Specialists of the information security company QuoIntelligence (QuoINT) discovered a new malware sample aimed at the internal network of game developer Gravity. According to their findings, the Chinese Winnti hacking group attacked the developers of the well-known MMORPG Ragnarok Online.
Apparently, the attacks on the company took place in early 2020, and behind them is one of the largest state-sponsored hacking groups in China, Winnti (aka APT41, BARIUM, Blackfly). It is unclear whether the hackers succeeded and whether the attack reached its goal. "We managed to extract the malware configuration file and determine the intended target. In this case, the following line was included in the configuration: 0x1A0: GRAVITY. Based on the previously known facts and goals of the Winnti group, we believe that this sample was probably used for a targeted campaign against Gravity Co., Ltd., a South Korean video game company", wrote QuoINT experts.
The discovered malware was named Winnti Dropper; a dropper is a type of malware that first infects the victim's computer and then delivers additional malware to the system.
"The Gravity campaign is the latest incident in a long series of Winnti attacks targeting the video game industry in general and game companies from South Korea and Taiwan in particular", said QuoIntelligence analysts.
Representatives of Gravity have not yet commented on the conclusions of QuoINT specialists.
Let me remind you that, according to Kaspersky Lab and ESET, Winnti has been attacking game developers for many years, using them to carry out supply-chain attacks. For example, experts found that the hackers compromised at least two popular games and one gaming platform, which affected tens or even hundreds of thousands of users.
Interestingly, according to a 2019 FireEye report, the group does not attack gaming companies for the purpose of cyber espionage.
FireEye analysts suggest that Winnti members generally compromise game companies in their free time, pursuing personal goals: they engage in the theft and manipulation of in-game currencies. In a similar vein, the Syrk ransomware operators attacked Fortnite cheaters.