Winnti Group hits video gaming firms in Asia with PipeMon malware

PipeMon is a modular backdoor that mimics print processing software

Researchers from cyber security firm ESET have discovered a new modular backdoor being used by infamous hacking group Winnti to target video game developers in Asia.

In a new report published on Thursday, ESET researchers provided detailed information about the malware and how hackers have been using it to target gaming firms.

While ESET researchers refrained from naming the affected companies, they said that most victims are based in South Korea, Taiwan and some other Asian countries. These firms are known for some highly popular MMO (Massively Multiplayer Online) titles currently available on various gaming platforms.

The researchers said Winnti Group has been using a new piece of malware, dubbed 'PipeMon', to infiltrate game servers.

PipeMon is a modular backdoor that mimics print processing software. It was signed with a Wemade IO certificate, which was likely stolen by the hackers during an earlier campaign. The PipeMon backdoor contains DLL modules that are loaded on the target device using a reflective loading technique.
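Because PipeMon poses as print processing software and carries a valid-looking signature from a stolen certificate, a check that only asks "is this DLL signed?" is not enough. The script below is an added defensive example, not code from ESET or from the report: it enumerates the print processors registered with the Windows print spooler, resolves each one's DLL, and flags any whose Authenticode signature is missing, invalid, or from a publisher outside an allow-list. The registry path under `HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments` and the `Get-AuthenticodeSignature` cmdlet are standard Windows; the `$expectedPublishers` list is an assumption to adapt to the vendors actually present in your fleet.

```powershell
# Added example (not from the ESET report): audit registered print processors.
# A print processor is a DLL the spooler loads from System32\spool\prtprocs,
# registered under Environments\<arch>\Print Processors\<name> with a "Driver"
# value naming the file. We list each one and judge its signature.

$envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$procDir = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

# Assumption: publishers we expect to ship print processors on this host.
# A stolen but technically valid certificate fails this list even though
# Get-AuthenticodeSignature reports its Status as Valid.
$expectedPublishers = @('Microsoft Windows')

$findings = foreach ($envKey in Get-ChildItem -Path $envRoot) {
    $ppRoot = Join-Path $envKey.PSPath 'Print Processors'
    if (-not (Test-Path $ppRoot)) { continue }

    foreach ($pp in Get-ChildItem -Path $ppRoot) {
        $dllName = (Get-ItemProperty -Path $pp.PSPath).Driver
        if (-not $dllName) { continue }

        # Locate the DLL under the spooler's print processor directory.
        $dll = Get-ChildItem -Path $procDir -Recurse -Filter $dllName -ErrorAction SilentlyContinue |
               Select-Object -First 1

        if (-not $dll) {
            [pscustomobject]@{
                Environment = $envKey.PSChildName
                Processor   = $pp.PSChildName
                Dll         = $dllName
                Status      = 'FileMissing'
                Signer      = $null
                Suspicious  = $true
            }
            continue
        }

        $sig    = Get-AuthenticodeSignature -FilePath $dll.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # Suspicious unless the signature is valid AND the signer is allow-listed.
        $trusted = ($sig.Status -eq 'Valid') -and
                   ($expectedPublishers | Where-Object { $signer -like "*CN=$_*" })

        [pscustomobject]@{
            Environment = $envKey.PSChildName
            Processor   = $pp.PSChildName
            Dll         = $dll.FullName
            Status      = $sig.Status
            Signer      = $signer
            Suspicious  = -not $trusted
        }
    }
}

# Suspicious entries first; on a clean host you expect only winprint.dll,
# signed by Microsoft, per environment.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host being checked. An entry with Status `Valid` but a signer that is not on the allow-list is exactly the pattern a stolen-certificate sample produces, which is why the publisher check, not the signature status alone, is the decision point.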

The researchers said they found one instance in which hackers were able to infiltrate a firm's build orchestration server and take control of the victim's automated build systems.

However, no evidence was found of attackers being able to Trojanise video game executables.

In another case, Winnti hackers compromised a firm's game servers - an attack that would enable attackers to manipulate in-game currencies for financial gain.

Researchers said they found multiple indicators that led them to attribute the campaign to the Winnti Group. For example, some command and control (C&C) domains used by the PipeMon malware were the same domains used by Winnti malware in previous campaigns.

Security experts believe that a number of APT groups currently operate under the Winnti umbrella. These include groups labelled Winnti, APT17, APT41, BARIUM, Blackfly, DeputyDog, LEAD, Axiom, ShadowPad and PassCV.

These groups have been observed to use similar strategies and techniques and, in some cases, they even shared parts of the same hacking infrastructure.

Winnti Group is thought to be responsible for some highly sophisticated cyber attacks against high-profile targets, including tech firms, Chinese journalists, the Government of Thailand, and activists fighting for the Tibetan and Uyghur causes.

The group is also linked to a cyber attack against the South Korean gaming firm Gravity, as well as other campaigns targeting game vendors in 2019.