Chinese hacking group backdoors products from three Asian gaming companies

A notorious Chinese cyber-espionage outfit known as the Winnti Group has breached the networks of two game makers and a gaming platform in Asia to include a backdoor trojan within their products.

Two of the compromised products no longer include the Chinese hackers’ backdoor, according to a report published earlier today by Slovak cyber-security firm ESET.

However, the third, a game named Infestation –produced by Thai developer Electronics Extreme– is still pushing updates and available for download in its backdoored version despite ESET’s efforts to notify the game developer through various channels since February.

While ESET didn’t wish to name the other two impacted products, an infected file hash included in the ESET report’s IOC (Indicators Of Compromise) section points the finger at the Garena gaming platform as the second impacted product.

The name of the third impacted product (a game) is still unknown.

“We have worked with one of the affected developers, and we respected their wish to stay anonymous and handle the situation on their end,” Léveillé told ZDNet in an email. “To be fair, we decided to simply avoid mentioning the names of publishers that already remediated the issue.”

As for the backdoor itself, Léveillé said that the Winnti Group modified the executable of the three products in a similar fashion.

The malicious code is included in the games’ main executable, and it is decrypted at runtime and launched into execution in the PC’s memory, while the original game/gaming platform runs as intended.

“This may suggest that the malefactor changed a build configuration rather than the source code itself,” Léveillé said.

The researcher also told ZDNet that the Winnti Group appears to have used the normal game updates as a means to push the backdoored versions to users, a reason why the infection wasn’t spotted right away and contained, reaching a large number of users.

“On the bright side, the C&C [command and control] servers were taken offline later and this limited the attack,” Léveillé told ZDNet.

This means that with the backdoor still being active in Electronics Extreme’s Infestation game, new users are getting infected to this day, but the backdoor won’t be able to contact its C&C servers to download additional malware on infected hosts.

“Given the popularity of the compromised application that is still being distributed by its developer, it wouldn’t be surprising if the number of victims is in the tens or hundreds of thousands,” ESET researcher Marc-Etienne M. Léveillé said today.

Based on ESET’s telemetry data, most of the victims are from Asian countries, which isn’t surprising since the games are popular in the region.

One particular oddity was the backdoor wouldn’t run on computers where the local language settings were either Chinese or Russia (some computers were infected in Russia because they used non-Russian language settings).

The backdoor’s role was to download a second stage trojan which ESET said it was a bulky DLL file. Researchers weren’t able to analyze and see what this second malware strain does, as the C&C server that controlled this second-stage payload wouldn’t return additional files to trigger the malware’s execution.

Because the original backdoor only supports four commands and its C&C servers are down, users are somewhat safe from this second malware strain, for the time being.

However, because Infestation game devs have failed to clean up their servers, the Winnti Group could deploy a new malicious game update with a new backdoor that communicates with a different C&C server and re-activate all previously infected users.

Infestation gamers are advised to reinstall their systems as soon as possible.

ESET isn’t sure why the Winnti Group is targeting gamers and what’s the endgame for this campaign, but the group has used compromised games in the past to distribute cyber-espionage malware. For example, it did so before in 2011.

The Winnti Group is a cyber-espionage outfit that is known to carry out such types of hacks –known as supply-chain attacks. A ProtectWise 401TRG 2018 report lists several past incidents, along with their last year’s predisposition for gathering code signing certificates from hacked software companies in the preparation of future supply-chain attacks.

Related cyber-security coverage: