Game Dev Under Supply-Chain Attack by Winnti Group

Delaware, USA – March 12, 2019 – Game development business has recently become the target of the notorious Chinese Winnti Group, ESET informs in their research. A gaming platform and two headline games have fallen the victims to the recent attack that compromised the networks and darted in a malicious payload. All three victims of Winnti Group came with the same backdoor code and infection mechanism, two of them do not longer distribute the malicious version, but the third one, Thai developer Electronics Extreme, is still distributing the version of the Infestation game that includes a backdoor. According to the researchers’ telemetry, most of the victims are located in Asia, and more than a half total in Thailand. Another peculiarity of the attack is that it doesn’t touch computers using Russian or Chinese as a system language.

The malicious code is embedded inside the main executable file. It is the first one to be executed after a victim launches the game unpacking and running a backdoor. The malware configuration code consists of fields identifying the command and control (C&C) server, campaign identifier, a variable determining the wait time before the execution, and the list of .exe files that if running will stop the malware execution. The second stage payload is masquerading to be a Windows service, but its prime objectives are not clear since the C&C server is out of access.

Supply-chain attacks are still one of the most hazardous threats for businesses leading to steep losses and downtimes, the most destructive attack of that kind was NotPetya outbreak, which cost organizations $10 billion in total damages. To access the infrastructure, attackers often compromise VPN connections. You can leverage the VPN Security Monitor rule pack to detects typical signs of abuse or unauthorized access to the service: