One of the most active and sophisticated groups in the hacking scene has compromised several MMO (Massively Multiplayer Online) games, making it possible to distribute malware in a targeted manner in order to steal information or to steal in-game currencies for economic profit. ESET security researchers have raised the alarm, without releasing details on the games and developers involved, saying only that the problem also affects several Taiwanese and South Korean MMO developers whose titles have a large player base.
The attack is based on a previously unseen backdoor, which ESET has christened PipeMon. To get around defensive countermeasures, the PipeMon installers are signed with a legitimate code-signing certificate that was stolen from Nfinity Games in 2018. The backdoor passes itself off as a Windows print processor in order to survive system reboots. By leveraging PipeMon it is possible to directly compromise the designated victim's system and then orchestrate a supply-chain attack that compromises the game executables, or to compromise the game servers in order to manipulate in-game currencies. It is not clear, however, which of these scenarios actually occurred and with what impact.
This is, however, an event that should not be underestimated, especially considering the "pedigree" of the actor behind the attack. ESET attributes the operation to the Winnti Group, a collective active since 2009 that over the years has distinguished itself through a number of campaigns. In addition to targeting Tibetan and Uyghur activists, Chinese journalists and the Thai government, the group was behind the 2010 operation that stole sensitive information from Google and 34 other companies and, more recently, the compromise of the CCleaner utility's distribution platform and the supply-chain attack that tampered with the ASUS Live Update system to install a backdoor on thousands of Asus PCs.
Although it all originates from a certificate stolen in 2018, the owner did not revoke it until ESET notified them of the abuse. Windows requires software drivers to be signed with a certificate before they can be loaded into the operating system kernel. Such certificates, which are issued by recognized and trusted entities after the buyer proves to be a legitimate software provider, can help to bypass antivirus and other endpoint protection systems in general. As a consequence, code-signing certificates are an attractive prize in the eyes of attackers.
It is not uncommon to see delays in the revocation of code-signing certificates, especially compared with the TLS certificates used for websites. The latter must be published openly, which makes thefts easier to track and identify. For code-signing certificates, on the other hand, there is no visibility into which certificates are currently in use: they sit inside executables present on countless hosts all over the world and cannot be enumerated by wide-ranging scans of the network. This makes it difficult to determine which certificates have been, or may have been, compromised, and in particular those exploited in targeted attacks.
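As an added example (not from the article or from ESET), the following PowerShell audit ties the two points above together from a defender's side: it enumerates the print processors registered on a host, the persistence location the article describes, and checks each DLL's Authenticode signature. The known-abused thumbprint list and the default spooler paths are assumptions; a `Valid` status only proves the chain is trusted and the file is unmodified, so a stolen but not-yet-revoked certificate still looks valid, which is why the thumbprint comparison is there.

```powershell
# Added example: audit registered print processors and their code signatures.
# Print processor DLLs are registered per environment under the Print key and are
# loaded by the spooler at startup, which is why a rogue one survives reboots.
# Assumption: this list is a placeholder that you populate from your own threat intel.
$knownAbusedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-STOLEN-SIGNING-CERT'
)

$envRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$spoolRoot = Join-Path $env:SystemRoot 'System32\spool\prtprocs'   # default location, assumed

function Get-PrintProcessorAudit {
    foreach ($printEnv in Get-ChildItem $envRoot) {
        $ppKey = Join-Path $printEnv.PSPath 'Print Processors'
        if (-not (Test-Path $ppKey)) { continue }
        foreach ($pp in Get-ChildItem $ppKey) {
            # The "Driver" value names the DLL the spooler will load for this processor.
            $dllName = (Get-ItemProperty -Path $pp.PSPath).Driver
            if (-not $dllName) { continue }
            $files = Get-ChildItem -Path $spoolRoot -Recurse -Filter $dllName -ErrorAction SilentlyContinue
            foreach ($file in $files) {
                $sig   = Get-AuthenticodeSignature -FilePath $file.FullName
                $cert  = $sig.SignerCertificate
                $thumb = if ($cert) { $cert.Thumbprint } else { $null }
                [pscustomobject]@{
                    Environment = $printEnv.PSChildName
                    Processor   = $pp.PSChildName
                    Path        = $file.FullName
                    SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                    Signer      = if ($cert) { $cert.Subject } else { $null }
                    Thumbprint  = $thumb
                    # Unsigned/broken signatures are suspicious; so is a "valid" signature
                    # made with a certificate you already know to have been stolen.
                    Suspicious  = ($sig.Status -ne 'Valid') -or ($thumb -in $knownAbusedThumbprints)
                }
            }
        }
    }
}

Get-PrintProcessorAudit | Format-Table -AutoSize
```

Run it elevated so the spooler directory is readable; on a clean host you should see only Microsoft's default processor with a Microsoft signer, and anything else deserves a closer look.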