A notorious hacking group is going after game developers based in two Asian countries through the “backdoor”.
The Winnti Group which has remained active since 2012 has been discovered to be using a backdoor modular against major game making companies based in South Korea and Taiwan that specializes in developing MMO (Massively Multiplayer Online) video with video games distributed and available on popular video gaming platforms all over the world with a huge number of simultaneous active players.
The malware named “PipeMon” by ESET who discovered the attack was developed by the cybercriminals to infuriate the companies’ designed system and game servers and to execute a supply-chain related attack that allows them to plant trojan in the game’s executables. Winnti Group is not just attacking game developers for the first time, they have been linked previously to attacks on gaming software developers which lead to the distribution of trojan-laced software on Multiple video games and CCleaner that is later used to breach more victims in a high-profile supply-chain attack with Shadow Winnti malware.
The malware is a modular backdoor that uses multiple pipes for inter-modular transmission made up of main modules identified by the ESET research team as GuardClient, ManagerMain, Win32CmdDll, and Communication. They carry out actions like loading other modules, loading the communication module, management of communications between C2 servers and modules, execution of commands received, decrypting other modules and other activities.
Winnti Group Malware Variants
An ESET research report shows that Winnti group uses two unique variants of the “novel backdoor” malware that is new on the block, this first version is more of a trial version as this version appears to be more potent even though both have a feature of an installer dropping the payload in the windows print processors directory before restarting the print spooler service to maintain tenacity. The loader gets encrypted and stored and named “setup.dll” in a library file which establishes the registry value with other payloads like “CrLnc.dat” and “Duser.dll” loaded, decrypted, and executed.
PipeMon malware module and installers have a valid signed certificate stolen from unsuspecting owners which helps it pass through AVS protective layers, but this stolen certificate has been revoked after they were alerted by ESET. The make-up of the PipeMon malware by Winnti Group is a pointer that they are working on multiple open source projects for future attacks.
- Get the ESET Antivirus Software