(Photo by Christian Petersen/Getty Images)An infamous hacking group has been found preying on several gaming companies in Asia with at least one of attacks capable of spreading malware to users’ machines.
On Thursday, the security firm ESET published new research on how the “Winnti Group” has been successfully infiltrating game servers behind popular MMO (Massively Multiplayer Online) titles.
ESET refrained from naming the affected game companies, but said they were based in South Korea and Asia.
“The video games developed by these companies are distributed all around the world, are available on popular gaming platforms, and have thousands of simultaneous players,” the antivirus vendor added.
In at least one attack, the hackers managed to hijack the gaming company’s “build orchestration server,” enabling them to plant malware inside the video game executables.
However, ESET has uncovered no evidence the hackers ever decided to booby-trap the program files.
In another attack, the hackers achieved the ability to manipulate the virtual currency inside a game for their own financial benefit.
ESET’s researchers uncovered the attacks when malware was discovered on the gaming companies’ servers.
How the malicious code, dubbed PipeMon, exactly managed to slip inside the systems isn’t entirely clear.
But the malware can masquerade as program names including setup.exe along with slack.exe, the executable for the workplace chat service Slack.
(Credit: ESET) The hackers also managed to steal and incorporate code-signing certificates from a legitimate gaming vendor into PipeMon.
As a result, the malware was able to bypass the security protections on Windows upon install.
(Credit: ESET) “Multiple indicators led us to attribute this campaign to the Winnti Group,” said ESET researcher Mathieu Tartare in a statement.
“Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns.
Furthermore, in 2019 other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020.”
The good news is that ESET has contacted all the affected game companies and provided guidance on how to remove the malware.
The stolen code-signing certificates have also been revoked.
However, the Winnti Group will almost certainly strike again.
The hacking crew, which is possibly based in China, has a long history of infiltrating video game companies to steal source code, and code-signing certificates.
ESET also blames the Winnti Group for breaking into Avast's CCleaner and PC vendor Asus back in 2017 and 2019 in order to plant malware into their software programs used by millions of customers.
(Photo by Christian Petersen/Getty Images)An infamous hacking group has been found preying on several gaming companies in Asia with at least one of attacks capable of spreading malware to users’ machines.
On Thursday, the security firm ESET published new research on how the “Winnti Group” has been successfully infiltrating game servers behind popular MMO (Massively Multiplayer Online) titles.
ESET refrained from naming the affected game companies, but said they were based in South Korea and Asia.
“The video games developed by these companies are distributed all around the world, are available on popular gaming platforms, and have thousands of simultaneous players,” the antivirus vendor added.
In at least one attack, the hackers managed to hijack the gaming company’s “build orchestration server,” enabling them to plant malware inside the video game executables.
However, ESET has uncovered no evidence the hackers ever decided to booby-trap the program files.
In another attack, the hackers achieved the ability to manipulate the virtual currency inside a game for their own financial benefit.
ESET’s researchers uncovered the attacks when malware was discovered on the gaming companies’ servers.
How the malicious code, dubbed PipeMon, exactly managed to slip inside the systems isn’t entirely clear.
But the malware can masquerade as program names including setup.exe along with slack.exe, the executable for the workplace chat service Slack.
(Credit: ESET) The hackers also managed to steal and incorporate code-signing certificates from a legitimate gaming vendor into PipeMon.
As a result, the malware was able to bypass the security protections on Windows upon install.
(Credit: ESET) “Multiple indicators led us to attribute this campaign to the Winnti Group,” said ESET researcher Mathieu Tartare in a statement.
“Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns.
Furthermore, in 2019 other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020.”
The good news is that ESET has contacted all the affected game companies and provided guidance on how to remove the malware.
The stolen code-signing certificates have also been revoked.
However, the Winnti Group will almost certainly strike again.
The hacking crew, which is possibly based in China, has a long history of infiltrating video game companies to steal source code, and code-signing certificates.
ESET also blames the Winnti Group for breaking into Avast's CCleaner and PC vendor Asus back in 2017 and 2019 in order to plant malware into their software programs used by millions of customers.
