APT Group Winnti Has Games Developers in its Crosshairs

According to security firm QuoIntelligence, popular South Korean games developer Gravity was very likely the target of a campaign by APT41, a group also known as Winnti, Barium, and BlackFly. The South Korean games developer is best known for releasing the popular massively multiplayer game Ragnarok Online. At a time when the world is struggling to cope with the COVID-19 pandemic, there appears to be a trend of advanced persistent threat (APT) groups ramping up activity and campaigns, seemingly to take advantage of people’s attention being elsewhere.

Details of the attack were recently published in a report by QuoIntelligence. The report goes into great detail about the malware strains used in the attack, which appear to be sophisticated strains developed in 2015 by the APT group. The group itself began active campaigns in 2012 and targets a variety of industries. Its targets are often closely related to industries determined by the Chinese government to be central to the nation’s economic development plans.

In discovering the campaign, security researchers noticed a malware sample uploaded to a public virus scanner from a German location. After some analysis, the sample was determined to have been used in an attack against an unnamed German chemical company.

The same malware sample was then linked to the above-mentioned games development company. The malware discovered has been called the “Winnti Dropper”. It acts as the first payload to infect the target's device and then allows other malware strains to be dropped onto the device.

At the time of writing, Gravity has not released a statement to either the press or the public as to whether the incident took place, let alone whether it was successful. The report by QuoIntelligence does provide sufficient evidence pointing to the games developer being the target. Researchers noted that:

“We were able to extract the malware's configuration file and identify the intended target. In this case, the following string was included within the extracted configuration: 0x1A0: GRAVITY…Based on previous knowledge and targeting of the Winnti Group, we assess that this sample was likely used to target Gravity Co., Ltd., a South Korean video game company. The company is known for its Massive Multiplayer Online Role Playing Game (MMORPG) Ragnarok Online, which is also offered as a mobile application. As we have also reported in the past, the video game industry is one of the preferred targets of the Winnti Group, especially for those companies operating in South Korea and Taiwan. Interestingly, ESET researchers, while reporting on multiple Winnti Group campaigns targeting the video game industry, listed in their report a C2 server having a Campaign ID GRA KR 0629.”

Winnti’s Known History

While confirmation of whether the games developer was targeted is needed to say for certain, the APT group is known to target game developers. In April 2013, Kaspersky published a report detailing how the group used digital certificates, in all likelihood stolen from another South Korean games developer, to further attack campaigns. In a number of campaigns up until the date of the report's publication, an estimated 35 game development companies, generally specializing in online games, had been targeted. The companies were predominantly from Asia, but other victims were found in Europe as well as North and South America. All were deemed to have been targeted for financial reasons. Kaspersky researchers deemed that the group could profit from the attacks in three ways. Firstly, profit could be made by stealing in-game currency and converting it to fiat or virtual currency. Secondly, source code could be stolen to look for vulnerabilities within the code and infrastructure. Lastly, source code could be stolen for the purposes of deploying pirate servers. In summarising the group’s activities and tactics, researchers concluded that,

“Our research revealed long-term oriented large scale cyber-espionage campaign of a criminal group with Chinese origins. These attacks are not new, many other security researchers have published details of various cybercriminal groups coming from China. However, the current hacking group has distinguishable features that make it stand out among others:

- Massive abuse of digital signatures; the attackers used digital signatures of one victim company to attack other companies and steal more digital certificates;
- Usage of kernel-level 64-bit signed rootkit;
- Abusing great variety of public Internet resources to store control commands for the malware in an encrypted form;
- Sharing/selling stolen certificates to other groups that had different objectives (attacks against Uyghur and Tibetan activists);
- Stealing source code and other intellectual property of software developers in the online gaming industry.”

Kaspersky’s analysis is echoed in other security firms' analyses of the group and its subsequent campaigns. In 2019, ESET published a report detailing a campaign that claimed at least three victims via a supply-chain attack. Two incidents involved online games, while the third involved an online platform, with all three being located in Asia. All three were victims of the same backdoor trojan malware, which has been linked to Winnti. In the same year, FireEye published a report detailing yet more attacks on the gaming industry as a whole. Researchers concluded that the APT’s attacks on the gaming industry were not conducted in the interests of cyber espionage and the group's state-sponsored mandate. Rather, it was concluded that attacks on the gaming industry are carried out in the hackers' spare time and generally for profit associated with game currency. Much of this conclusion rests on the fact that the companies are generally targeted and compromised outside of regular working hours.

Busy First Quarter

As the world reaches the end of 2020’s first quarter, it would seem that the group has had a busy one. Towards the end of March, FireEye published yet another report detailing another campaign. This one was far broader in scope and more in line with the group’s cyber-espionage mandate than with its targeting of the games industry. Between January 20 and March 11, researchers discovered that Winnti attempted to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. Many of these targets were located in Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, and the USA. Not only did the campaign span vast geographical areas, it also spanned a wide range of economic sectors. Victims were traced to Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility companies. Researchers noted that,

“It is notable that we have only seen these exploitation attempts to leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full-featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.”

The entire campaign would amount to one of the largest campaigns in terms of scope conducted by a Chinese-linked APT group in recent memory. As mentioned above, the campaign primarily targeted vulnerabilities to gain access to victims' devices. Previously, the group primarily focussed on spam and spear-phishing campaigns to gain an initial foothold on a network. The success of the campaign was easily preventable, as many of the vulnerable products had received patches and other mitigation advice. The entire campaign was an important reminder that companies need to be incredibly careful in choosing what data to expose online. Sensitive business applications should hardly ever, preferably never, be exposed to the internet. Further, the attack campaign serves as a reminder of why hardware and software should always be kept up to date. If state-sponsored groups are utilizing publicly disclosed vulnerabilities, it is a safe bet that other, more financially motivated groups will look to exploit the same vulnerabilities in the future.

Winnti presents researchers with an interesting case study into the nature of state-sponsored APT groups. Any analysis of the group presents researchers with the difficult task of determining where the state-sponsored activity ends and the group's “extra-curricular” activity begins. In reality, these two spheres of operations will overlap, as tools used for one will work equally well for the other. This also presents a unique problem for those looking to defend networks: generating rules for detection and remediation is made harder by the incredibly wide scope of targets the group actively goes after.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
