Jump to content
thehat

Winnti. More than just a game

Recommended Posts

Posted

Winnti. More than just a game

Table of Contents

In the beginning was ...

Digital Certificates

Victims

Winnti C&Cs Structure

Known Malware

The commercial interest

Source of attacks

Conclusions

Kaspersky Lab began this ongoing research in the autumn of 2011. The subject is a series of targeted attacks against private companies around the world.

In the course of our research we uncovered the activity of a hacking group which has Chinese origins. This group was named "Winnti".

According to our estimations, this group has been active for several years and specializes in cyberattacks against the online video game industry. The group’s main objective is to steal source codes for online game projects as well as the digital certificates of legitimate software vendors. In addition, they are very interested in how network infrastructure (including the production of gaming servers) is set up, and new developments such as conceptual ideas, design and more.

We weren't the first to focus on this group and investigate their attacks. In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary's customers – an American video game company.

In the Beginning Was …

In the autumn of 2011, a Trojan was detected on a huge number of computers – all of them linked by the fact that they were used by players of a popular online game. It emerged that the piece of malware landed on users’ computers as part of a regular update from the game’s official update server. Some even suspected that the publisher itself was spying on players. However, it later became clear that the malicious program ended up on the users’ computers by mistake: the cybercriminals were in fact targeting the companies that develop and release computer games.

The computer game publisher whose servers spread the Trojan asked Kaspersky Lab to analyze the malicious program that was found on its update server. It turned out to be a DLL library compiled for a 64-bit Windows environment and even had a properly signed malicious driver.

The malicious DLL landed on gamers’ computers running under either 32-bit or 64-bit operating systems. It couldn’t start in 32-bit environments, but it could, under certain conditions, launch without the user’s knowledge or consent in 64-bit environments, though no such accidental launches have been detected.

The DLL contained a backdoor payload, or, to be exact, the functionality of a fully-fledged Remote Administration Tool (RAT), which gave cybercriminals the ability to control the victim computer without the user’s knowledge.

The malicious module turned out to be the first time we saw Trojan applications for the 64-bit version of Microsoft Windows with a valid digital signature. We had seen similar cases before, but all previous incidents where digital signatures were abused affected only 32-bit applications.

At an early stage of our research, we identified a fair number of similar backdoors, both 32-bit and 64-bit, in our collection of malware samples that were detected under various verdicts. We grouped them together into a separate family. Symantec appears to be the first to name these malicious programs; we kept Symantec’s name – Winnti – in the name of the malware family we created: Backdoor.Win32(Win64).Winnti. As for the people behind these attacks involving this remote administration tool, we ended up calling them “the Winnti group”.

Interestingly, the digital signature belonged to another video game vendor - a private company known as KOG, based in South Korea. This company’s main business was MMRPG games, exactly the same area as the first victim.

We contacted KOG, whose certificate was used to sign the malicious software, and notified Verisign, which issued the certificate for KOG. As a result the certificate was revoked.

Digital Certificates

When we discovered the first stolen digital certificate we didn't realize that stealing the certificates and signing malware for future attacks against other targets was the preferred method of this group. Over the next 18 months we discovered more than a dozen similar compromised digital certificates.

Moreover, we found that those digital certificates seemed to have been used in attacks organized by other hacking groups, presumably coming from China.

For example, in an attack against South Korean social networks Cyworld and Nate in 2011 the attackers used a Trojan that was digitally signed using a certificate of from the gaming company YNK Japan Inc.

A digital certificate of the same company was used recently (March 2013) in Trojans deployed against Tibetan and Uyghur activists. In fact, this story dates back to 2011. We highly recommend this Norman blogpost about a similar incident.

At the same time, in March 2013, Uyghur activists were targeted by other malware, which was digitally signed by another gaming company called MGAME Corp.

We believe that the source of all these stolen certificates could be the same Winnti group. Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China.

Below is the list of known compromised companies and digital certificates used by the Winnti group in different campaigns:

Company Serial number Country

ESTsoft Corp 30 d3 fe 26 59 1d 8e ac 8c 30 66 7a c4 99 9b d7 South Korea

Kog Co., Ltd. 66 e3 f0 b4 45 9f 15 ac 7f 2a 2b 44 99 0d d7 09 South Korea

LivePlex Corp 1c aa 0d 0d ad f3 2a 24 04 a7 51 95 ae 47 82 0a South Korea/ Philippines

MGAME Corp 4e eb 08 05 55 f1 ab f7 09 bb a9 ca e3 2f 13 cd South Korea

Rosso Index KK 01 00 00 00 00 01 29 7d ba 69 dd Japan

Sesisoft 61 3e 2f a1 4e 32 3c 69 ee 3e 72 0c 27 af e4 ce South Korea

Wemade 61 00 39 d6 34 9e e5 31 e4 ca a3 a6 5d 10 0c 7d Japan/South Korea/US

YNK Japan 67 24 34 0d db c7 25 2f 7f b7 14 b8 12 a5 c0 4d Japan

Guangzhou YuanLuo 0b 72 79 06 8b eb 15 ff e8 06 0d 2c 56 15 3c 35 China

Fantasy Technology Corp 75 82 f3 34 85 aa 26 4d e0 3b 2b df 74 e0 bf 32 China

Neowiz 5c 2f 97 a3 1a bc 32 b0 8c ac 01 00 59 8f 32 f6 South Korea

Victims

It’s tempting to assume that Advanced Persistent Threats (APTs) primarily target high-level institutions: government agencies, ministries, the military, political organizations, power stations, chemical plants, critical infrastructure networks and so on. In this context it seems unlikely that a commercial company would be at risk unless it was operating on the scale of Google, Adobe or The New York Times, which was recently targeted by a cyberattack, and this perception is reinforced by the publicity that attacks on corporations and government organizations usually receive. However, any company with data that can be effectively monetized is at risk from APTs. This is exactly what we encountered here: it was not a governmental, political, military, or industrial organization but gaming companies that were targeted.

It’s difficult to name all the victims of the Winnti team. Judging by the information that we have at our disposal – namely the tags within malicious programs, the names of the C&C domains, the companies whose digital certificates were stolen to sign malware, and the countries where detection notifications came from – we can say that at least 35 companies have been infected by Winnti malware at some time.

Countries where the affected companies are located:

Asia Europa South America North America

Vietnam Belarus Brazil USA

India Germany Peru

Indonesia Russia

China

Taiwan

Thailand

Phillipines

S. Korea

Japan

This data demonstrates that the Winnti team is targeting gaming companies located in various parts of the world, albeit with a strong focus on SE Asia.

Countries where gaming companies have been affected

Such geographic diversity is hardly surprising. Often, gaming companies (both publishers and developers) are international, having representatives and offices worldwide. Also, it is common practice for gaming companies from various regions to cooperate. The developers of a game may be located in a different country from its publisher. When a game later reaches markets in regions away from its initial ‘home’, it is often localized and published by other publishers. In the course of this cooperation, the partner companies often grant each other access to network resources to exchange data associated with the gaming content, including distribution kits, gaming resources, resource assembly kits, etc. If one company in the network gets infected, it’s easy for the cybercriminals to spread the infection throughout the partnership chain.

Winnti C&Cs Structure

During the investigation, we identified over a hundred malicious programs, every single one compiled to attack a particular company. Typically, separate C&C domains were assigned to each targeted company. Virtually all the C&C domains were arranged as follows: a second-level domain was created without a DNS A-record, i.e., there was no IP address assigned to it.

In case there was an A-record, the assigned IP address was typically 127.0.0.1. It is also noteworthy that some of the second-level domains that the cybercriminals created for their C&C had very similar names to the domain hosting the site of a certain real gaming company. And the malicious users’ domain was resolved to the same IP address which the site of the real gaming company used. In any case, the third-level domains resolved to IP addresses assigned to the attackers’ actual C&C servers.

