The prolific Chinese threat actor group Winnti has compromised the networks of three Asian gaming companies to deploy a backdoor trojan inside their products. The three affected companies are two game makers and a gaming platform firm.
The big picture - In a detailed report, ESET researchers revealed that the threat actor group used the same malware and attack techniques to compromise the products of three companies. While the products of the first two firms - both game makers - no longer include the Chinese hackers' backdoor, the third, a gaming platform firm, continues to push fake updates that deliver the backdoor trojan.
The third company still under scrutiny is Thai developer Electronics Extreme, whose game 'Infestation' is the affected product.
How does the infection process work - According to Marc-Etienne M.Léveillé, a security researcher at ESET, the Winnti group modified the executables of the three products in a similar fashion. The malicious code is embedded in each game's main executable and is decrypted only at runtime; once decrypted, it is launched in the PC's memory without hampering the functionality of the game or gaming platform.
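An added example (not from the article or ESET's report) of the defender-side check this technique invites: a minimal PE section walker that flags sections whose byte entropy is close to 8 bits per byte, which is how a still-encrypted payload embedded in a game executable tends to look on disk before it is decrypted at runtime. The PE header offsets are the standard ones; the `HIGH_ENTROPY` threshold, `build_sample_pe`, the sample image and the pseudo-random payload are constructed here for demonstration.

```python
import hashlib
import math
import struct
from collections import Counter
# Defender-side heuristic for the technique described above: an encrypted payload
# hidden in a game's main executable shows up as a PE section with near-maximal entropy.
HIGH_ENTROPY = 7.2  # bits per byte; ordinary code and data usually stay well below this

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section via a minimal PE header walk."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew in the DOS header
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    coff = pe_off + 4  # COFF file header: Machine, NumberOfSections, ..., SizeOfOptionalHeader
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    for i in range(nsections):
        hdr = image[table + 40 * i: table + 40 * i + 40]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield hdr[:8].rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]

def suspicious_sections(image: bytes, threshold: float = HIGH_ENTROPY) -> list:
    """Names of non-trivial sections whose entropy suggests encrypted or packed content."""
    return [name for name, data in pe_sections(image)
            if len(data) >= 256 and shannon_entropy(data) >= threshold]

def build_sample_pe(sections) -> bytes:  # constructed test image, not a real game binary
    raw_ptr = (0x40 + 4 + 20 + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000,
                                                     len(data), raw_ptr + len(body)) + b"\0" * 16
        body += data
    return (dos + b"PE\0\0" + coff + table).ljust(raw_ptr, b"\0") + body

# Constructed stand-in for an encrypted payload: deterministic pseudo-random bytes.
SAMPLE_ENCRYPTED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_IMAGE = build_sample_pe([(b".text", b"ordinary game code and strings " * 40),
                                (b".data", SAMPLE_ENCRYPTED)])

for name, data in pe_sections(SAMPLE_IMAGE):
    print(f"{name:8s} {len(data):6d} bytes  entropy={shannon_entropy(data):.2f}")
print("suspicious sections:", suspicious_sections(SAMPLE_IMAGE))
```

On a real binary the same walk applies to the file read from disk; a flagged section is a lead for closer inspection, not proof of tampering, since legitimate packers and compressed resources also produce high-entropy sections.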
ZDNet reported that the cybercriminal group used the 'normal game updates' trick to push the backdoored version onto victims' computers.
What actions were taken - Following the discovery, the game development companies - one of which is the Garena gaming platform - were quick to act and immediately removed the C2 servers. However, the backdoor is still active in Electronics Extreme's Infestation game.
"Given the popularity of the compromised application that is still being distributed by its developer, it wouldn't be surprising if the number of victims is in the tens or hundreds of thousands," said ESET researcher Léveillé, ZDNet reported.
Based on the analysis, it was found that most of the victims are from Asian countries.