Researchers at Dell SecureWorks have uncovered what they believe to be a Chinese hacking group specifically focused on stealing source code from video game companies, either in order to crack or cheat at particular games or to use in competing products.
The firm’s Counter Threat Unit said in a lengthy report that it believed the Threat Group (TG) 3279 had been in operation since 2009, judging by domain name registration, message board activity and other indicators.
It pointed to strong links between TG-3279 and two personas, Laurentiu Moon and Sincoder, as well as the China Cracking Group.
“It appears that TG-3279 uses a port scanning tool named ‘s’ and an RDP brute force tool named ‘rdp_crk’, which may be used to scan and exploit targets,” the report claimed.
“As of this publication, CTU researchers have not discovered packaged exploits used by TG-3279 and believe that the threat actors rely on active hands-on-keyboard techniques to exploit targets.”
These techniques include “leveraging optionally loaded DLLs to establish persistence for the Conpee plugin framework”. Conpee is a plug-in-based Remote Access Trojan (RAT).
Another method was to load legitimate DLL imports with malicious Conpee files.
The idea is to compromise the account credentials of targets with admin privileges working at video game companies, in order to install these malicious tools, said Dell.
Once inside an organization, TG-3279 maintains a “long-lived foothold”, updating its malicious tools with newer versions and even with versions that have been signed with valid certificates, in order to fly under the radar of traditional defenses.
Although video game companies are common targets for the Chinese cracking community, the CTU report is slightly unusual in highlighting a persistent targeted attack group from the Middle Kingdom which does not appear to be state-sponsored or focused on stealing defense, energy or political secrets.
“Due to information gathered from targeted hosts, CTU researchers believe with medium confidence that TG-3279 focuses on the collection of video game source code to crack those games for free use, to develop tools to cheat at the games, or to use the source code for competing products,” noted the report.
“The best method for detecting TG-3279 activity is to look for modifications to system files, invalidly signed executables, and repeated non-existent domain (NXDomain) DNS replies.”
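The third indicator in that detection advice, repeated NXDomain replies, is the easiest to turn into a concrete check against resolver logs: an implant polling a dead or not-yet-registered command domain produces a steady stream of NXDOMAIN answers from one host, whereas ordinary typos produce isolated ones. The script below is an added illustration, not code from the SecureWorks report; its simplified BIND-style log format, the sample lines, the 5-in-5-minutes threshold and the host addresses are all constructed for the example.

```python
"""Flag hosts that receive repeated NXDOMAIN DNS replies within a short window.

Added example based on the detection hint quoted from the SecureWorks report;
the log format, sample lines and threshold below are constructed, not taken
from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log lines in a simplified BIND-like format:
# "<ISO timestamp> client <ip> query <name> rcode <RCODE>"
SAMPLE_LOG = """\
2014-01-10T09:00:01 client 10.0.0.5 query www.example.com rcode NOERROR
2014-01-10T09:00:05 client 10.0.0.7 query a1b2c3.example.net rcode NXDOMAIN
2014-01-10T09:00:35 client 10.0.0.7 query a1b2c3.example.net rcode NXDOMAIN
2014-01-10T09:01:05 client 10.0.0.7 query a1b2c3.example.net rcode NXDOMAIN
2014-01-10T09:01:35 client 10.0.0.7 query a1b2c3.example.net rcode NXDOMAIN
2014-01-10T09:02:05 client 10.0.0.7 query a1b2c3.example.net rcode NXDOMAIN
2014-01-10T09:02:35 client 10.0.0.7 query a1b2c3.example.net rcode NXDOMAIN
2014-01-10T09:03:00 client 10.0.0.5 query typo.exmaple.com rcode NXDOMAIN
2014-01-10T13:00:00 client 10.0.0.9 query update.example.org rcode NXDOMAIN
2014-01-10T13:00:30 client 10.0.0.9 query update.example.org rcode NXDOMAIN
2014-01-10T13:00:59 client 10.0.0.9 query update.example.org rcode NXDOMAIN
2014-01-10T13:01:31 client 10.0.0.9 query update.example.org rcode NXDOMAIN
2014-01-10T13:02:00 client 10.0.0.9 query update.example.org rcode NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<name>\S+) rcode (?P<rcode>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, client, name, rcode) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["client"], m["name"], m["rcode"])


def find_nxdomain_beacons(text, threshold=5, window=timedelta(minutes=5)):
    """Return {client: {"count": n, "names": [...]}} for every client that received
    at least `threshold` NXDOMAIN replies inside some span no longer than `window`.
    `count` is the largest number of NXDOMAIN replies seen in any such span."""
    per_client = defaultdict(list)  # client -> [(ts, name), ...], NXDOMAIN only
    for ts, client, name, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, name))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until events[start..end] fit in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = {"count": best, "names": sorted({n for _, n in events})}
    return flagged


def mean_interval_seconds(text, client):
    """Average gap between consecutive NXDOMAIN replies for `client`, or None if
    there are fewer than two. A near-constant gap (here about 30 s) is a stronger
    beaconing signal than the raw count alone; a user mistyping names does not
    retry on a timer."""
    times = sorted(ts for ts, c, _, r in parse_log(text) if c == client and r == "NXDOMAIN")
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    for client, info in find_nxdomain_beacons(SAMPLE_LOG).items():
        gap = mean_interval_seconds(SAMPLE_LOG, client)
        print(f"{client}: {info['count']} NXDOMAIN replies for {info['names']}, mean gap {gap:.1f}s")
```

On the constructed log this flags 10.0.0.7 and 10.0.0.9, each polling one missing name every 30 seconds or so, and ignores 10.0.0.5, whose single NXDOMAIN is a typo. In production the same logic runs over the resolver's query log or passive DNS data, and the flagged host's other two indicators from the report (unexpected changes to system files and executables whose signatures do not validate) are what to check next.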