ESET experts report that the Winnti hacker group (aka Suckfly, APT41, Wicked Panda, Barium, etc.), known for its attacks on game developers, has adopted a new malware. Hackers now use the PipeMon backdoor to attack game developers.
In February 2020, the PipeMon modular malware was discovered on the systems of several developers of multiplayer online games (MMO). The names of the affected companies were not disclosed, but it is known that they are based in South Korea and Taiwan, and their products are available on popular gaming platforms and have thousands of players.Let me remind you that according to ESET, Winnti has been attacking game developers for many years, thus realizing attacks on the supply chain. For example, experts found that hackers attacked the developers of the Ragnarok Online game and at least two more popular games were compromised, which affected tens or even hundreds of thousands of users.
The gang is attacking gaming companies, and its aim even not even cyberespionage. FireEye analysts suggest that Winnti members compromise game companies in their free time, pursuing personal gain: they steal and manipulate game currencies”, – said FireEye in a report at the end of 2019.
In a new PipeMon report, ESET analysts write that in at least one case, Winnti members were able to compromise their victim’s assembly system, that is, they were able to implement an attack on the supply chain and could infect the game’s executable files. In another case, turned out to be hacked game servers, which allowed attackers, for example, to manipulate in-game currency for financial gain.
ESET specialists contacted all the affected companies and provided them with all the necessary information to eliminate the consequences of the attacks.
It was not difficult to establish a connection between PipeMon and the Winnti group. So, some of the malware management servers were previously used by Winnti malware, which was recorded in an expert report on the hack group’s arsenal. In addition, in 2019, Winnti was discovered in the systems of several companies, which were subsequently compromised by PipeMon”, — emphasized ESET researchers.
It is also noted that the stolen certificate (Wemade IO), long known to experts, was used in the new campaign. This certificate, used to sign the PipeMon installer, modules and additional tools, is associated with a video game company that was compromised by hackers back in 2018. Obviously, the certificate was stolen exactly at that time.
ESET researchers published a detailed technical analysis of the new backdoor, which can be found here. Indicators of compromise are posted on GitHub.
Analysts note that PipeMon is very similar to the PortReuse backdoor, and this new malware proves that the Winnti group is still actively developing new tools, using a number of open source projects to create them. That is, the group does not rely solely on its flagship backdoors (ShadowPad and Winnti), and expands its arsenal.
