Chinese Hackers Backdoor Gaming Titles

Written by

Chinese hackers have launched supply chain attacks against three gaming companies in order to spread malware far and wide across Asian endpoints, according to ESET.

The security vendor’s malware researcher, Marc-Etienne M.Léveillé, wrote in a blog post on Monday that the attacks are the work of the well-known Winnti Group, which has used such tactics before.

It targeted two gaming titles and a “gaming platform application," compromising them with the same backdoor code.

Although two of the developers have now fixed the compromise, ESET warned that one of the games, Infestation, is still distributing the trojanized version. The firm has thus far been unable to contact its Thai developer, Electronics Extreme.

It’s still unclear what the final payload is as ESET wasn’t able to analyze the DLL file in question. However, we do know that the group behind it didn’t want any users in Russia or China to be affected, as the malware is designed to stop running if either system language is detected.

Victims are overwhelmingly located in Asia: mainly Thailand (55%) but also the Philippines (13%), Taiwan (13%), Hong Kong (5%), Indonesia (3%) and Vietnam (3%).

Léveillé claimed the number of victims could have reached the hundreds of thousands by now.

“Supply-chain attacks are hard to detect from the consumer perspective. It is impossible to start analyzing every piece of software we run, especially with all the regular updates we are encouraged or required to install. So, we put our trust in software vendors that the files they distribute don’t include malware,” he concluded.

“Perhaps that’s the reason multiple groups target software developers: compromising the vendor results in a botnet as popular as the software that is hacked. However, there is a downside of using such a technique: once the scheme is uncovered, the attacker loses control and computers can be cleaned through regular updates.”

The Chinse government-linked Winnti Group was uncovered by Kaspersky Lab back in 2013, although it had been tracking it since 2011. The collective was known for abusing digital signatures and using a kernel level 64-bit signed rootkit in multiple attacks designed to steal source code and other IP from gaming developers.

What’s hot on Infosecurity Magazine?