C&C domain naming and resolution

Sometimes the Winnti team registered their C&C units with public hosts. Judging by the samples identified, these C&C centers were subdomains of such domains as 6600.org, 8866.org, 9966.org or ddns.net.

From the names of the C&C domains or subdomains, the attack targets or countries of residence could be guessed, as in:

ru.gcgame.info

kr.zzsoft.info

jp.xxoo.co

us.nhntech.com

fs.nhntech.com

as.cjinternet.us

The subdomains “ru”, “kr”, ”jp” and “us” most probably mean that these C&C servers manage bots hosted on the computers of companies located in Russia, South Korea, Japan and the US respectively, while “fs” and “as” are acronyms for the names of the companies being attacked.

Sometimes Winnti’s malicious programs had a local IP address, such as 192.168.1.136, specified in their settings for the C&C. This could mean that at some point of time there was an infected computer that did not have a connection to the Internet, but the cybercriminals needed control over it (it may have been infected while malware was spread via a corporate network). In this case, the cybercriminals deployed a dedicated local C&C server on another compromised computer within the same local network which did have an Internet connection; via that C&C, the first victim computer could be controlled. System administrators often try to isolate critical computers from the outside world. This decreases the probability of haphazard infection, but, apparently, does not always help in a targeted attack.

In the Winnti samples that were detected and analyzed, we found 36 unique C&C domains. Most probably, this is only a small portion of all existing Winnti C&C domains, as we only managed to obtain some of the samples from this malware family. This is hardly surprising since these malicious programs are used to execute targeted attacks, so no information is available about many instances of infection; for this reason, we have no way of obtaining samples of the malware used in these undisclosed attacks.

Domain names used in the attacks we discovered:

newpic.dyndns.tv lp.zzsoft.info ru.gcgame.info

update.ddns.net lp.gasoft.us kr.jcrsoft.com

nd.jcrsoft.com eya.jcrsoft.com wm.ibm-support.net

cc.nexoncorp.us ftpd.9966.org fs.nhntech.com

kr.zzsoft.info kr.xxoo.co docs.nhnclass.com

as.cjinternet.us wi.gcgame.info rh.jcrsoft.com

ca.zzsoft.info tcp.nhntech.com wm.nhntech.com

sn.jcrsoft.com ka.jcrsoft.com wm.myxxoo.com

lp.apanku.com my.zzsoft.info ka.zzsoft.info

sshd.8866.org jp.jcrsoft.com ad.jcrsoft.com

ftpd.6600.org su.cjinternet.us my.gasoft.us

tcpiah.googleclick.net vn.gcgame.info

rss.6600.org ap.nhntech.com

Knowing the 2nd level domains used by Winnti, we brute forced through all 3rd level subdomains up to 4 symbols long, and identified those that have the IP addresses of real servers assigned to them. Having searched through subdomains for a total of 12 2nd level domains, we identified 227 “live” 3rd level domains. Many of them are C&C servers for Winnti-class malware that have hitherto remained unidentified.

Analyzing the WHOIS data for the 12 2nd level domains, we found the following list of email addresses used for registration:

evilsex@gmail.com

jslee.jcr@gmail.com

whoismydns@gmail.com

googl3@live.com

wzcc@cnkker.com

apanku2009@gmail.com

For some of these domains, registration data proved to be the same as those for the domain google.com:

Registrant: Google Inc.

1600 Amphitheatre Parkwa

Mountain Vie, California 94043

United States

+1.6503300100

Judging by the domain registration data, the Winnti team started their criminal activities at least in 2007. Their early domains were involved in spreading rogue antiviruses (FakeAV). From 2009 onwards, domains began to emerge hosting C&C servers for bots used to infect gaming companies. Apparently, the cybercriminals graduated to relatively large-scale penetrations into the corporate networks of gaming companies starting from 2010.

Known Malware

The attackers’ favorite tool is the malicious program we called "Winnti". It has evolved since its first use, but all variants can be divided into two generations: 1.x and 2.x. Our publication describes both variants of this tool.

In our report we publish an analysis of the first generation of Winnti.

The second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping the victim to interrupt data transfer and isolate infections in the corporate network. This incident and our investigation is described in detail here.

In addition to that, we have observed the use of a popular backdoor known as PlugX, which is believed to have Chinese origins. Previously, this had only been used in attacks against Tibetan activists.

The Commercial Interest

As has been stated above, APTs can target any commercial company if cybercriminals find a way to make a profit from the attack.

So which methods do cybercriminals use to generate illicit earnings from attacks on gaming companies?

Based on the available information, we have singled out three main monetization schemes that could be used by the Winnti team.

The unfair accumulation of in-game currency/“gold” in online games and the conversion of virtual funds into real money.

Theft of source code from the online games server to search for vulnerabilities in games – often linked to point 1.

Theft of source code from the server part of popular online games to further deploy pirate servers.

Let’s look at an example. During our investigation of an infection at a computer game company, we found that malware had been created for a particular service on the company’s server. The malicious program was looking for a specific process running on the server, injected code into it, and then sought out two places in the process code where it could conceal call commands for its function interceptors. Using these function interceptors, the malicious programs modified process data which was processed in those two places, and returned control back. Thus, the attackers change the normal execution of the server processes. Unfortunately, the company was not able to share its targeted application with us, and we cannot say exactly how this malicious interference affected gaming processes. The company concerned told us that the attackers’ aim was to acquire gaming “gold” illegally.

Malicious activity like this has an adverse impact on the game itself, tilting the balance in favor of cheats. But any changes the Winnti team introduces into the game experience are unlikely to be very noticeable. After all, maintaining a skillful balance is the main attribute of online games! Users will simply stop playing if they feel that other players are using non-standard methods to create an advantage beyond normal gameplay or if the game loses its intrinsic competitiveness due to resources or artifacts appearing in the game without the developers’ knowledge. At the same time the attackers are keen for the game to remain popular; otherwise, they would be unable to effectively turn all the time and effort of infecting a gaming company into financial gain.

Members of the Winnti team are patient and cautious. Cybercriminals have affected the processes of the online games from the infected companies and stolen money from them for years, but they have found ways of doing this without attracting attention to themselves.

Source of Attacks

So, who is behind Winnti? While analyzing the malicious files that we detected during our investigation we found some details which may cast some light on the source of the attacks.

As part of our investigation, we monitored exactly what the cybercriminals did on an infected PC. In particular, they they downloaded an auxiliary program ff._exe to the Config.Msi folder on the infected machine. This code searches for HTML, MS Excel, MS Word, Adobe, PowerPoint and MS Works documents and text files (.txt) on the hard drive.

Debugging lines were found in ff._exe_ that possibly point to the nationality of the cybercriminals. They were not immediately noticeable because they looked like this in the editor:

However, during a detailed analysis it emerged that the text is in Chinese Simplified GBK coding. This is what these lines look in Chinese:

Below is a machine translation of this text into English:

Not identify the type of file system

Below is a translation of the text by interpreter

Open the volume failed

Failed to get the file system type

Failed to read volume

Volumes do not open or open failed

Navigate to the root directory of the error

Error memory read pointer

Memory is too small

File does not exist

Failed to get the file mft index sector

Access to file data fail

Volume and open volumes are not the same

The same volume and open volume

In addition, cybercriminals used the AheadLib program to create malicious libraries (for details, see the second part of the article). This is a program with a Chinese interface.

Chinese text was also found in one of the components of the malicious program CmdPlus.dll plug-in:

Translation: The process is complete!!

