
Winnti Group targets video game developers: ESET

The new modular backdoor PipeMon is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor


ESET researchers have discovered a new modular backdoor used by the Winnti Group against several video game companies that develop MMO (massively multiplayer online) games. The malware, named PipeMon by ESET, was found at companies in South Korea and Taiwan, and ESET identified two distinct variants of it.

The video games developed by these companies are distributed all around the world, are available on popular gaming platforms, and have thousands of simultaneous players.

In at least one case, the attackers compromised the company’s build orchestration server, giving them control of the victim’s automated build pipeline. From that position they could have trojanized the game executables the pipeline produces and shipped them to players as legitimate releases. “However, we do not have evidence this has occurred,” said Mathieu Tartare, Malware researcher at ESET.

In another case, the operators compromised the company’s game servers. With this attack, it would be possible to manipulate in-game currencies for financial gain. ESET contacted the affected companies and provided the necessary information and assistance to remediate the compromise.

“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns. Furthermore, in 2019 other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020,” he added. 

The new modular backdoor PipeMon is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor. “This new implant shows that the attackers are actively developing new tools using multiple open source projects and don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware,” said Tartare.
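The practical lesson of a malware family signed with a stolen certificate is that a valid Authenticode signature proves only that the file chains to a trusted root, not that the signer is who you expect. The PowerShell script below is an added example, written for this page and not part of ESET’s research or tooling: it walks a build output directory and flags executables and DLLs that are unsigned, were modified after signing, or are validly signed but by a certificate whose thumbprint is not on the organisation’s own allowlist. The directory path and the placeholder thumbprint are assumptions; replace them with your real signing certificates.

```powershell
# Added example (not ESET's or the Winnti research's code): audit Authenticode
# signatures on build artifacts and flag anything not signed by an allowlisted
# certificate. A "Valid" status alone is not enough, because a certificate
# stolen from another organisation still produces a Valid signature.
param(
    # Assumed location of the build pipeline's output; adjust for your environment.
    [string]$Root = "C:\Games\Build\Output",
    # Placeholder SHA-1 thumbprints of the certificates your organisation signs with.
    [string[]]$AllowedThumbprints = @("0000000000000000000000000000000000000000")
)

$findings = foreach ($file in Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll) {
    $sig   = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert  = $sig.SignerCertificate
    $thumb = if ($cert) { $cert.Thumbprint } else { $null }

    # Order matters: unsigned and tampered files are reported before we
    # bother checking who signed a file that verifies cleanly.
    $reason = $null
    if ($sig.Status -eq 'NotSigned') {
        $reason = 'unsigned'
    }
    elseif ($sig.Status -eq 'HashMismatch') {
        $reason = 'file content changed after signing'
    }
    elseif ($sig.Status -ne 'Valid') {
        $reason = "signature status $($sig.Status)"
    }
    elseif ($AllowedThumbprints -notcontains $thumb) {
        # Valid chain, wrong signer: the case a stolen certificate produces.
        $reason = 'valid signature from a certificate outside the allowlist'
    }

    if ($reason) {
        [pscustomobject]@{
            Path       = $file.FullName
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject } else { '' }
            Thumbprint = $thumb
            Reason     = $reason
        }
    }
}

if ($findings) {
    $findings | Sort-Object Reason, Path | Format-Table -AutoSize
}
else {
    Write-Output "All signed artifacts under $Root use an allowlisted certificate."
}
```

Run it from a release gate after the build pipeline finishes and before artifacts are uploaded to a distribution platform; because the allowlist is keyed on thumbprint rather than subject name, a certificate issued to a similarly named organisation, or one stolen from a partner, is reported even though Windows itself would accept it.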
