Winnti Group Targets Video Game Developers with New Backdoor Malware

Researchers from ESET have discovered a new modular backdoor used by the Winnti Group to target several video game companies that develop MMO (massively multiplayer online) games.

As explained in a blog post, the malware, dubbed ‘PipeMon’ by ESET, targeted companies in South Korea and Taiwan. The video games developed by these companies are distributed all around the world, are available on popular gaming platforms and have thousands of simultaneous players.

According to researchers, the new modular backdoor is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor.

In at least one case, the attackers compromised a company’s build orchestration server, allowing them to take control of the victim’s automated build systems. This could have allowed the attackers to Trojanize video game executables, although there’s no current evidence that has occurred. In another case, attackers compromised a company’s game servers. With this attack, it would be possible to manipulate in-game currencies for financial gain, ESET explained.

“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns,” said Mathieu Tartare, malware researcher at ESET. “Furthermore, in 2019, other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020.”

What’s Hot on Infosecurity Magazine?