A suspected Chinese APT group used a newly discovered modular backdoor to infect at least one video game developer's build orchestration server and at least one other company's game servers, researchers have reported.
Although these attacks appear to have taken place prior to March, such incidents are now more important than ever to detect and defend against, as anecdotal evidence suggests video games are thriving as a popular form of entertainment among consumers who are now stuck at home due to COVID-19 concerns.
The compromised build system could have potentially resulted in a supply chain attack allowing for the trojanization of otherwise legitimate game executables, while the hacked game servers could have been exploited to steal users' in-game currencies for profit, ESET explains in a company blog post released today.
ESET has attributed the attacks to the Winnti Group, a suspected Chinese APT group with a history of conducting software supply chain attacks and victimizing the video game industry in particular. Its unnamed targets were described as gaming companies in South Korea and Taiwan that specialize in Massively Multiplayer Online games found on popular gaming platforms.
Mathieu Tartare, malware researcher at ESET, confirmed to SC Media that there are actually three video game companies were known to be affected. ESET says it alerted the affected companies, which subsequently addressed the compromise.
Researchers found two variants of the backdoor, dubbed PipeMon because it uses multiple named pipes for inter-module communication. To establish persistence, the malware is registered fraudulently as a Print Processor. Depending on the malware version, the DLL-based modules are either stored as a file on disk or stored in the registry by their installer, and then loaded via reflective DLL injection.
The PipeMon modules and installers are all signed a stolen valid code-signing certificate that belongs to a video game company that was previously compromised in a Winnti Group supply chain attack. This company revoked the certificate upon being informed of the situation, ESET reports.
Researchers linked the attacks to Winnti Group because the new backdoor shares C2 architecture with past Winnti attacks, the attackers used TTPs known to be used by the group, and the attacked companies have previously been targeted by these actors. Some victims were also infected with AceHash, a credentials harvester that has also been associated with Winnti Group.
Again, while these attacks appear to have preceded the COVID-19 pandemic, it would be wise for video game developers, platforms and players alike to be wary of attackers looking to take advantage of gaming's continued strong performance while other forms of entertainment remain shuttered. Ransomware and DDoS attacks, for example, remain an ever-present threat, said Tartare.
To counter this latest threat and beyond, Tartare recommends developers employ an up-to-date anti-virus solution (one that can detect PipeMon) monitor newly installed Print Processors (since that is the means through which PipeMon gains persistence, and have "an up-to-date system (OS and software) to benefit from security fixes.
Meanwhile, Tartare added, gaming platforms "should do their best to properly vet the applications they distribute, but to their defense, it's not a trivial task and a trojanized video game through a supply chain attack is not always easy to detect."