It would appear that the attackers can at least speak Chinese. However, not everything is so clear cut: because the file transfer plug-in has not been implemented entirely safely, a command which includes the attackers’ local path (where the file comes from and where it is saved to) arrives during the process of downloading/uploading files on the infected system. While monitoring the cybercriminals’ activity on the infected machine, we noticed they uploaded the certificate they found in the infected system, and the network traffic reflected the local path indicating the place where they saved the file on their computer:

These characters appear to be Korean, meaning “desktop”. This means the attackers were working on a Korean Windows operating system. Therefore, we can presume that the attack is not the exclusive work of Chinese-speaking cybercriminals.

Conclusions

Our research revealed long-term oriented large scale cyberespionage campaign of a criminal group with Chinese origins. These attacks are not new, many other security researchers have published details of various cybercriminal groups coming from China. However, current hacking group has distinguishable features that make it stand out among others:

massive abuse of digital signatures; the attackers used digital signatures of one victim company to attack other companies and steal more digital certificates;

usage of kernel level 64-bit signed rootkit;

abusing great variety of public Internet resources to store control commands for the malware in an encrypted form;

sharing/selling stolen certificates to other groups that had different objectives (attacks against Uyghur and Tibetan activists);

stealing source codes and other intellectual property of software developers in online gaming industry.

The malicious program which we call “Winnti” has evolved significantly since it first emerged; however we classify all its variants in two main generations: 1.x and 2.x.

We have published the technical description of the first generation of Winnti in a separate article .

The second generation (2.x) was used to conduct an attack which we investigated during its active stage. We successfully prevented data transfer to the cybercriminals’ server and isolated the infected systems in the company’s local network. The incidents, as well as results of our investigation, are described in the full report on the Winnti group (PDF).

In addition, we discovered that the Winnti group uses a popular backdoor known as PlugX which also has Chinese origins. This backdoor had previously been seen almost exclusively in attacks targeting Tibetan activists.

Read further

Sursa: https://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game

Posted
Winnti. More than just a game

Table of Contents

In the beginning was ...

Digital Certificates

Victims

Winnti C&Cs Structure

Known Malware

The commercial interest

Source of attacks

Conclusions

Kaspersky Lab began this ongoing research in the autumn of 2011. The subject is a series of targeted attacks against private companies around the world.

In the course of our research we uncovered the activity of a hacking group which has Chinese origins. This group was named "Winnti".

According to our estimations, this group has been active for several years and specializes in cyberattacks against the online video game industry. The group’s main objective is to steal source codes for online game projects as well as the digital certificates of legitimate software vendors. In addition, they are very interested in how network infrastructure (including the production of gaming servers) is set up, and new developments such as conceptual ideas, design and more.

We weren't the first to focus on this group and investigate their attacks. In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary's customers – an American video game company.

In the Beginning Was …

In the autumn of 2011, a Trojan was detected on a huge number of computers – all of them linked by the fact that they were used by players of a popular online game. It emerged that the piece of malware landed on users’ computers as part of a regular update from the game’s official update server. Some even suspected that the publisher itself was spying on players. However, it later became clear that the malicious program ended up on the users’ computers by mistake: the cybercriminals were in fact targeting the companies that develop and release computer games.

The computer game publisher whose servers spread the Trojan asked Kaspersky Lab to analyze the malicious program that was found on its update server. It turned out to be a DLL library compiled for a 64-bit Windows environment and even had a properly signed malicious driver.

The malicious DLL landed on gamers’ computers running under either 32-bit or 64-bit operating systems. It couldn’t start in 32-bit environments, but it could, under certain conditions, launch without the user’s knowledge or consent in 64-bit environments, though no such accidental launches have been detected.

The DLL contained a backdoor payload, or, to be exact, the functionality of a fully-fledged Remote Administration Tool (RAT), which gave cybercriminals the ability to control the victim computer without the user’s knowledge.

The malicious module turned out to be the first time we saw Trojan applications for the 64-bit version of Microsoft Windows with a valid digital signature. We had seen similar cases before, but all previous incidents where digital signatures were abused affected only 32-bit applications.

At an early stage of our research, we identified a fair number of similar backdoors, both 32-bit and 64-bit, in our collection of malware samples that were detected under various verdicts. We grouped them together into a separate family. Symantec appears to be the first to name these malicious programs; we kept Symantec’s name – Winnti – in the name of the malware family we created: Backdoor.Win32(Win64).Winnti. As for the people behind these attacks involving this remote administration tool, we ended up calling them “the Winnti group”.

Interestingly, the digital signature belonged to another video game vendor - a private company known as KOG, based in South Korea. This company’s main business was MMRPG games, exactly the same area as the first victim.

We contacted KOG, whose certificate was used to sign the malicious software, and notified Verisign, which issued the certificate for KOG. As a result the certificate was revoked.

Digital Certificates

When we discovered the first stolen digital certificate we didn't realize that stealing the certificates and signing malware for future attacks against other targets was the preferred method of this group. Over the next 18 months we discovered more than a dozen similar compromised digital certificates.

Moreover, we found that those digital certificates seemed to have been used in attacks organized by other hacking groups, presumably coming from China.

For example, in an attack against South Korean social networks Cyworld and Nate in 2011 the attackers used a Trojan that was digitally signed using a certificate of from the gaming company YNK Japan Inc.

A digital certificate of the same company was used recently (March 2013) in Trojans deployed against Tibetan and Uyghur activists. In fact, this story dates back to 2011. We highly recommend this Norman blogpost about a similar incident.

At the same time, in March 2013, Uyghur activists were targeted by other malware, which was digitally signed by another gaming company called MGAME Corp.

We believe that the source of all these stolen certificates could be the same Winnti group. Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China.

Below is the list of known compromised companies and digital certificates used by the Winnti group in different campaigns:

Company Serial number Country

ESTsoft Corp 30 d3 fe 26 59 1d 8e ac 8c 30 66 7a c4 99 9b d7 South Korea

Kog Co., Ltd. 66 e3 f0 b4 45 9f 15 ac 7f 2a 2b 44 99 0d d7 09 South Korea

LivePlex Corp 1c aa 0d 0d ad f3 2a 24 04 a7 51 95 ae 47 82 0a South Korea/ Philippines

MGAME Corp 4e eb 08 05 55 f1 ab f7 09 bb a9 ca e3 2f 13 cd South Korea

Rosso Index KK 01 00 00 00 00 01 29 7d ba 69 dd Japan

Sesisoft 61 3e 2f a1 4e 32 3c 69 ee 3e 72 0c 27 af e4 ce South Korea

Wemade 61 00 39 d6 34 9e e5 31 e4 ca a3 a6 5d 10 0c 7d Japan/South Korea/US

YNK Japan 67 24 34 0d db c7 25 2f 7f b7 14 b8 12 a5 c0 4d Japan

Guangzhou YuanLuo 0b 72 79 06 8b eb 15 ff e8 06 0d 2c 56 15 3c 35 China

Fantasy Technology Corp 75 82 f3 34 85 aa 26 4d e0 3b 2b df 74 e0 bf 32 China

Neowiz 5c 2f 97 a3 1a bc 32 b0 8c ac 01 00 59 8f 32 f6 South Korea

Victims

It’s tempting to assume that Advanced Persistent Threats (APTs) primarily target high-level institutions: government agencies, ministries, the military, political organizations, power stations, chemical plants, critical infrastructure networks and so on. In this context it seems unlikely that a commercial company would be at risk unless it was operating on the scale of Google, Adobe or The New York Times, which was recently targeted by a cyberattack, and this perception is reinforced by the publicity that attacks on corporations and government organizations usually receive. However, any company with data that can be effectively monetized is at risk from APTs. This is exactly what we encountered here: it was not a governmental, political, military, or industrial organization but gaming companies that were targeted.

It’s difficult to name all the victims of the Winnti team. Judging by the information that we have at our disposal – namely the tags within malicious programs, the names of the C&C domains, the companies whose digital certificates were stolen to sign malware, and the countries where detection notifications came from – we can say that at least 35 companies have been infected by Winnti malware at some time.

Countries where the affected companies are located:

Asia Europa South America North America

Vietnam Belarus Brazil USA

India Germany Peru

Indonesia Russia

China

Taiwan

Thailand

Phillipines

S. Korea

Japan

This data demonstrates that the Winnti team is targeting gaming companies located in various parts of the world, albeit with a strong focus on SE Asia.

Countries where gaming companies have been affected

Such geographic diversity is hardly surprising. Often, gaming companies (both publishers and developers) are international, having representatives and offices worldwide. Also, it is common practice for gaming companies from various regions to cooperate. The developers of a game may be located in a different country from its publisher. When a game later reaches markets in regions away from its initial ‘home’, it is often localized and published by other publishers. In the course of this cooperation, the partner companies often grant each other access to network resources to exchange data associated with the gaming content, including distribution kits, gaming resources, resource assembly kits, etc. If one company in the network gets infected, it’s easy for the cybercriminals to spread the infection throughout the partnership chain.

Winnti C&Cs Structure

During the investigation, we identified over a hundred malicious programs, every single one compiled to attack a particular company. Typically, separate C&C domains were assigned to each targeted company. Virtually all the C&C domains were arranged as follows: a second-level domain was created without a DNS A-record, i.e., there was no IP address assigned to it.

In case there was an A-record, the assigned IP address was typically 127.0.0.1. It is also noteworthy that some of the second-level domains that the cybercriminals created for their C&C had very similar names to the domain hosting the site of a certain real gaming company. And the malicious users’ domain was resolved to the same IP address which the site of the real gaming company used. In any case, the third-level domains resolved to IP addresses assigned to the attackers’ actual C&C servers.

C&C domain naming and resolution

Sometimes the Winnti team registered their C&C units with public hosts. Judging by the samples identified, these C&C centers were subdomains of such domains as 6600.org, 8866.org, 9966.org or ddns.net.

From the names of the C&C domains or subdomains, the attack targets or countries of residence could be guessed, as in:

ru.gcgame.info

kr.zzsoft.info

jp.xxoo.co

us.nhntech.com

fs.nhntech.com

as.cjinternet.us

The subdomains “ru”, “kr”, ”jp” and “us” most probably mean that these C&C servers manage bots hosted on the computers of companies located in Russia, South Korea, Japan and the US respectively, while “fs” and “as” are acronyms for the names of the companies being attacked.

Sometimes Winnti’s malicious programs had a local IP address, such as 192.168.1.136, specified in their settings for the C&C. This could mean that at some point of time there was an infected computer that did not have a connection to the Internet, but the cybercriminals needed control over it (it may have been infected while malware was spread via a corporate network). In this case, the cybercriminals deployed a dedicated local C&C server on another compromised computer within the same local network which did have an Internet connection; via that C&C, the first victim computer could be controlled. System administrators often try to isolate critical computers from the outside world. This decreases the probability of haphazard infection, but, apparently, does not always help in a targeted attack.

In the Winnti samples that were detected and analyzed, we found 36 unique C&C domains. Most probably, this is only a small portion of all existing Winnti C&C domains, as we only managed to obtain some of the samples from this malware family. This is hardly surprising since these malicious programs are used to execute targeted attacks, so no information is available about many instances of infection; for this reason, we have no way of obtaining samples of the malware used in these undisclosed attacks.

Domain names used in the attacks we discovered:

newpic.dyndns.tv lp.zzsoft.info ru.gcgame.info

update.ddns.net lp.gasoft.us kr.jcrsoft.com

nd.jcrsoft.com eya.jcrsoft.com wm.ibm-support.net

cc.nexoncorp.us ftpd.9966.org fs.nhntech.com

kr.zzsoft.info kr.xxoo.co docs.nhnclass.com

as.cjinternet.us wi.gcgame.info rh.jcrsoft.com

ca.zzsoft.info tcp.nhntech.com wm.nhntech.com

sn.jcrsoft.com ka.jcrsoft.com wm.myxxoo.com

lp.apanku.com my.zzsoft.info ka.zzsoft.info

sshd.8866.org jp.jcrsoft.com ad.jcrsoft.com

ftpd.6600.org su.cjinternet.us my.gasoft.us

tcpiah.googleclick.net vn.gcgame.info

rss.6600.org ap.nhntech.com

Knowing the 2nd level domains used by Winnti, we brute forced through all 3rd level subdomains up to 4 symbols long, and identified those that have the IP addresses of real servers assigned to them. Having searched through subdomains for a total of 12 2nd level domains, we identified 227 “live” 3rd level domains. Many of them are C&C servers for Winnti-class malware that have hitherto remained unidentified.

Analyzing the WHOIS data for the 12 2nd level domains, we found the following list of email addresses used for registration:

evilsex@gmail.com

jslee.jcr@gmail.com

whoismydns@gmail.com

googl3@live.com

wzcc@cnkker.com

apanku2009@gmail.com

For some of these domains, registration data proved to be the same as those for the domain google.com:

Registrant: Google Inc.

1600 Amphitheatre Parkwa

Mountain Vie, California 94043

United States

+1.6503300100

Judging by the domain registration data, the Winnti team started their criminal activities at least in 2007. Their early domains were involved in spreading rogue antiviruses (FakeAV). From 2009 onwards, domains began to emerge hosting C&C servers for bots used to infect gaming companies. Apparently, the cybercriminals graduated to relatively large-scale penetrations into the corporate networks of gaming companies starting from 2010.

Known Malware

The attackers’ favorite tool is the malicious program we called "Winnti". It has evolved since its first use, but all variants can be divided into two generations: 1.x and 2.x. Our publication describes both variants of this tool.

In our report we publish an analysis of the first generation of Winnti.

The second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping the victim to interrupt data transfer and isolate infections in the corporate network. This incident and our investigation is described in detail here.

In addition to that, we have observed the use of a popular backdoor known as PlugX, which is believed to have Chinese origins. Previously, this had only been used in attacks against Tibetan activists.

The Commercial Interest

As has been stated above, APTs can target any commercial company if cybercriminals find a way to make a profit from the attack.

So which methods do cybercriminals use to generate illicit earnings from attacks on gaming companies?

Based on the available information, we have singled out three main monetization schemes that could be used by the Winnti team.

The unfair accumulation of in-game currency/“gold” in online games and the conversion of virtual funds into real money.

Theft of source code from the online games server to search for vulnerabilities in games – often linked to point 1.

Theft of source code from the server part of popular online games to further deploy pirate servers.

Let’s look at an example. During our investigation of an infection at a computer game company, we found that malware had been created for a particular service on the company’s server. The malicious program was looking for a specific process running on the server, injected code into it, and then sought out two places in the process code where it could conceal call commands for its function interceptors. Using these function interceptors, the malicious programs modified process data which was processed in those two places, and returned control back. Thus, the attackers change the normal execution of the server processes. Unfortunately, the company was not able to share its targeted application with us, and we cannot say exactly how this malicious interference affected gaming processes. The company concerned told us that the attackers’ aim was to acquire gaming “gold” illegally.

Malicious activity like this has an adverse impact on the game itself, tilting the balance in favor of cheats. But any changes the Winnti team introduces into the game experience are unlikely to be very noticeable. After all, maintaining a skillful balance is the main attribute of online games! Users will simply stop playing if they feel that other players are using non-standard methods to create an advantage beyond normal gameplay or if the game loses its intrinsic competitiveness due to resources or artifacts appearing in the game without the developers’ knowledge. At the same time the attackers are keen for the game to remain popular; otherwise, they would be unable to effectively turn all the time and effort of infecting a gaming company into financial gain.

