Researchers from ESET have discovered a new malware family, which the cyber security vendor has named PipeMon, used by the infamous Winnti hacking group to target developers of Massively Multiplayer Online (MMO) games in Taiwan and South Korea.
Their games are available on various popular gaming platforms and have thousands of simultaneous players.
In at least one case, the malware operators compromised a victim’s build system, which could have led to a supply-chain attack, allowing the attackers to trojanize game executables. In another case, the game servers were compromised, which could have allowed the attackers to, for example, manipulate in-game currencies for financial gain.
ESET contacted the affected companies and provided the necessary information to remediate the compromise.
“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the C&C domains used by PipeMon were used by Winnti malware in previous campaigns mentioned in our white paper on the Winnti Group arsenal. Besides, Winnti malware was also found in 2019 at some of the companies that were later compromised with PipeMon,” said Mathieu Tartare, Malware Researcher at ESET.
The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the software industry, leading to the distribution of trojanized software (such as CCleaner, ASUS LiveUpdate and multiple video games) that is then used to compromise more victims. Recently, ESET researchers also discovered a campaign by the Winnti Group targeting several Hong Kong universities with ShadowPad and Winnti malware.