ESET researchers have discovered a new modular backdoor used by the Winnti Group against several video game companies that develop MMO (massively multiplayer online) games. The malware, named PipeMon by ESET, targeted companies in South Korea and Taiwan. The video games developed by these companies are distributed all around the world, are available on popular gaming platforms, and have thousands of simultaneous players.
In at least one case, the attackers compromised the company’s build orchestration server, allowing them to take control of the victim’s automated build systems. This could have allowed the attackers to trojanize video game executables. “However, we do not have evidence this has occurred,” says Mathieu Tartare, Malware researcher at ESET. In another case, the operators compromised the company’s game servers. With this attack, it would be possible to manipulate in-game currencies for financial gain. ESET contacted the affected companies and provided the necessary information and assistance to remediate the compromise.
“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns. Furthermore, in 2019 other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020,” says Mathieu Tartare, ESET researcher monitoring the Winnti Group. There are other notable similarities that researchers explore in the blogpost.
The new modular backdoor PipeMon is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor. “This new implant shows that the attackers are actively developing new tools using multiple open source projects and don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware,” adds Tartare. ESET was able to trace two different variants of PipeMon.