BRATISLAVA, MONTREAL – ESET researchers have discovered a new modular backdoor used by the Winnti Group against several video game companies that develop MMO (massively multiplayer online) games. The malware, named PipeMon by ESET, targeted companies in South Korea and Taiwan. The video games developed by these companies are distributed all around the world, are available on popular gaming platforms, and have thousands of simultaneous players.
In at least one case, the attackers compromised the company’s build orchestration server, allowing them to take control of the victim’s automated build systems. This could have allowed the attackers to trojanize video game executables. “However, we do not have evidence this has occurred,” says Mathieu Tartare, Malware researcher at ESET. In another case, the operators compromised the company’s game servers. With this attack, it would be possible to manipulate in-game currencies for financial gain. ESET contacted the affected companies and provided the necessary information and assistance to remediate the compromise.
“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns. Furthermore, in 2019 other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020,” says Mathieu Tartare, ESET researcher monitoring the Winnti Group. There are other notable similarities that researchers explore in the blogpost.
The new modular backdoor PipeMon is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor. “This new implant shows that the attackers are actively developing new tools using multiple open source projects and don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware,” adds Tartare. ESET was able to trace two different variants of PipeMon.
For more technical details about the latest Winnti backdoor, read the blogpost No ‘Game over’ for the Winnti Group on WeLiveSecurity. Make sure to follow ESET research on Twitter for the latest news from ESET Research.
The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the video game and software industries, leading to the distribution of trojanized software (such as CCleaner, ASUS LiveUpdate and multiple video games) that is used to compromise more victims. Recently, ESET researchers also discovered a campaign of the Winnti Group targeting several Hong Kong universities with ShadowPad and the Winnti malware. More details about the group’s arsenal are explored in a white paper published in October 2019.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.