Kaspersky Lab Analyzes Active Cyberespionage Campaign
Kaspersky Lab Analyzes Active Cyberespionage Campaign Targeting Online Gaming CompaniesWorldwide
Today Kaspersky Lab’s team ofexperts published a detailed research report that analyzes a sustainedcyberespionage campaign conducted by the cybercriminal organization known as“Winnti.” According to Kaspersky Lab’sreport, the Winnti group has been attacking companies in the online gamingindustry since 2009 and is currently still active. The group’s objectives arestealing digital certificates signed by legitimate software vendors in additionto intellectual property theft, including the source code of online gameprojects. The first incident that drewattention to the Winnti group’s malicious activities occurred in the autumn of2011, when a malicious Trojan was detected on a large number of end-usercomputers across the globe. The clear link between all of the infectedcomputers is that that they were used to play a popular online game. Shortlyafter the incident, details emerged that the malicious program which hadinfected the users’ computers was part of a regular updatefrom thegamingcompany’s officialserver.Infected usersandmembers ofthe gaming community suspectedthe computer game publisher was installing the malware to spyon itscustomers.However, itlaterbecame clearthatthe maliciousprogramwas installed on the players’ computers byaccident, and that the cybercriminals were actually targeting the computer gamecompany itself. In response, the computer gamepublisher that owned the servers which spread the Trojan to its users askedKaspersky Lab to analyze the malicious program. The Trojan turned out to be aDLL library compiled for a 64-bit Windows environment and used a properlysigned malicious drive. It was a fully functionally Remote Administration Tool(RAT), which gives attackerstheability tocontrola victim’scomputerwithout theuser’sknowledge. Th e fi n d i n gw a s s i g n i fi c a n ta sth i s T ro j a nw a sth e fi rs tm a l i c i o u sp ro g ra m o na64 - bi t v e r s i o n o f M i cr o s o f t W i nd o w s 7 t ha t ha d a v a l i d d i g i t a l s i g na t u re . Kaspersky Lab’s experts begananalyzing the Winnti group’s campaign and found that more than 30 companies inthe online gaming industry had been infected by the Winnti group, with themajority being software development companies producing online video games inSouth East Asia. However, online gaming companies located in Germany, theUnited States, Japan, China, Russia, Brazil, Peru, and Belarus were alsoidentified as victims of the Winnti group. In addition to industrialespionage, Kaspersky Lab’s experts have identified three main monetizationschemes that could be used by the Winnti group to generate an illegal profit: • Manipulatethe accumulation of in-game currency, such as “runes” or “gold” that’s used byplayers and convert the accumulated virtual money into real money;• Usethe stolen source code from online game servers to search forvulnerabilitiesinside games toaugment and acceleratethe manipulation ofin-game currency andits accumulation without suspicion;• Usethe stolen source code from servers of popular online games in order to deploytheirown pirated servers. Currently the Winnti group isstill active and Kaspersky Lab’s investigation is ongoing. The company’steam ofexpertshas beendiligentlyworking withtheIT securitycommunity, onlinegaming industryandcertificate authoritiestoidentify additionalinfectedservers while assisting with the revocationof stolen digital certificates. Toread KasperskyLab’sresearch postandthe fullreportabout theWinntigroup’s campaign, including a complete technical analysis of the investigation, please visitSecurelist. KasperskyLab’s productsdetect and neutralizethe malicious programsand its variantsused by the Winnti group, classified asBa c k d o o r . W i n 32. W i n n ti , Ba c k d o o r . W i n 64. W i n n t i , R o o t k i t . W i n 32. W i n nt i a n d R o o t k i t . W i n 64. W i n nt i .
Pages:
[1]