Members of the Winnti team are patient and cautious. Cybercriminals have affected the processes of the online games from the infected companies and stolen money from them for years, but they have found ways of doing this without attracting attention to themselves.

Source of Attacks

So, who is behind Winnti? While analyzing the malicious files that we detected during our investigation we found some details which may cast some light on the source of the attacks.

As part of our investigation, we monitored exactly what the cybercriminals did on an infected PC. In particular, they they downloaded an auxiliary program ff._exe to the Config.Msi folder on the infected machine. This code searches for HTML, MS Excel, MS Word, Adobe, PowerPoint and MS Works documents and text files (.txt) on the hard drive.

Debugging lines were found in ff._exe_ that possibly point to the nationality of the cybercriminals. They were not immediately noticeable because they looked like this in the editor:

However, during a detailed analysis it emerged that the text is in Chinese Simplified GBK coding. This is what these lines look in Chinese:

Below is a machine translation of this text into English:

Not identify the type of file system

Below is a translation of the text by interpreter

Open the volume failed

Failed to get the file system type

Failed to read volume

Volumes do not open or open failed

Navigate to the root directory of the error

Error memory read pointer

Memory is too small

File does not exist

Failed to get the file mft index sector

Access to file data fail

Volume and open volumes are not the same

The same volume and open volume

In addition, cybercriminals used the AheadLib program to create malicious libraries (for details, see the second part of the article). This is a program with a Chinese interface.

Chinese text was also found in one of the components of the malicious program CmdPlus.dll plug-in:

Translation: The process is complete!!

It would appear that the attackers can at least speak Chinese. However, not everything is so clear cut: because the file transfer plug-in has not been implemented entirely safely, a command which includes the attackers’ local path (where the file comes from and where it is saved to) arrives during the process of downloading/uploading files on the infected system. While monitoring the cybercriminals’ activity on the infected machine, we noticed they uploaded the certificate they found in the infected system, and the network traffic reflected the local path indicating the place where they saved the file on their computer:

These characters appear to be Korean, meaning “desktop”. This means the attackers were working on a Korean Windows operating system. Therefore, we can presume that the attack is not the exclusive work of Chinese-speaking cybercriminals.

Conclusions

Our research revealed long-term oriented large scale cyberespionage campaign of a criminal group with Chinese origins. These attacks are not new, many other security researchers have published details of various cybercriminal groups coming from China. However, current hacking group has distinguishable features that make it stand out among others:

massive abuse of digital signatures; the attackers used digital signatures of one victim company to attack other companies and steal more digital certificates;

usage of kernel level 64-bit signed rootkit;

abusing great variety of public Internet resources to store control commands for the malware in an encrypted form;

sharing/selling stolen certificates to other groups that had different objectives (attacks against Uyghur and Tibetan activists);

stealing source codes and other intellectual property of software developers in online gaming industry.

The malicious program which we call “Winnti” has evolved significantly since it first emerged; however we classify all its variants in two main generations: 1.x and 2.x.

We have published the technical description of the first generation of Winnti in a separate article .

The second generation (2.x) was used to conduct an attack which we investigated during its active stage. We successfully prevented data transfer to the cybercriminals’ server and isolated the infected systems in the company’s local network. The incidents, as well as results of our investigation, are described in the full report on the Winnti group (PDF).

In addition, we discovered that the Winnti group uses a popular backdoor known as PlugX which also has Chinese origins. This backdoor had previously been seen almost exclusively in attacks targeting Tibetan activists.

Read further

Sursa: https://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game

Campanie de spionaj cibernetic care vizeaz? companiile de jocuri online

Kaspersky Lab analizeaz? o campanie de spionaj cibernetic care vizeaz? companiile de jocuri online din întreaga lume. Organiza?ia de infrac?ionalitate cibernetic? “Winnti” compromite sistemele companiilor de jocuri, fur? proprietatea intelectual? ?i certificatele digitale pentru a le folosi în scopuri negative. Echipa de exper?i Kaspersky Lab a publicat ast?zi un raport de cercetare detaliat, care analizeaz? o campanie sus?inut? de spionaj cibernetic, condus? de o organiza?ie de infractori cibernetici, cunoscut? sub numele de “Winnti”.

Potrivit raportului Kaspersky Lab, gruparea Winnti a atacat mai multe companii din industria jocurilor online înc? din 2009, fiind activ? ?i în prezent. Obiectivele grup?rii sunt de a fura certificate digitale cu semn?turi ale furnizorilor legitimi de software ?i proprietate intelectual?, inclusiv codul surs? al proiectelor pentru noi jocuri online.

Primul incident care a atras aten?ia asupra activit??ilor r?u inten?ionate ale grup?rii Winnti a avut loc în toamna anului 2011, când un Troian a fost detectat pe un num?r mare de computere ale utilizatorilor finali din întreaga lume. Leg?tura evident? între computerele infectate era c? toate erau utilizate pentru a juca un joc online foarte popular.

La scurt timp dup? incident, au fost descoperite informa?ii conform c?rora programul malware care infectase computerele utilizatorilor provenea dintr-un update obi?nuit de pe serverul oficial al companiei de jocuri. Utilizatorii afecta?i ?i membrii comunit??ii de juc?tori online au suspectat compania de jocuri ca fiind responsabil? pentru instalarea malware-ului, cu scopul de a-?i spiona clien?ii. Îns?, ulterior s-a dovedit c? programul mali?ios a fost instalat pe computerele juc?torilor în mod accidental, infractorii cibernetici vizând, de fapt, îns??i compania de jocuri.

Ulterior, furnizorul de jocuri online, care de?inea serverele de pe care s-a r?spândit Troianul, a cerut ajutorul exper?ilor Kaspersky Lab ca s? analizeze programul mali?ios. Troianul s-a dovedit a fi o librarie (DLL) compilat? special pentru un mediu Windows de 64-bit, care folosea un driver cu o semn?tur? digital? valid?. Acesta era un instrument de administrare de la distan?? (Remote Administration Tool) complet func?ional, care le oferea atacatorilor posibilitatea de a controla computerele victimelor f?r? ca ace?tia s? î?i dea seama. Descoperirea a fost foarte important? deoarece acest Troian a fost primul program malware descoperit pentru Microsoft Windows 7 pe 64 biti, care avea o semn?tur? digital? valid?.

Exper?ii Kaspersky Lab au început s? analizeze campania grup?rii Winnti. În ultimul an au fost identificate peste 30 de companii din industria de jocuri online care au fost infectate de ace?ti infractori cibernetici, majoritatea dintre ele fiind companii dezvoltatoare de software, care produc jocuri video online în Asia de Sud-Est. Exist? îns? ?i companii de jocuri online din Germania, Statele Unite, Japonia, China, Rusia, Brazilia, Peru ?i Belarus care au fost, de asemenea, victime ale grup?rii Winnti.

Pe lâng? spionajul industrial, exper?ii Kaspersky Lab au identificat trei scheme principale de monetizare care erau folosite de gruparea Winnti pentru a ob?ine profituri ilegale:

Manipulau sumele de bani virtuali ob?inu?i în timpul jocurilor, precum “rune” sau “aur”, folosite de juc?tori, convertindu-i ulterior în bani reali.

Foloseau codul surs? furat de pe serverele jocurilor online pentru a descoperi vulnerabilit??i în jocuri. Aceste erau folosite pentru a dezvolta ?i a accelera manipularea banilor virtuali ?i acumularea lor, f?r? a fi suspecta?i.

Foloseau codul surs? furat de pe serverele jocurilor online populare pentru a lansa propriile servere pirat.

