Cyber criminal gang targets online gaming industry
Winnti cyber crime gang has been active since 2009, conducts cyber espionage, credential theft
The cyber criminal gang known as "Winnti" has been conducting a sustained cyber espionage campaign against approximately 30 companies in the online gaming industry since 2009 and is still active today. The group's objectives are stealing digital certificates belonging to legitimate software vendors, and intellectual property theft, including the source code of online game projects.
Currently Kaspersky Lab's investigation into the group is ongoing. The company's team of experts has been working with the IT security community, online gaming industry and certificate authorities to identify additional infected servers while assisting with the revocation of stolen digital certificates.
In addition to industrial espionage, Kaspersky Lab's experts have identified three main monetisation schemes that could be used by the Winnti group to generate an illegal profit. The first is manipulating the accumulation of in-game currency, such as "runes" or "gold", used by players, and converting the accumulated virtual money into real money; the second is using the stolen source code from online game servers to search for vulnerabilities inside games, in order to augment and accelerate the manipulation and accumulation of in-game currency without arousing suspicion; and the third is using the stolen source code from the servers of popular online games to deploy their own pirated servers.
More than 30 companies in the online gaming industry had been infected by the Winnti group, according to Kaspersky Lab, with the majority being software development companies producing online video games in South East Asia. However, online gaming companies located in Germany, the United States, Japan, China, Russia, Brazil, Peru, and Belarus were also identified as victims of the Winnti group.
Kaspersky Lab's team of experts published a detailed research report showing that the first incident that drew attention to the Winnti group's malicious activities occurred in the autumn of 2011, when a malicious Trojan was detected on a large number of end-user computers across the globe. The link between all of the infected computers was that they were used to play a popular online game. Shortly after the incident, details emerged that the malicious programme which had infected the users' computers was part of a regular update from the gaming company's official server. Infected users and members of the gaming community suspected the computer game publisher was installing the malware to spy on its customers. However, it later became clear that the malicious programme had been installed on the players' computers by accident, and that the cybercriminals were actually targeting the computer game company itself.
In response, the computer game publisher that owned the servers which spread the Trojan to its users asked Kaspersky Lab to analyse the malicious programme. The Trojan turned out to be a DLL library compiled for a 64-bit Windows environment and used a properly signed malicious driver. It was a fully functional Remote Administration Tool (RAT), which gives attackers the ability to control a victim's computer without the user's knowledge. The finding was significant because this Trojan was the first malicious program for the 64-bit version of Microsoft Windows 7 that carried a valid digital signature.