
Several video game companies found to be infected with malware used in ShadowHammer attack

  • The Operation ShadowHammer attack affected ASUS laptops in March last year.
  • Innovative Extremist Co. Ltd. and Electronics Extreme Ltd. from Thailand, and Zepetto Co. from South Korea are the new victims.

Several video game companies have been found to be infected with malware in a manner similar to the earlier compromise of ASUS computers. The Operation ShadowHammer attack affected ASUS and its customers in March last year.

The big picture - In its latest research, Kaspersky Lab has discovered that the ‘Operation ShadowHammer’ attack infiltrated six companies other than ASUS. These include Innovative Extremist Co. Ltd. and Electronics Extreme Ltd. from Thailand and Zepetto Co. from South Korea. The researchers also detected the attack on an unknown conglomerate holding company and a pharmaceutical company, both based in South Korea.

How was the attack executed - In the case of Electronics Extreme Company Limited, researchers found that the attackers had compromised ‘The War Z’ game servers on April 4, 2013, using the malware. Later, the source code of the game was probably stolen and released to the public.

Similarly, in the case of Innovative Extremist, a poorly maintained development environment, leaked source code and vulnerable production servers were leveraged to plant the malware.

“All these cases involve digitally signed binaries from three vendors based in three different Asian countries. They are signed with different certificates and a unique chain of trust. What is common to these cases is the way the binaries were trojanized,” the researchers explained.

What are the characteristics of the malware - Once installed, the malware checks whether any unwanted process is running on the system and whether the system language ID is Simplified Chinese or Russian. It does not proceed further if any of these conditions is met.

“It also checks for the presence of a mutex named Windows-{0753-6681-BD59-8819}, which is also a sign to stop the execution,” researchers noted.

After all the checks are complete, the malware gathers information about the system, including the network adapter MAC address, system username, hostname and IP address, Windows version, CPU architecture, and screen resolution.

The malware uses HTTP to communicate with the C2 server of the attackers.
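The mutex name quoted above can serve as a host indicator. The following is an added example, not code from the article or from the researchers, that sweeps an endpoint handle inventory for processes holding that mutex. It assumes (the article does not say so) that a running instance holds the mutex; the CSV column layout and all sample rows are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Mutex name quoted in the article.
MUTEX_NAME = "Windows-{0753-6681-BD59-8819}"

# Win32 named objects live under \BaseNamedObjects, either global or per session.
_NAMED_OBJECT = re.compile(r"^\\(?:Sessions\\\d+\\)?BaseNamedObjects\\(.+)$")

# Constructed sample; the CSV columns are a hypothetical export format.
SAMPLE_INVENTORY = r"""host,pid,image,type,object
WS-014,4312,C:\Games\launcher.exe,Mutant,\Sessions\1\BaseNamedObjects\Windows-{0753-6681-BD59-8819}
WS-014,4312,C:\Games\launcher.exe,File,\Device\HarddiskVolume3\Games\data.pak
WS-022,980,C:\Windows\System32\svchost.exe,Mutant,\BaseNamedObjects\Windows-{0753-6681-BD59-8819}-helper
WS-031,2210,C:\Tools\updater.exe,Mutant,\BaseNamedObjects\Windows-{0753-6681-BD59-8819}
WS-040,777,C:\Apps\viewer.exe,Event,\Sessions\2\BaseNamedObjects\Windows-{0753-6681-BD59-8819}
WS-051,1500,C:\Apps\sync.exe,Mutant,\Sessions\1\BaseNamedObjects\windows-{0753-6681-bd59-8819}
"""


def find_mutex_holders(inventory_csv, mutex_name=MUTEX_NAME):
    """Return {host: [(pid, image), ...]} for processes holding the named mutex."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["type"] != "Mutant":  # Windows object type name for a mutex
            continue
        match = _NAMED_OBJECT.match(row["object"])
        # Exact comparison: Win32 mutex names are case sensitive, and a longer
        # name that merely starts with the indicator is a different object.
        if match and match.group(1) == mutex_name:
            hits[row["host"]].add((int(row["pid"]), row["image"]))
    return {host: sorted(procs) for host, procs in sorted(hits.items())}


if __name__ == "__main__":
    for host, procs in find_mutex_holders(SAMPLE_INVENTORY).items():
        for pid, image in procs:
            print(f"{host}: pid {pid} ({image}) holds {MUTEX_NAME}")
```

A hit identifies the process to triage; it is not proof of infection on its own, since any program can create a mutex with this name.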
