Video game companies are again victims of the Winnti hacking team, which used new malware that researchers called PipeMon and a new method to achieve persistence.
PipeMon is a modular backdoor that was spotted earlier this year on servers belonging to several online multiplayer game developers (MMOs).
Winnti's activity has been around since 2011. Most victims come from the video game industry and software, but the team also targets organizations in the areas of healthcare and education.
The team is known for its supply chain attacks to millions of users using software such as Asus LiveUpdate, CCleaner or the financial sector (NetSarang).
Researchers at the cybersecurity company ESET found a new door to Winnti in February. Two variations of malwrae were found in servers Multiple multiplayer games (MMO) from South Korea and Taiwan.
The security company is aware of at least one case where the perpetrator managed to endanger it system of a victim. If they had penetrated successfully, Winnti could have installed malware in the video game.
In a report today, ESET says that the body of evidence uncovered in these attacks clearly "shows" Winnti. Despite the innovation of malware PipeMon, the backdoor was signed using a certificate belonging to a video game company that was attacked in 2018.
This confirmation is not alone. The hackers reused some command and control (C2) domains that were observed in others campaigns and a custom login stealer he had previously seen in other Winnti victims.
It remains active in the system
Of the two variants of PipeMon that were discovered, the researchers could only find one way to install and achieve persistence.
To make sure the malware remains active on systems, Winnti used Windows Printing Processors (DLLs) that convert spooled data from a "print job" to readable form from a print screen.
A malicious DLL loader crashes where the print processors are located and is registered as an alternative print processor. This is done by modifying one of the two registry values (typographical error in the registry key does not affect the installation):
The malware then restarts the print spooler service to load it malicious procedure. As the service starts each time the computer starts, persistence is achieved.
ESET notes that similar technique was observed with the DePriMon download program, but researchers believe that the way PipeMon works has not been done before.
According to research, PipeMon is a modular backdoor, where each element is a DLL with different functionality.
They are encrypted on the disk and hidden under the non-suspicious names you see below. Custom commands can load other modules to order.
ESET notes that the update for PipeMon was most likely written from scratch, although they observed the same code structure.
For the past decade, Winnti has been developing its arsenal of malicious tools and carrying out attacks against various targets. Her preference for toy companies and supply chain attacks are still notable in its most recent activity.