Winnti hacking group hits gaming firms with new backdoor malware

Winnti hacking group previously targeted GRAVITY gaming firm in South Korea.

It is claimed that hackers are aiming to target Asian video game developers.

A brand new backdoor malware used by the notorious Winnti hacking group has been discovered by researchers at cybersecurity firm ESET.

The company published a report on Thursday revealing in-depth details about the new modular backdoor and how the hackers are trying to use it against gaming firms that mainly develop massively multiplayer online (MMO) games.

The malware, which ESET dubbed PipeMon, is currently targeting gaming firms based in Taiwan and South Korea.


The researchers didn't reveal the names of the gaming firms that have been targeted. It is, however, stated that the games developed by these firms are distributed across the globe, are available on all popular gaming platforms, and are played by thousands of players.

It is worth noting that both countries are home to some of the most popular games and best-known gaming developers and brands, including MSI, Asus ROG, and Acer Predator from Taiwan and Nexon, Gravity, and Netmarble from South Korea.

According to the analysis of ESET malware researcher Mathieu Tartare, there is sound reason to believe that the Winnti hacking group is involved.

“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns. Furthermore, in 2019, other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020,” said Tartare.

The modular backdoor, according to ESET researchers, is signed with a Wemade IO code-signing certificate that was most likely stolen during a past campaign.
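A signature made with a stolen but otherwise valid certificate passes ordinary signature validation, so the defender's check has to go one step further and compare the signer against an allowlist of publishers the organisation actually expects. The PowerShell snippet below is an added example written for this article; it is not ESET's tooling or anything from the report. The directory path and the allowlisted thumbprint are placeholders to be replaced with real values.

```powershell
# Added example (not from the article or ESET): list signed binaries whose signer
# is not on an organisation's allowlist. A valid signature from a stolen
# certificate still reports Status = Valid, so status alone is not enough.
param(
    # Placeholder directory to scan; replace with the real install or build path.
    [string]$Path = 'C:\Program Files\ExampleGame',
    # Placeholder thumbprint(s) of the code-signing certificates you expect.
    [string[]]$AllowedThumbprints = @('0000000000000000000000000000000000000000')
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Thumbprint = $thumb
            # The interesting case: the signature checks out, but the signer is not one we trust.
            UnknownSigner = ($sig.Status -eq 'Valid' -and $thumb -notin $AllowedThumbprints)
        }
    } |
    # Report anything unsigned, tampered, or validly signed by an unexpected publisher.
    Where-Object { $_.UnknownSigner -or $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

Run it against a software directory or a build output folder; a hit with `Status` equal to `Valid` and `UnknownSigner` set to `True` is exactly the pattern a stolen certificate produces, and is worth checking against the certificate's revocation status and the publisher's expected signing identity.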


Interestingly, the new modular backdoor shares stark similarities with the PortReuse backdoor. PipeMon is made up of DLL modules that are loaded on the targeted device using a reflective loading technique.

In one case, the attackers compromised a gaming firm's build orchestration server, which gave them control of the company's automated build systems. From that position, attackers can easily Trojanize video game executable files.

In another incident, the company's game servers were compromised, which may allow attackers to manipulate in-game currencies for monetary gain.

The Winnti hacking group is believed to be responsible for launching highly sophisticated cyberattacks against several high-profile organizations, including the Government of Thailand, tech firms, activists fighting for the Uyghur and Tibetan cause, and Chinese journalists.

Moreover, it is the same group that launched a cyberattack against the South Korean gaming firm Gravity and many other game vendors.
