Winnti – a cyber espionage case for gaming industry

Pierluigi Paganini April 12, 2013

Another cyber espionage campaign has been discovered by the Kaspersky Lab team, and I am starting to get the feeling that whatever we do online, we cannot avoid being spied on. What is singular this time is the sector hit by the attackers: the gaming industry, where malware signed with a valid digital certificate has been used to steal game community currency and source code.

What is concerning, once again, is that the group of hackers, named the Winnti gang by the Kaspersky team, has been active since 2009, targeting more than 30 gaming companies and hitting various popular online games.

I wrote a book, Digital Virtual Currency and Bitcoin, on the complex world of virtual currency schemes, in which I describe the various currencies used within game environments, such as “runes” or “gold”. Precisely these virtual goods are of interest to cyber criminals, who intend, once they have stolen them, to convert them into money at the current exchange rate.

The Winnti hackers targeted particular services with specially crafted malware that injected itself into the game process and was able to conceal itself as well as modify the game in order to collect game currency illegally.

The attackers followed a smart strategy: they used the stolen source code to discover vulnerabilities in the targeted games that could be exploited to collect in-game money, and they also used it to deploy their own pirated versions of the game servers.

The victims were located mainly in Southeast Asia, where the researchers first observed the Trojan being spread: the Plug X remote administration tool (RAT), designed to infect 64-bit versions of Windows and signed with a valid certificate to elude defense mechanisms.

Kaspersky Lab experts identified a rootkit based on a DLL library compiled for a 64-bit Windows environment and signed with a legitimate certificate; the payload delivered by the attackers was the Plug X RAT, used to gain remote control of infected machines.

The Winnti campaign appears to be still active and very articulated: the security researchers revealed that, to date, the criminals have used more than a dozen certificates to sign malicious code.

Another interesting detail of the story is that some of the stolen certificates were also used in other attacks, such as the cyber espionage campaign that targeted Tibetan and Uyghur activists. This discovery suggests that the gang behind Winnti is either linked to the Chinese hackers responsible for those attacks or has sold the certificates on the Chinese underground, as confirmed by the following statement:

“Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China,”

According to Kaspersky Lab researchers, the attacks were conducted exactly for the cyber espionage campaign against Tibetan and Uyghur activists; they probably started with a spear phishing email sent to gaming companies, containing a malicious PDF attachment that exploited vulnerabilities in Adobe Reader.

It seems that the attackers did not exploit zero-day vulnerabilities; they used the malware simply to gain access to the servers hosting the information they were after.

The investigation started when a game company requested the collaboration of the Kaspersky team because a large number of its clients had been infected by a Trojan. Various companies such as MGAME Corp, KOG and ESTsoft were victims of the Winnti group; all of these firms provide popular Massively Multiplayer Online Role-Playing Games, which were considered the infection vector, but the researchers concluded that the infections of players were an unintended side effect and that the attackers were targeting the gaming companies, not the players.

Kaspersky said that the KOG certificate abused during the attacks was issued by VeriSign and has since been revoked.

Kaspersky revealed that it is currently collaborating with certificate authorities and the principal online gaming companies to find more compromised servers and, of course, to revoke any digital certificate that has been illegally abused.
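The defensive counterpart to the certificate abuse described above is to stop trusting a signature just because it validates: the signer must be re-checked against current revocation data. The following PowerShell audit is an added example, not code from the article or from Kaspersky's report; the install path and the thumbprint list are assumptions (the page publishes no thumbprints, so the entry is a labelled placeholder).

```powershell
# Added example: audit DLLs for Authenticode signatures whose signer certificate
# has since been revoked, or matches a list of known-abused code-signing certs.
# The thumbprint below is a PLACEHOLDER; fill it from a trusted advisory.
$KnownAbusedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_ABUSED_CODE_SIGNING_CERT'
)

function Test-SignerTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path       = $Path
        Status     = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer     = $null
        Thumbprint = $null
        Finding    = 'none'
    }
    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer     = $cert.Subject
        $result.Thumbprint = $cert.Thumbprint

        # Rebuild the signer chain with online revocation checking. A signature that
        # verified when the binary was signed still chains to a certificate the CA
        # may have revoked later (as happened with the abused KOG certificate).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $null = $chain.Build($cert)
        $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','

        if ($statusText -match '\bRevoked\b') {
            $result.Finding = 'signer certificate revoked'
        } elseif ($statusText -match 'RevocationStatusUnknown|OfflineRevocation') {
            $result.Finding = 'revocation status could not be determined'
        }
        if ($KnownAbusedThumbprints -contains $cert.Thumbprint) {
            $result.Finding = 'known abused certificate'
        }
    } elseif ($sig.Status -ne 'Valid') {
        $result.Finding = "unsigned or broken signature ($($sig.Status))"
    }
    [pscustomobject]$result
}

# Usage: the game server install directory is an assumed path.
Get-ChildItem -Path 'C:\GameServer' -Filter '*.dll' -Recurse -File |
    ForEach-Object { Test-SignerTrust -Path $_.FullName } |
    Where-Object { $_.Finding -ne 'none' } |
    Format-Table Path, Status, Signer, Finding -AutoSize
```

A DLL that reports a Valid status but a revoked or known-abused signer is exactly the case a plain signature check would wave through.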

Malicious agents have been detected in Asia and also at companies in Europe, South America and the United States; according to the security experts, the malware was spread by game developers collaborating with colleagues or partners in other countries.


Kaspersky’s Threatpost portal states:

“Stolen data was sent to command and control servers that manage bots hosted in South Korea, Russia, Japan and the U.S., used to infect gaming servers. In fact, a variety of public Internet hosts were used to store encrypted control commands.”

Who is behind the name Winnti?

Kaspersky Lab states in the report:

“We believe that the attackers that currently form Winnti group used to be members of Chinese underground hacking teams in the past. It is most likely that they were attacking various entities including businesses and individuals as members of those groups, but united in Winnti group, they have started doing that routinely, systematically and under well-organized management.”

These considerations are mainly based on:

  • Use of Chinese Simplified GBK coding in the resource section of malicious modules and Chinese text used in the modules’ report messages.
  • The discovery of a number of Chinese users’ profiles linked to the control messages posted on blogs and forums used in the attack.

In Italy, we say that two clues are a proof … let’s wait for further revelations.



Pierluigi Paganini

(Security Affairs – Cyber Espionage)
