South Korean video gaming company Gravity is the latest victim of the China-linked threat actor tracked as the Winnti Group, security researchers say.
Active since at least 2009 and operating under the same umbrella as Axiom, Barium, Group 72, Blackfly, and APT41, the threat group is known for the targeting of organizations in the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.
Over the past half year, the adversary was observed employing various new backdoors in attacks, including PortReuse and the Microsoft SQL-targeting skip-2.0, along with a new variant of the ShadowPad backdoor.
In a report released earlier this month, BlackBerry security researchers revealed that the Winnti Group, along with other China-linked cyber-espionage groups — this includes PASSCV, BRONZE UNION (EMISSARY PANDA), CASPER (LEAD), and WLNXSPLINTER — have been systematically targeting Linux servers for years.
This week, QuoIntelligence (QuoINT) published a report claiming that the Winnti hackers have targeted South Korean video gaming company Gravity, which is best known for the massive multiplayer online role-playing game (MMORPG) Ragnarok Online.
A sample resembling a Winnti dropper previously described by ESET was submitted to a public online malware scanning service, and analysis of the binary revealed the potential targeting, QuoINT’s security researchers say.
“[W]e were able to extract the malware’s configuration file and identify the intended target. […] Based on previous knowledge and targeting of the Winnti Group, we assess that this sample was likely used to target Gravity Co., Ltd., a South Korean video game company,” QuoINT says.
Previous reporting on the Winnti hackers also revealed a command and control (C&C) server associated with the campaign identifier GRA KR 0629, which might be related to the recently identified attack, although no further evidence to support the link has been discovered.
QuoINT also discovered that the Winnti Group targeted a chemicals company in Germany earlier this year, with a malware sample apparently built in 2015. The same as the sample purportedly aimed at Gravity, this malware variant had the target’s name embedded in the code.
The attack on the German company involved the use of a binary to bypass driver verification and install the attackers’ drivers, a vulnerable VirtualBox driver, and rootkit drivers. The attackers relied on DNS tunneling for C&C communication.
“The Winnti Group has exhibited their ability to breach different organizations and conduct sophisticated attack operations, typically motivated by espionage and financial gain, with various TTPs and malware toolkits. While attribution is not concrete due to the complexity of the group, there are links that can be drawn between operations which suggest the threat actors purporting the attacks are likely operating within the Winnti Group, or at least sharing resources,” QuoINT concludes.