Video game developers have allegedly been hit by the Winnti Group. The attackers appear to have been after in-game rewards and in-game currency, and used the PipeMon modular malware to compromise the affected developers.
According to ESET experts, Winnti Group used the new PipeMon modular malware, disguised as print processing software, during attacks on the systems of several developers of massively multiplayer online games (MMOs) in South Korea and Taiwan.
According to the experts, in at least one campaign the criminals were able to compromise a developer's build orchestration server and gain access to the keys of its automated build systems. This could have allowed them to tamper with downloadable video game executables, but the security team could find no evidence of such an attack.
Instead, the criminals seem to have focused on compromising the game developers’ servers for “manipulating in-game currencies and gaining financial gain.”
The PipeMon backdoor, signed with a stolen Wemade IO certificate, consists of modules that are loaded using the reflective DLL loading technique. Alongside the new backdoor, the experts found the well-known Winnti malware, a user credential collector, evidence of abuse of several open-source tools, and links to the group's C&C servers.
The specialists discovered two versions of PipeMon, the first of which lacked an installer. The second came with an installer that drops a loader into the Windows print processor directory. After registering the malicious DLL, PipeMon restarts the print spooler service to ensure persistence before writing additional modules and malicious executables to the temporary file directory.
The encrypted payload is then unpacked and stored in the registry before communication with the C&C server is established. System information, including the computer name, IP address and OS version, is collected and sent to the C&C server, encrypted with RC4.
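Because the persistence described above relies on a DLL registered as a print processor, a defender can audit that registration point directly. The following PowerShell script is an added example, not code from the ESET report; it assumes a 64-bit Windows host where the only stock print processor is winprint (winprint.dll), and treats anything else, or anything signed by a non-Microsoft publisher (as the stolen Wemade IO certificate would be), as worth a closer look.

```powershell
# Added example: list print processors registered on this host and flag any
# that are not the Windows default or are not signed by Microsoft.
# Assumption: 64-bit Windows, where the stock print processor is winprint.
$envKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64'
$ppRoot    = Join-Path $envKey 'Print Processors'
$ppDir     = Join-Path $env:SystemRoot 'System32\spool\prtprocs\x64'
$knownGood = @{ 'winprint' = 'winprint.dll' }   # stock Windows print processor

Get-ChildItem -Path $ppRoot | ForEach-Object {
    $name   = $_.PSChildName
    # The Driver value names the DLL that the spooler loads for this processor.
    $driver = (Get-ItemProperty -Path $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
    $path   = if ($driver) { Join-Path $ppDir $driver } else { $null }
    $sig    = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    $findings = @()
    if (-not $knownGood.ContainsKey($name) -or $knownGood[$name] -ne $driver) {
        $findings += 'non-default print processor'
    }
    if (-not $sig -or $sig.Status -ne 'Valid') {
        $findings += 'DLL missing or signature not valid'
    }
    elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        # A valid signature is not proof of legitimacy: PipeMon carried a valid
        # signature from a stolen third-party certificate.
        $findings += "valid signature from non-Microsoft publisher: $($sig.SignerCertificate.Subject)"
    }

    [pscustomobject]@{
        Name     = $name
        Driver   = $driver
        Path     = $path
        Findings = ($findings -join '; ')
    }
} | Format-Table -AutoSize
```

Run it elevated; a clean host shows a single winprint entry with an empty Findings column, and any extra row is a candidate for triage together with the spooler's recent restarts.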