been identified attacking Asian gaming companies with malware that can infect users’ systems.
Cybersecurity firm ESET published a report yesterday describing how the hacking syndicate, known as the “Winnti Group,” was infiltrating Massively Multiplayer Online (MMO) game servers.
However, ESET did not name the gaming companies affected. Instead, it said the companies were based in Asia. ESET further stated that gaming companies are very popular around the world and their games are being played online and distributed all over the world. The games are also available on popular gaming platforms with thousands of simultaneous players.
In one of the attacks, the cybercriminals hijacked one of the gaming company’s “build orchestration server”, which enabled them to deposit malware in the game’s executables. But ESET was not able to find out whether the hackers chose to booby-trap the game’s program files. In a similar attack, the cybercriminals managed to manipulate the virtual currency in the game for their financial gain.
It’s not clear how the malware, named PipeMon, actually managed to slip inside the system. However, the malware was camouflaged under program names that included setup.exe along with slack.exe.
Additionally, the hackers stole and used code-signing certificates from a genuine gaming vendor. Hence, the malware was successful in bypassing the security protections on Windows after installation.
The hacking group has successfully compromised companies’ servers in the past
Winnti is the name of a group of hackers who have been hacking gaming companies in Asia since 2009. The main indicator found by the ESET researchers was not a payload, as is the case with other similar attacks. Instead, ESET saw the executable that sets a malware attack in motion, known as a dropper file.
The main goal of the attackers is to steal intellectual property from companies, and they have been very active against Asian game companies.
Multiple indicators showed the Winnti group was responsible for the attack
According to ESET researcher Mathieu Tartare, ESET was able to attribute the attack to the Winnti Group as a result of multiple indicators. “Multiple indicators led us to attribute this campaign to the Winnti Group,” he said.
He further explained that some of the command-and-control servers used by PipeMon had been used by the Winnti Group’s malware in previous campaigns.
All affected game companies have been contacted
ESET said it had already informed all the affected gaming companies and gave them guidance on the best ways of removing the malware. The companies have also revoked the code-signing certificates, and the vulnerabilities have been patched.
Winnti Group is not finished yet
The Winnti Group may not be through yet, as several indications show. The group has a long history of infiltrating video game companies to steal code-signing certificates and source code. ESET said the group was also responsible for the infiltration of a PC vendor and of Avast’s CCleaner back in 2017.
They infiltrated the server in order to plant malware in a program used by millions of people. Given their history of attacking the gaming industry, it is safe to say they will be back again, according to ESET.
Malware could be targeting Windows 7 systems
The ESET researchers said this was a well-crafted attack that used stolen digital certificates to give access to the Winnti malware drivers. However, the use of the DSEFix bypass is an indication that the malware is old and seemingly targeting Windows 7 systems.
It also shows the malware may have utilized DNS tunneling, which is also an old method of passing data through and out of a network without detection.
This shows that, although the attack may have occurred in February this year, there may have been a connection to hacking operations carried out several years ago. And this series of attacks may have been carried out by a single group spread across several sub-groups, ESET concluded.