Winnti uses a new PipeMon backdoor in attacks aimed at the gaming industry

Pierluigi Paganini May 22, 2020

The Winnti hacking group continues to target gaming industry, recently it used a new malware named PipeMon and a new method to achieve persistence.

Winnti hacking group is using a new malware dubbed PipeMon and a novel method to achieve persistence in attacks aimed at video game companies.

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including  Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEADPassCV, Wicked Panda, Group 72, Blackfly, and APT41, and ShadowPad.

The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

PipeMon is a modular backdoor that was spotted by ESET researchers earlier this year on servers belonging to several developers of massively multiplayer online (MMO) games from South Korea and Taiwan. Each component of the backdoor is implemented by a DLL.

“In February 2020, we discovered a new, modular backdoor, which we named PipeMon. Persisting as a Print Processor, it was used by the Winnti Group against several video gaming companies that are based in South Korea and Taiwan and develop MMO (Massively Multiplayer Online) games.” reads the report published by the company. “Video games developed by these companies are available on popular gaming platforms and have thousands of simultaneous players.”

winnti backdoor gaming

In one case analyzed by the researchers, the hackers compromised a victim’s build system, then they have planted malware inside the video game executable. In another case, the Winnti group compromised the game servers were compromised, which could have allowed the attackers to conduct several malicious actions, including the manipulation of in-game currencies for financial gain.

Experts noticed that the PipeMon backdoor was signed with a certificate belonging to a video game company that was already hacked by Winnti in 2018.

Researchers also reported that the threat actors reused some C2 domains involved in other campaigns and used a custom login stealer that was previously associated with Winnti operations.

The experts discovered two PipeMon variants, but they were able to describe the infection process and how it has achieved persistence only for one of them.

The first stage of the PipeMon backdoor consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher.

The hackers achieved persistence by using the Windows print processors (DLLs). A malicious DLL‌ loader drops where the print processors reside and registered as an alternative print processor by modifying one of the two registry values:

HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll”
HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = “EntAppsvc.dll”

After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe) to load the malware.

Since the service starts every time the computer reboot, the attackers have achieved persistence.

“After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe). As a result, the malicious print process is loaded when the spooler service starts. Note that the Print Spooler service starts at each PC startup, which ensures persistence across system resets.” continues the report.

“This technique is really similar to the Print Monitor persistence technique (being used by DePriMon, for example) and, to our knowledge, has not been documented previously.”

PipeMon modules are DLLs exporting a function called IntelLoader and are loaded using a reflective loading technique.

The loader, responsible for loading the main modules (ManagerMain and GuardClient) is Win32CmdDll.dll and is stored in the Print Processors directory. Experts noticed that modules are stored encrypted on disk at the same location with inoffensive-looking names.

Experts also spotted an updated version of PipeMon for which they were able to retrieve the first stage. Its architecture is highly similar to the original variant, but its code was rewritten from scratch.

“Once again, the Winnti Group has targeted video game developers in Asia with a new modular backdoor signed with a code-signing certificate likely stolen during a previous campaign and sharing some similarities with the PortReuse backdoor. This new implant shows that the Winnti Group is still actively developing new tools using multiple open source projects; they don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware.” concludes ESET.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Winnti, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment