Massive multiplayer games developers targeted by Winnti group
The affected businesses, of which there are at least 30, are mostly based in South East Asia but with some in the US and elsewhere. Most are massively multiplayer online games developers, but the affected companies have opted to stay anonymous.
At the heart of the attacks lie digital certificates, supposed to prevent attacks by proving the legitimacy of code and its provenance. The Winnti hacking group has pilfered over 1000 digital certificates from developers in order to spread their malware over the last year and a half.
Kaspersky started tracking the attackers in 2011 when their malware was accidentally sent out by a games company as an update, having been signed with a genuine certificate. Users are likely to download malware masquerading as updates if they are signed with what appears to be a legitimate certificate.
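A binary signed with a stolen certificate passes the same signature check as a genuine update, so an update pipeline that only asks "is it validly signed?" learns nothing about provenance. The PowerShell audit below is an added example, not code from the article or from Kaspersky; it pins the signer to an expected certificate thumbprint and flags validly signed files from any other signer. The thumbprint list and the folder path are placeholders to replace.

```powershell
# Added example (not from the article): audit signed update binaries in a folder.
# A signature that validates is not proof of provenance when the signing
# certificate was stolen, so the check also pins the signer to an expected
# thumbprint and sends anything else for review.

# PLACEHOLDER: replace with the SHA-1 thumbprint(s) of the certificate(s)
# your own release pipeline actually signs with.
$ExpectedSignerThumbprints = @(
    '0000000000000000000000000000000000000000'
)

function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Unsigned, tampered or untrusted-chain files fail outright.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ File = $Path; Verdict = 'REJECT'; Reason = "Status=$($sig.Status)" }
    }

    $signer = $sig.SignerCertificate
    # Valid chain but an unexpected signer: exactly the stolen-certificate case.
    if ($AllowedThumbprints -notcontains $signer.Thumbprint) {
        return [pscustomobject]@{
            File    = $Path; Verdict = 'REVIEW'
            Reason  = "Valid signature from unpinned signer '$($signer.Subject)' ($($signer.Thumbprint))"
        }
    }

    # Without a countersignature timestamp the signature cannot be dated against
    # a later revocation of the signing certificate.
    if (-not $sig.TimeStamperCertificate) {
        return [pscustomobject]@{ File = $Path; Verdict = 'REVIEW'; Reason = 'Pinned signer but no timestamp countersignature' }
    }

    return [pscustomobject]@{ File = $Path; Verdict = 'ACCEPT'; Reason = "Pinned signer $($signer.Thumbprint)" }
}

# Walk an update drop folder (path is a placeholder) and print one verdict per file.
Get-ChildItem -Path 'C:\updates\incoming' -Include *.exe, *.dll -Recurse |
    ForEach-Object { Test-UpdateSignature -Path $_.FullName -AllowedThumbprints $ExpectedSignerThumbprints } |
    Format-Table -AutoSize
```

Any REVIEW verdict with a valid status and an unpinned signer is the pattern this article describes and belongs in an incident queue, not a silent allowlist.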
Vitaly Kamluk, researcher from Kaspersky Lab, said acquiring such certificates was as useful for hackers as uncovering zero-day vulnerabilities, flaws that the software makers are unaware of and have not patched.
Certificates were also being sold on the underground market, as the Winnti group sought to make as much money as possible from their campaign. It’s likely they were selling for tens of thousands of dollars.
The attackers used spear phishing tactics on targeted companies, sending emails with links to malware signed with stolen certificates. Kamluk said he hadn’t seen such tactics used on such a significant scale before.
It does not appear any of the best-known games companies were involved, although Kaspersky said it was possible it simply did not know about infections at larger firms. Kamluk noted that a recent attack on Ubisoft, which allowed hackers to download games without paying, including the unreleased Far Cry 3: Blood Dragon, was not carried out by the Winnti collective.
The campaign is ongoing, but there may be hope in the law enforcement effort to shut the criminal operation down. The attackers have left trails on the public Internet that could help identify them.
“They had created various profiles on blogging sites and some forums, almost all of which are Chinese,” Kamluk told TechWeekEurope. Further Chinese links were seen in the malware code, where there were Chinese characters in the strings, and in the command and control infrastructure domains.
However, Kaspersky has found it difficult to contact Chinese law enforcement, meaning little can be done as it stands. “We don’t have any good connections with Chinese police, otherwise we would have probably passed all this information on for them to check and maybe investigate,” Kamluk added.
“This is one reason why we made the research public… maybe the Chinese police will see this and do their own checks.”
Kamluk is unsure exactly how the attackers are making their money, although suspects “shady vendors” might be buying stolen source code to create “shadow versions” of games.
“We have seen their interest in how the infrastructure is organised in the attacked companies, looking for several configurations, such as what type of software they’re running. This is not just curiosity. They were probably doing this to get a real description of the production environment, for someone who wants to create a clone.”
They could also be uncovering vulnerabilities in the code to sell on or exploit, or even to produce fake virtual currency to be sold for real money to gamers.
It’s unlikely this is a state-sponsored attack, Kamluk said. China has been blamed for numerous cyber espionage campaigns in recent months, including hits on the New York Times and other US media outlets.
As for the malware itself, it’s a remote administration tool (RAT). It’s believed to be the first malicious program to run on a 64-bit version of Microsoft Windows with a valid digital signature.