Researchers have exposed the underhanded methods of a threat group responsible for unleashing a string of supply-chain attacks.
Winnti Group has been targeting the gaming industry for nearly a decade. Their preferred mode of attack is to compromise game developers, insert backdoors into a game’s build environment, and then have their malware distributed as legitimate software.
In April 2013, Kaspersky Lab reported that in 2011 Winnti had altered a video game to include a backdoor. Then, in March 2019, ESET published research proving that the threat group was responsible for compromising and adding a backdoor to two other games and a gaming platform.
Gamers in Asia were the target in the most recent supply-chain attack, which researchers estimate affected “tens or hundreds of thousands” of people. Over half of the victims—55%—were located in Thailand.
Following this publication, ESET continued its investigation to discover how organizations’ digital supply chains had been compromised to deliver malware in their applications.
“Searching for a small piece of well-hidden code added to a sometimes huge, existing code base is like finding a needle in a haystack. However, we relied on behaviors and code similarity to help us spot the needle,” says ESET researcher Marc-Étienne Léveillé.
The Winnti Group uses a packer in a backdoor dubbed PortReuse. In collaboration with Censys, ESET performed an internet-wide scan to try to identify one variant of the backdoor, as well as potential victims.
Léveillé said: “Since we were intrigued by the unique packer used in the recent supply-chain attacks against the gaming industry in Asia, we went on the hunt to find out if it was used elsewhere. And it was.”
With their new research, ESET was able to warn one major mobile software and hardware manufacturer in Asia that they had been compromised with PortReuse. ESET also analyzed new variants of Shadowpad, another backdoor used by the Winnti Group, still being maintained and actively used by its operators.
Although Winnti is known principally for espionage, researchers discovered that the group was also using a botnet to min cryptocurrencies.
Léveillé said: “Perhaps they use the virtual money they mine to finance their other operations. Maybe they use it for renting servers and registering domain names. But at this point, we cannot exclude that they, or one of their subgroups, could be motivated by financial gain.”