The Slovak security company ESET has detected new malware that infected MMO game developers and, through a malicious application, stole third-party virtual currencies. The unprecedented operation was attributed to Winnti, a hacking group active since 2009 and responsible for hundreds of advanced attacks worldwide.
This time a previously unseen backdoor was used, which ESET nicknamed PipeMon. To evade defenses, the attackers produced code-signing certificates that imitated legitimate Windows signatures. It is assumed that this was made possible by an incident Nfinity Games reported in 2018, in which the theft of such certificates from the developer was discovered.
PipeMon achieves persistence by tampering with the registered location of print processors, user-mode DLLs responsible for authorizing application actions, so that the malware is not deactivated after a reboot. This guarantees the continuity of the malicious activity.
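As an added example (not from ESET's report or the original article), the following Python script audits the registry key under which Windows print processors are registered, the persistence location described above, using a constructed `reg export` text; the rogue entry name and DLL are placeholders.

```python
"""Audit Windows print-processor registrations (persistence via the spooler)."""
import re

# Registry key under which 64-bit print processors are registered; the spooler
# loads every DLL listed here at start-up, so entries survive reboots.
PRINT_PROCESSORS_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print"
    r"\Environments\Windows x64\Print Processors"
)
# The only print processor present on a stock Windows install.
KNOWN_GOOD = {"winprint": "localspl.dll"}

# Constructed sample `reg export` output: the stock entry plus one made-up
# rogue entry (ExamplePP / example_rogue.dll are placeholders, not indicators).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\ExamplePP]
"Driver"="example_rogue.dll"
"""

def parse_print_processors(reg_text):
    """Return {processor_name: driver_dll} parsed from a .reg text export."""
    procs, current = {}, None
    prefix = PRINT_PROCESSORS_KEY + "\\"
    for line in reg_text.splitlines():
        key = re.match(r"^\[(.+)\]$", line.strip())
        if key:  # a new key; remember the subkey name if it is a print processor
            name = key.group(1)
            current = name[len(prefix):] if name.startswith(prefix) else None
            continue
        drv = re.match(r'^"Driver"="(.+)"$', line.strip())
        if drv and current:
            procs[current] = drv.group(1)
    return procs

def find_suspicious(procs):
    """Flag entries that are not the stock pair, or whose Driver is a path
    rather than the bare DLL name the spooler expects."""
    findings = []
    for name, dll in procs.items():
        if "\\" in dll or "/" in dll:
            findings.append((name, dll, "driver value contains a path"))
        elif KNOWN_GOOD.get(name.lower()) != dll.lower():
            findings.append((name, dll, "not a stock print processor"))
    return findings
```

Legitimate printer drivers also register print processors, so every flagged entry needs triage (verify the DLL's signature and publisher) rather than being treated as malicious outright.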
Extent of the damage unknown
Little information has been released about the case. The affected companies are known to include South Korean and Taiwanese developers, with thousands of MMO players potentially affected. “There is at least one confirmed record, which may have led to a chain attack, allowing criminals to insert trojans into executables,” ESET said, raising suspicion of the group’s connection with the Chinese government.
According to ESET, such attacks are likely nothing more than tests carried out in preparation for larger objectives. The use of fraudulent certificates is only the latest example of earlier activity, and, given the number of developers in the countries mentioned, there is no way to determine how many years this has gone on.