ESET breaks down attacks targeting gamers and IT manufacturers
ESET researchers recently dissected the updated arsenal of the Winnti Group.
The group is known for its espionage capability and targeted attacks, although financial motivations cannot be excluded.
Already in March 2019, ESET researchers warned about Winnti’s new supply-chain attacks targeting video game players in Asia.
While the majority of the victims targeted were in Asia, there was also a small percentage of victims affected in Brazil, Peru, Turkey, and Russia.
Following this earlier publication, ESET research continued its investigation in two directions.
First, to explore the next stages delivered by this attack.
Second, to discover how organisations’ digital supply chains have been compromised to deliver malware in their applications.
“It is not an easy task. Searching for a small piece of well-hidden code added to a sometimes huge, existing code base is like finding a needle in a haystack. However, we relied on behaviours and code similarity to help us spot the needle,” says ESET researcher Marc-tienne Lveill.
“Since we were intrigued by the unique packer used in the recent supply-chain attacks against the gaming industry in Asia, we went on the hunt to find out if it was used elsewhere. And it was,” he added.
The Winnti Group uses this packer in a backdoor dubbed PortReuse.
In collaboration with Censys, ESET performed an Internet-wide scan to try to identify one variant of the backdoor, and potential victims.
ESET researchers were able to warn one major mobile software and hardware manufacturer in Asia that they had been compromised with PortReuse.
ESET also analysed new variants of Shadowpad, another backdoor used by the Winnti Group, still being maintained and actively used by its operators.
Interestingly, the researchers said they were quite surprised by the final stage they found in the recent supply-chain incident in games.
Lveill says, “This group is known for its espionage capability, not for mining cryptocurrencies using their botnet. Perhaps they use the virtual money they mine to finance their other operations.
“Maybe they use it for renting servers and registering domain names. But at this point, we cannot exclude that they, or one of their subgroups, could be motivated by financial gain.”
The research team made this inference after it was able to acquire the third and final stage of the supply-chain attack it described.
Once decrypted, the researchers found that the payload was a custom version of XMRig, a popular open-source cryptocurrency miner.