Security experts from QuoIntelligence (QuoINT) firm reported that China-linked Winnti cyberespionage group targets South Korean video gaming company Gravity.
The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.
The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, Group 72, Blackfly, and APT41, and ShadowPad.
The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.
Now Winnti cyberspies have targeted South Korean video gaming company Gravity, which is known for the development of the popular multiplayer online role-playing game (MMORPG) Ragnarok Online.
“Based on previous knowledge and targeting of the Winnti Group, we assess that this sample was likely used to target Gravity Co., Ltd., a South Korean video game company.” reads the report published by QuoIntelligence. “The company is known for its Massive Multiplayer Online Role Playing Game (MMORPG) Ragnarok Online, which is also offered as a mobile application. As we have also reported in the past, the video game industry is one of the preferred targets of the Winnti Group, especially for those companies operating in South Korea and Taiwan.”
The malware sample employed in the attack resembled a Winnti dropper previously analyzed by ESET researcher that was submitted to a public online malware scanning service. The analysis of the configuration file of malware allowed the identification of the intended target.
ESET researchers reported multiple Winnti Group campaigns targeting the gaming industry, one of the C2 servers involved in a campaign tracked as ID GRA KR 0629 was also involved in the attack uncovered by QuoINT.
Anyway the report published by QuoINT doesn’t include further evidence to support the link between the two campaigns.
QuoINT also reported another attack carried out by the Winnti Group against a chemical company in Germany in January 2020.
The piece of malware employed in the attack was developed in 2015, it was the same used in the attack against Gravity that had the target’s name embedded in the code.
“Although the malware was likely used years ago, further analysis revealed a previously unreported C2 technique never attributed to any Winnti Group’s toolkits.” continues the report.
“The technique relies on a DNS Tunneling communication channel through a custom implementation of the iodine source code, an open-source software that enables the tunneling of IPv4 data through a DNS server. Additionally, we uncovered a previously unknown stolen digital certificate being used to digitally sign Winnti-related attack components, and the targeting of a previously-unreported South Korean video game company.”
In the attack on the German company, the malware run the dsefix.exe executable to bypass driver verification and install its own drivers. a vulnerable VirtualBox driver, and rootkit drivers. Experts pointed out that this technique doesn’t work on modern Windows (e.g. Windows 10), a circumstance that suggests that the malicious code was developed and used several years ago. Experts also highlighted the use of DNS tunneling for C2 communication.
“The Winnti Group has exhibited their ability to breach different organizations and conduct sophisticated attack operations, typically motivated by espionage and financial gain, with various TTPs and malware toolkits.” QuoINT concludes. “While attribution is not concrete due to the complexity of the group, there are links that can be drawn between operations which suggest the threat actors purporting the attacks are likely operating within the Winnti Group, or at least sharing resources,”
(SecurityAffairs – Winnti, hacking)