În prezent, gruparea Winnti este înc? activ?, iar cercet?rile Kaspersky Lab sunt în curs de desf??urare. Echipa de exper?i a companiei colaboreaz? cu comunitatea de securitate IT, industria de jocuri online ?i autorit??ile de certificare pentru a identifica alte servere infectate ?i retr?gând, în acela?i timp, certificatele digitale compromise.

Articolul despre cercetarea Kaspersky Lab ?i raportul complet despre campania grup?rii Winnti, incusiv analiza tehnic? în întregime a investiga?iei, sunt disponibile pe Securelist.

Produsele Kaspersky Lab detecteaz? ?i neutralizeaz? aceste programe malware ?i alte versiuni ale lor, folosite de gruparea Winnti, fiind clasificate ca Backdoor.Win32.Winnti, Backdoor.Win64.Winnti, Rootkit.Win32.Winnti ?i Rootkit.Win64.Winnti.

Harta-tarilor-afectate.jpg

Sursa : Campanie de spionaj cibernetic care vizeaz? companiile de jocuri online - Securitate IT

Posted
Winnti. More than just a game

Table of Contents

In the beginning was ...

Digital Certificates

Victims

Winnti C&Cs Structure

Known Malware

The commercial interest

Source of attacks

Conclusions

Kaspersky Lab began this ongoing research in the autumn of 2011. The subject is a series of targeted attacks against private companies around the world.

In the course of our research we uncovered the activity of a hacking group which has Chinese origins. This group was named "Winnti".

According to our estimations, this group has been active for several years and specializes in cyberattacks against the online video game industry. The group’s main objective is to steal source codes for online game projects as well as the digital certificates of legitimate software vendors. In addition, they are very interested in how network infrastructure (including the production of gaming servers) is set up, and new developments such as conceptual ideas, design and more.

We weren't the first to focus on this group and investigate their attacks. In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary's customers – an American video game company.

In the Beginning Was …

In the autumn of 2011, a Trojan was detected on a huge number of computers – all of them linked by the fact that they were used by players of a popular online game. It emerged that the piece of malware landed on users’ computers as part of a regular update from the game’s official update server. Some even suspected that the publisher itself was spying on players. However, it later became clear that the malicious program ended up on the users’ computers by mistake: the cybercriminals were in fact targeting the companies that develop and release computer games.

The computer game publisher whose servers spread the Trojan asked Kaspersky Lab to analyze the malicious program that was found on its update server. It turned out to be a DLL library compiled for a 64-bit Windows environment and even had a properly signed malicious driver.

The malicious DLL landed on gamers’ computers running under either 32-bit or 64-bit operating systems. It couldn’t start in 32-bit environments, but it could, under certain conditions, launch without the user’s knowledge or consent in 64-bit environments, though no such accidental launches have been detected.

The DLL contained a backdoor payload, or, to be exact, the functionality of a fully-fledged Remote Administration Tool (RAT), which gave cybercriminals the ability to control the victim computer without the user’s knowledge.

The malicious module turned out to be the first time we saw Trojan applications for the 64-bit version of Microsoft Windows with a valid digital signature. We had seen similar cases before, but all previous incidents where digital signatures were abused affected only 32-bit applications.

At an early stage of our research, we identified a fair number of similar backdoors, both 32-bit and 64-bit, in our collection of malware samples that were detected under various verdicts. We grouped them together into a separate family. Symantec appears to be the first to name these malicious programs; we kept Symantec’s name – Winnti – in the name of the malware family we created: Backdoor.Win32(Win64).Winnti. As for the people behind these attacks involving this remote administration tool, we ended up calling them “the Winnti group”.

Interestingly, the digital signature belonged to another video game vendor - a private company known as KOG, based in South Korea. This company’s main business was MMRPG games, exactly the same area as the first victim.

We contacted KOG, whose certificate was used to sign the malicious software, and notified Verisign, which issued the certificate for KOG. As a result the certificate was revoked.

Digital Certificates

When we discovered the first stolen digital certificate we didn't realize that stealing the certificates and signing malware for future attacks against other targets was the preferred method of this group. Over the next 18 months we discovered more than a dozen similar compromised digital certificates.

Moreover, we found that those digital certificates seemed to have been used in attacks organized by other hacking groups, presumably coming from China.

For example, in an attack against South Korean social networks Cyworld and Nate in 2011 the attackers used a Trojan that was digitally signed using a certificate of from the gaming company YNK Japan Inc.

A digital certificate of the same company was used recently (March 2013) in Trojans deployed against Tibetan and Uyghur activists. In fact, this story dates back to 2011. We highly recommend this Norman blogpost about a similar incident.

At the same time, in March 2013, Uyghur activists were targeted by other malware, which was digitally signed by another gaming company called MGAME Corp.

We believe that the source of all these stolen certificates could be the same Winnti group. Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China.

Below is the list of known compromised companies and digital certificates used by the Winnti group in different campaigns:

Company Serial number Country

ESTsoft Corp 30 d3 fe 26 59 1d 8e ac 8c 30 66 7a c4 99 9b d7 South Korea

Kog Co., Ltd. 66 e3 f0 b4 45 9f 15 ac 7f 2a 2b 44 99 0d d7 09 South Korea

LivePlex Corp 1c aa 0d 0d ad f3 2a 24 04 a7 51 95 ae 47 82 0a South Korea/ Philippines

MGAME Corp 4e eb 08 05 55 f1 ab f7 09 bb a9 ca e3 2f 13 cd South Korea

Rosso Index KK 01 00 00 00 00 01 29 7d ba 69 dd Japan

Sesisoft 61 3e 2f a1 4e 32 3c 69 ee 3e 72 0c 27 af e4 ce South Korea

Wemade 61 00 39 d6 34 9e e5 31 e4 ca a3 a6 5d 10 0c 7d Japan/South Korea/US

YNK Japan 67 24 34 0d db c7 25 2f 7f b7 14 b8 12 a5 c0 4d Japan

Guangzhou YuanLuo 0b 72 79 06 8b eb 15 ff e8 06 0d 2c 56 15 3c 35 China

Fantasy Technology Corp 75 82 f3 34 85 aa 26 4d e0 3b 2b df 74 e0 bf 32 China

Neowiz 5c 2f 97 a3 1a bc 32 b0 8c ac 01 00 59 8f 32 f6 South Korea

Victims

It’s tempting to assume that Advanced Persistent Threats (APTs) primarily target high-level institutions: government agencies, ministries, the military, political organizations, power stations, chemical plants, critical infrastructure networks and so on. In this context it seems unlikely that a commercial company would be at risk unless it was operating on the scale of Google, Adobe or The New York Times, which was recently targeted by a cyberattack, and this perception is reinforced by the publicity that attacks on corporations and government organizations usually receive. However, any company with data that can be effectively monetized is at risk from APTs. This is exactly what we encountered here: it was not a governmental, political, military, or industrial organization but gaming companies that were targeted.

It’s difficult to name all the victims of the Winnti team. Judging by the information that we have at our disposal – namely the tags within malicious programs, the names of the C&C domains, the companies whose digital certificates were stolen to sign malware, and the countries where detection notifications came from – we can say that at least 35 companies have been infected by Winnti malware at some time.

Countries where the affected companies are located:

Asia Europa South America North America

Vietnam Belarus Brazil USA

India Germany Peru

Indonesia Russia

China

Taiwan

Thailand

Phillipines

S. Korea

Japan

This data demonstrates that the Winnti team is targeting gaming companies located in various parts of the world, albeit with a strong focus on SE Asia.

Countries where gaming companies have been affected

Such geographic diversity is hardly surprising. Often, gaming companies (both publishers and developers) are international, having representatives and offices worldwide. Also, it is common practice for gaming companies from various regions to cooperate. The developers of a game may be located in a different country from its publisher. When a game later reaches markets in regions away from its initial ‘home’, it is often localized and published by other publishers. In the course of this cooperation, the partner companies often grant each other access to network resources to exchange data associated with the gaming content, including distribution kits, gaming resources, resource assembly kits, etc. If one company in the network gets infected, it’s easy for the cybercriminals to spread the infection throughout the partnership chain.

