Researchers at the security firm ESET reveal that hackers from the Winnti group, one of the most active since 2009, used a previously undetected backdoor to infect game developers. The use of PipeMon made it possible to distribute trojanized software to the players of one title and to steal in-game currency from the players of another.
PipeMon carries a legitimate Windows code-signing certificate that was stolen from Nfinity Games in 2018. The backdoor takes advantage of the location where Windows print processors are registered in order to 'survive' even if the machine restarts, ArsTechnica explains.
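As an added example, not code from the article or from ESET, the following PowerShell check lets a defender enumerate the print processors registered on a 64-bit Windows host and flag any whose DLL is missing, unsigned or not the default entry; the registry key and spooler directory are the standard Windows locations, and the flag names are my own.

```powershell
# Added example: list registered print processors and flag suspicious entries.
# Each subkey under this standard key names a processor; its "Driver" value is a
# DLL that the print spooler loads from the prtprocs directory at start-up.
$Key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'
$ProcDir = Join-Path ([Environment]::SystemDirectory) 'spool\prtprocs\x64'

Get-ChildItem -Path $Key | ForEach-Object {
    $name   = $_.PSChildName
    $driver = (Get-ItemProperty -Path $_.PSPath).Driver
    $signer = ''
    $flags  = @()

    if (-not $driver) {
        $flags += 'no-driver-value'
    } else {
        $path = Join-Path $ProcDir $driver
        if (-not (Test-Path -LiteralPath $path)) {
            $flags += 'dll-missing'
        } else {
            # Any Authenticode state other than Valid deserves a look. A valid
            # signature made with a stolen certificate still passes this test,
            # so the signer subject is reported for review as well.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $flags += "sig-$($sig.Status)" }
            if ($sig.SignerCertificate)  { $signer = $sig.SignerCertificate.Subject }
        }
    }
    # On a default installation typically only 'winprint' is registered.
    if ($name -ne 'winprint') { $flags += 'non-default' }

    [pscustomobject]@{
        Processor = $name
        Driver    = $driver
        Signer    = $signer
        Flags     = ($flags -join ',')
    }
} | Format-Table -AutoSize
```

Because the article describes a backdoor signed with a legitimately issued but stolen certificate, a 'Valid' signature is not by itself reassuring; a non-default processor with an unfamiliar signer is the entry to investigate.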
ESET has not identified the affected game makers, indicating only that they are several developers based in South Korea and Taiwan. Based on the sophistication of this attack, on that of the 2018 attack in which the group obtained the Nfinity certificate, and on the targets chosen, it is believed that members of the group have some affiliation with the Chinese government.
A code-signing certificate is required for drivers so that software can access the kernel, the most critical security component of an operating system, and a valid signature helps software pass security protections such as antivirus and other mechanisms. Revocation of the certificate in question was only requested after ESET disclosed the problem.
The Winnti hackers have been active since 2009 and are held responsible for hundreds of computer attacks against Chinese journalists, Tibetan and Uyghur activists, the government of Thailand and several important technology organizations. In 2010, the hackers managed to steal data from Google and 34 other companies. A supply-chain operation resulted in the installation of a backdoor on more than 500,000 Asus computers.
"In at least one case, the malware operators managed to compromise a victim's build system, which may have led to supply-chain attacks, allowing the attackers to inject trojans into the game executables (…) In another case, the game servers were compromised, which may have allowed, for example, the manipulation of the in-game currency system for financial gain", ESET details in a statement, explaining that it has yet to find evidence of any other type of attack.
The article "Flaw used by hackers to attack game developers revealed" first appeared in Visão.