Winnti Continues to Pursue Game Developers and Publishers Using FunnySwitch Backdoor

The China-based Winnti group (aka Barium) is back in action with new tricks and tools. This group has used a number of new malware in some recent attacks, according to Positive Technologies.

What Winnti is doing now?

Keeping its eye on Russian computer game developers such as Battlestate Games - a Unity3D game developer from St. Petersburg (Russia), the Winnti group has used various droppers, loaders, and injectors in several recent attacks.
  • Tracing back to the May 2020 attacks, researchers have revealed the use of LNK shortcuts, malicious RAR archive files, Zeplin and Cobalt Strike Beacon as the payloads, Crosswalk, and Metasploit injectors, ShadowPad, and Paranoid PlugX backdoors, and a new .NET backdoor dubbed FunnySwitch.
  • The FunnySwitch backdoor possesses unusual message relay functionality, system information collecting capabilities, support for multiple transport protocols for connecting to C2 servers, common features with Crosswalk, and some unused code that indicates that the backdoor is still under development.
  • Moreover, the Winnti group has used compromised digital certificates belonging to the Taiwanese company Zealot Digital to sign malicious files intended for future attacks and leveraged a vulnerability (CVE-2020-0796) in Microsoft Server Message Block (SMBv3) protocol.

Higaisa and Winnti

The researchers have noted a network infrastructure overlap between the Higaisa group and the Winnti group, although detailed analysis points to the Winnti group. One distinguishing characteristic of Winnti is the use of backdoors with support for multiple transport protocols for connecting to C2 servers, which makes it difficult to detect and track malicious traffic.

Recent attacks 

  • Recently, the Winnti group had targeted at least five companies in the online gambling sector by deploying ransomware on victim systems.
  • In December, Winnti, along with several other groups had launched supply chain attacks against Mongolian government agencies.

In for the long haul

While building its extensive malware arsenal, the Winnti group has been using both widely available tools and custom-developed ones. Winnti’s persuasion for game developers and publishers in Russia and elsewhere is especially dangerous due to the risk they pose to these organizations and potentially millions of end-users.

Cyware Publisher