Winnti C&Cs Structure

During the investigation, we identified over a hundred malicious programs, every single one compiled to attack a particular company. Typically, separate C&C domains were assigned to each targeted company. Virtually all the C&C domains were arranged as follows: a second-level domain was created without a DNS A-record, i.e., there was no IP address assigned to it.

In case there was an A-record, the assigned IP address was typically 127.0.0.1. It is also noteworthy that some of the second-level domains that the cybercriminals created for their C&C had very similar names to the domain hosting the site of a certain real gaming company. And the malicious users’ domain was resolved to the same IP address which the site of the real gaming company used. In any case, the third-level domains resolved to IP addresses assigned to the attackers’ actual C&C servers.

C&C domain naming and resolution

Sometimes the Winnti team registered their C&C units with public hosts. Judging by the samples identified, these C&C centers were subdomains of such domains as 6600.org, 8866.org, 9966.org or ddns.net.

From the names of the C&C domains or subdomains, the attack targets or countries of residence could be guessed, as in:

ru.gcgame.info

kr.zzsoft.info

jp.xxoo.co

us.nhntech.com

fs.nhntech.com

as.cjinternet.us

The subdomains “ru”, “kr”, ”jp” and “us” most probably mean that these C&C servers manage bots hosted on the computers of companies located in Russia, South Korea, Japan and the US respectively, while “fs” and “as” are acronyms for the names of the companies being attacked.

Sometimes Winnti’s malicious programs had a local IP address, such as 192.168.1.136, specified in their settings for the C&C. This could mean that at some point of time there was an infected computer that did not have a connection to the Internet, but the cybercriminals needed control over it (it may have been infected while malware was spread via a corporate network). In this case, the cybercriminals deployed a dedicated local C&C server on another compromised computer within the same local network which did have an Internet connection; via that C&C, the first victim computer could be controlled. System administrators often try to isolate critical computers from the outside world. This decreases the probability of haphazard infection, but, apparently, does not always help in a targeted attack.

In the Winnti samples that were detected and analyzed, we found 36 unique C&C domains. Most probably, this is only a small portion of all existing Winnti C&C domains, as we only managed to obtain some of the samples from this malware family. This is hardly surprising since these malicious programs are used to execute targeted attacks, so no information is available about many instances of infection; for this reason, we have no way of obtaining samples of the malware used in these undisclosed attacks.

Domain names used in the attacks we discovered:

newpic.dyndns.tv lp.zzsoft.info ru.gcgame.info

update.ddns.net lp.gasoft.us kr.jcrsoft.com

nd.jcrsoft.com eya.jcrsoft.com wm.ibm-support.net

cc.nexoncorp.us ftpd.9966.org fs.nhntech.com

kr.zzsoft.info kr.xxoo.co docs.nhnclass.com

as.cjinternet.us wi.gcgame.info rh.jcrsoft.com

ca.zzsoft.info tcp.nhntech.com wm.nhntech.com

sn.jcrsoft.com ka.jcrsoft.com wm.myxxoo.com

lp.apanku.com my.zzsoft.info ka.zzsoft.info

sshd.8866.org jp.jcrsoft.com ad.jcrsoft.com

ftpd.6600.org su.cjinternet.us my.gasoft.us

tcpiah.googleclick.net vn.gcgame.info

rss.6600.org ap.nhntech.com

Knowing the 2nd level domains used by Winnti, we brute forced through all 3rd level subdomains up to 4 symbols long, and identified those that have the IP addresses of real servers assigned to them. Having searched through subdomains for a total of 12 2nd level domains, we identified 227 “live” 3rd level domains. Many of them are C&C servers for Winnti-class malware that have hitherto remained unidentified.

Analyzing the WHOIS data for the 12 2nd level domains, we found the following list of email addresses used for registration:

evilsex@gmail.com

jslee.jcr@gmail.com

whoismydns@gmail.com

googl3@live.com

wzcc@cnkker.com

apanku2009@gmail.com

For some of these domains, registration data proved to be the same as those for the domain google.com:

Registrant: Google Inc.

1600 Amphitheatre Parkwa

Mountain Vie, California 94043

United States

+1.6503300100

Judging by the domain registration data, the Winnti team started their criminal activities at least in 2007. Their early domains were involved in spreading rogue antiviruses (FakeAV). From 2009 onwards, domains began to emerge hosting C&C servers for bots used to infect gaming companies. Apparently, the cybercriminals graduated to relatively large-scale penetrations into the corporate networks of gaming companies starting from 2010.

Known Malware

The attackers’ favorite tool is the malicious program we called "Winnti". It has evolved since its first use, but all variants can be divided into two generations: 1.x and 2.x. Our publication describes both variants of this tool.

In our report we publish an analysis of the first generation of Winnti.

The second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping the victim to interrupt data transfer and isolate infections in the corporate network. This incident and our investigation is described in detail here.

In addition to that, we have observed the use of a popular backdoor known as PlugX, which is believed to have Chinese origins. Previously, this had only been used in attacks against Tibetan activists.

The Commercial Interest

As has been stated above, APTs can target any commercial company if cybercriminals find a way to make a profit from the attack.

So which methods do cybercriminals use to generate illicit earnings from attacks on gaming companies?

Based on the available information, we have singled out three main monetization schemes that could be used by the Winnti team.

The unfair accumulation of in-game currency/“gold” in online games and the conversion of virtual funds into real money.

Theft of source code from the online games server to search for vulnerabilities in games – often linked to point 1.

Theft of source code from the server part of popular online games to further deploy pirate servers.

Let’s look at an example. During our investigation of an infection at a computer game company, we found that malware had been created for a particular service on the company’s server. The malicious program was looking for a specific process running on the server, injected code into it, and then sought out two places in the process code where it could conceal call commands for its function interceptors. Using these function interceptors, the malicious programs modified process data which was processed in those two places, and returned control back. Thus, the attackers change the normal execution of the server processes. Unfortunately, the company was not able to share its targeted application with us, and we cannot say exactly how this malicious interference affected gaming processes. The company concerned told us that the attackers’ aim was to acquire gaming “gold” illegally.

Malicious activity like this has an adverse impact on the game itself, tilting the balance in favor of cheats. But any changes the Winnti team introduces into the game experience are unlikely to be very noticeable. After all, maintaining a skillful balance is the main attribute of online games! Users will simply stop playing if they feel that other players are using non-standard methods to create an advantage beyond normal gameplay or if the game loses its intrinsic competitiveness due to resources or artifacts appearing in the game without the developers’ knowledge. At the same time the attackers are keen for the game to remain popular; otherwise, they would be unable to effectively turn all the time and effort of infecting a gaming company into financial gain.

Members of the Winnti team are patient and cautious. Cybercriminals have affected the processes of the online games from the infected companies and stolen money from them for years, but they have found ways of doing this without attracting attention to themselves.

Source of Attacks

So, who is behind Winnti? While analyzing the malicious files that we detected during our investigation we found some details which may cast some light on the source of the attacks.

As part of our investigation, we monitored exactly what the cybercriminals did on an infected PC. In particular, they they downloaded an auxiliary program ff._exe to the Config.Msi folder on the infected machine. This code searches for HTML, MS Excel, MS Word, Adobe, PowerPoint and MS Works documents and text files (.txt) on the hard drive.

