ESET researchers report that the Winnti hacker group (aka Suckfly, APT41, Wicked Panda, Barium, etc.), known for its attacks on game developers, has adopted a new backdoor. In February 2020, the modular PipeMon malware was discovered on the systems of several developers of massively multiplayer online (MMO) games. The names of the affected companies were not disclosed, but they are known to be based in South Korea and Taiwan, and their games are distributed through popular gaming platforms and have thousands of players.
As a reminder, according to Kaspersky Lab and ESET, Winnti has been attacking game developers for many years, using them as a foothold for supply-chain attacks. For example, researchers found that the hackers compromised at least two popular games and one gaming platform, affecting tens or even hundreds of thousands of users.
Interestingly, according to a 2019 FireEye report, the group's attacks on game companies are not necessarily driven by cyber espionage at all. FireEye analysts suggest that Winnti members compromise game companies in their spare time for personal gain, stealing and manipulating in-game currency.
In the new report on PipeMon, ESET analysts write that in at least one case Winnti members managed to compromise the victim's build system, that is, they were in a position to carry out a supply-chain attack and could have infected the game's executables. In another case, game servers were hacked, which would have allowed the attackers, for example, to manipulate in-game currency for financial gain.
ESET specialists contacted all the affected companies and provided them with all the necessary information to eliminate the consequences of the attacks.
ESET emphasizes that linking PipeMon to the Winnti group was not difficult. Some of PipeMon's command-and-control servers had previously been used by Winnti malware, as documented in the researchers' earlier report on the group's arsenal. In addition, Winnti malware had been found in 2019 on the systems of several companies that were subsequently compromised with PipeMon.
The campaign also reused a stolen code-signing certificate that has long been known to researchers and that the group has used before. The certificate, issued to the video game company Wemade IO, was used to sign the PipeMon installer, its modules and additional tools; Wemade IO itself was compromised by the group back in 2018, which is presumably when the certificate was stolen.
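A stolen but not yet revoked certificate produces an Authenticode signature that Windows reports as perfectly valid, so a hunt for binaries signed with it has to match on the signer's identity rather than on signature status. The following PowerShell script is an added example for this page, not ESET's tooling or anything from the report: it walks a directory tree and lists PE files whose signer subject matches a pattern (the "Wemade" name comes from the article) or whose certificate thumbprint is on a list the reader supplies. The `$SuspectThumbprints` list is an assumption left empty here; fill it from a trusted vendor report rather than guessing.

```powershell
# Added example (not from the ESET report): hunt a directory tree for PE files
# signed with a known-compromised code-signing certificate.
# Assumptions: the subject pattern 'Wemade' is taken from the article; the
# thumbprint list is a placeholder to be populated from a trusted report.
param(
    [string]$Root = 'C:\Program Files',
    [string[]]$SuspectSubjectPatterns = @('Wemade'),
    [string[]]$SuspectThumbprints = @()   # assumption: fill in from a vendor report
)

$extensions = '*.exe', '*.dll', '*.sys', '*.ocx'

Get-ChildItem -Path $Root -Recurse -Include $extensions -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: outside the scope of this check

        # Match on who signed the file, not on whether the signature verifies:
        # a stolen certificate still yields Status = 'Valid' until it is revoked.
        $subjectHit = $false
        foreach ($pattern in $SuspectSubjectPatterns) {
            if ($cert.Subject -match [regex]::Escape($pattern)) { $subjectHit = $true }
        }
        $thumbHit = $SuspectThumbprints -contains $cert.Thumbprint

        if ($subjectHit -or $thumbHit) {
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status           # expect 'Valid' even for a stolen cert
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    } | Format-Table -AutoSize
```

Run it as `.\Find-SuspectSigner.ps1 -Root 'C:\Games'` (any script name works) and triage the hits by hash; a file signed by a game vendor's certificate but located outside that vendor's install directory, or signed after the certificate is known to have been stolen, deserves a closer look. Note that the `Status` column is deliberately reported but not filtered on.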
Analysts note that PipeMon closely resembles the PortReuse backdoor, and that this new malware shows the Winnti group is still actively developing new tools, drawing on a number of open-source projects to build them. In other words, the group does not rely solely on its flagship backdoors (ShadowPad and Winnti) and is not standing still.