Debugging lines were found in ff._exe_ that possibly point to the nationality of the cybercriminals. They were not immediately noticeable because they looked like this in the editor:

However, during a detailed analysis it emerged that the text is in Chinese Simplified GBK coding. This is what these lines look in Chinese:

Below is a machine translation of this text into English:

Not identify the type of file system

Below is a translation of the text by interpreter

Open the volume failed

Failed to get the file system type

Failed to read volume

Volumes do not open or open failed

Navigate to the root directory of the error

Error memory read pointer

Memory is too small

File does not exist

Failed to get the file mft index sector

Access to file data fail

Volume and open volumes are not the same

The same volume and open volume

In addition, cybercriminals used the AheadLib program to create malicious libraries (for details, see the second part of the article). This is a program with a Chinese interface.

Chinese text was also found in one of the components of the malicious program CmdPlus.dll plug-in:

Translation: The process is complete!!

It would appear that the attackers can at least speak Chinese. However, not everything is so clear cut: because the file transfer plug-in has not been implemented entirely safely, a command which includes the attackers’ local path (where the file comes from and where it is saved to) arrives during the process of downloading/uploading files on the infected system. While monitoring the cybercriminals’ activity on the infected machine, we noticed they uploaded the certificate they found in the infected system, and the network traffic reflected the local path indicating the place where they saved the file on their computer:

These characters appear to be Korean, meaning “desktop”. This means the attackers were working on a Korean Windows operating system. Therefore, we can presume that the attack is not the exclusive work of Chinese-speaking cybercriminals.

Conclusions

Our research revealed long-term oriented large scale cyberespionage campaign of a criminal group with Chinese origins. These attacks are not new, many other security researchers have published details of various cybercriminal groups coming from China. However, current hacking group has distinguishable features that make it stand out among others:

massive abuse of digital signatures; the attackers used digital signatures of one victim company to attack other companies and steal more digital certificates;

usage of kernel level 64-bit signed rootkit;

abusing great variety of public Internet resources to store control commands for the malware in an encrypted form;

sharing/selling stolen certificates to other groups that had different objectives (attacks against Uyghur and Tibetan activists);

stealing source codes and other intellectual property of software developers in online gaming industry.

The malicious program which we call “Winnti” has evolved significantly since it first emerged; however we classify all its variants in two main generations: 1.x and 2.x.

We have published the technical description of the first generation of Winnti in a separate article .

The second generation (2.x) was used to conduct an attack which we investigated during its active stage. We successfully prevented data transfer to the cybercriminals’ server and isolated the infected systems in the company’s local network. The incidents, as well as results of our investigation, are described in the full report on the Winnti group (PDF).

In addition, we discovered that the Winnti group uses a popular backdoor known as PlugX which also has Chinese origins. This backdoor had previously been seen almost exclusively in attacks targeting Tibetan activists.

Read further

Sursa: https://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game

Campanie de spionaj cibernetic care vizeaz? companiile de jocuri online

Kaspersky Lab analizeaz? o campanie de spionaj cibernetic care vizeaz? companiile de jocuri online din întreaga lume. Organiza?ia de infrac?ionalitate cibernetic? “Winnti” compromite sistemele companiilor de jocuri, fur? proprietatea intelectual? ?i certificatele digitale pentru a le folosi în scopuri negative. Echipa de exper?i Kaspersky Lab a publicat ast?zi un raport de cercetare detaliat, care analizeaz? o campanie sus?inut? de spionaj cibernetic, condus? de o organiza?ie de infractori cibernetici, cunoscut? sub numele de “Winnti”.

Potrivit raportului Kaspersky Lab, gruparea Winnti a atacat mai multe companii din industria jocurilor online înc? din 2009, fiind activ? ?i în prezent. Obiectivele grup?rii sunt de a fura certificate digitale cu semn?turi ale furnizorilor legitimi de software ?i proprietate intelectual?, inclusiv codul surs? al proiectelor pentru noi jocuri online.

Primul incident care a atras aten?ia asupra activit??ilor r?u inten?ionate ale grup?rii Winnti a avut loc în toamna anului 2011, când un Troian a fost detectat pe un num?r mare de computere ale utilizatorilor finali din întreaga lume. Leg?tura evident? între computerele infectate era c? toate erau utilizate pentru a juca un joc online foarte popular.

La scurt timp dup? incident, au fost descoperite informa?ii conform c?rora programul malware care infectase computerele utilizatorilor provenea dintr-un update obi?nuit de pe serverul oficial al companiei de jocuri. Utilizatorii afecta?i ?i membrii comunit??ii de juc?tori online au suspectat compania de jocuri ca fiind responsabil? pentru instalarea malware-ului, cu scopul de a-?i spiona clien?ii. Îns?, ulterior s-a dovedit c? programul mali?ios a fost instalat pe computerele juc?torilor în mod accidental, infractorii cibernetici vizând, de fapt, îns??i compania de jocuri.

Ulterior, furnizorul de jocuri online, care de?inea serverele de pe care s-a r?spândit Troianul, a cerut ajutorul exper?ilor Kaspersky Lab ca s? analizeze programul mali?ios. Troianul s-a dovedit a fi o librarie (DLL) compilat? special pentru un mediu Windows de 64-bit, care folosea un driver cu o semn?tur? digital? valid?. Acesta era un instrument de administrare de la distan?? (Remote Administration Tool) complet func?ional, care le oferea atacatorilor posibilitatea de a controla computerele victimelor f?r? ca ace?tia s? î?i dea seama. Descoperirea a fost foarte important? deoarece acest Troian a fost primul program malware descoperit pentru Microsoft Windows 7 pe 64 biti, care avea o semn?tur? digital? valid?.

Exper?ii Kaspersky Lab au început s? analizeze campania grup?rii Winnti. În ultimul an au fost identificate peste 30 de companii din industria de jocuri online care au fost infectate de ace?ti infractori cibernetici, majoritatea dintre ele fiind companii dezvoltatoare de software, care produc jocuri video online în Asia de Sud-Est. Exist? îns? ?i companii de jocuri online din Germania, Statele Unite, Japonia, China, Rusia, Brazilia, Peru ?i Belarus care au fost, de asemenea, victime ale grup?rii Winnti.

Pe lâng? spionajul industrial, exper?ii Kaspersky Lab au identificat trei scheme principale de monetizare care erau folosite de gruparea Winnti pentru a ob?ine profituri ilegale:

Manipulau sumele de bani virtuali ob?inu?i în timpul jocurilor, precum “rune” sau “aur”, folosite de juc?tori, convertindu-i ulterior în bani reali.

Foloseau codul surs? furat de pe serverele jocurilor online pentru a descoperi vulnerabilit??i în jocuri. Aceste erau folosite pentru a dezvolta ?i a accelera manipularea banilor virtuali ?i acumularea lor, f?r? a fi suspecta?i.

Foloseau codul surs? furat de pe serverele jocurilor online populare pentru a lansa propriile servere pirat.

În prezent, gruparea Winnti este înc? activ?, iar cercet?rile Kaspersky Lab sunt în curs de desf??urare. Echipa de exper?i a companiei colaboreaz? cu comunitatea de securitate IT, industria de jocuri online ?i autorit??ile de certificare pentru a identifica alte servere infectate ?i retr?gând, în acela?i timp, certificatele digitale compromise.

Articolul despre cercetarea Kaspersky Lab ?i raportul complet despre campania grup?rii Winnti, incusiv analiza tehnic? în întregime a investiga?iei, sunt disponibile pe Securelist.

Produsele Kaspersky Lab detecteaz? ?i neutralizeaz? aceste programe malware ?i alte versiuni ale lor, folosite de gruparea Winnti, fiind clasificate ca Backdoor.Win32.Winnti, Backdoor.Win64.Winnti, Rootkit.Win32.Winnti ?i Rootkit.Win64.Winnti.

Harta-tarilor-afectate.jpg

Sursa : Campanie de spionaj cibernetic care vizeaz? companiile de jocuri online - Securitate IT

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...