Winnti: an attack on supply chains - Asian game developers are at the forefront
This is not the first time that attackers have attacked the gaming industry, compromised developers, added backdoors to the game’s build environment, and then distributed malware under the guise of a legitimate one. In April 2013, Kaspersky Lab reported a similar incident. This attack is attributed to a cybergroup called Winnti.
Recently, ESET experts have been attracted by new attacks on supply chains. Two games and one gaming platform were compromised to introduce a backdoor. These attacks target Asia and the gaming industry, with Winnti again behind them.
Despite the different malware configurations, the three compromised software products included the same backdoor code and started using the same mechanism. Now there are no backdoors in two products, but one is still distributed in a trojanized version - ironically, this game is called Infestation, which is released by the Thai company Extreme Extreme. We have been trying to contact the developer since the beginning of February, but so far to no avail.
We will analyze how the malicious payload is introduced, and then consider the backdoor in detail.
The payload code runs during the execution of the trojanized executable. Immediately after the PE entry point, the standard C Runtime initialization call (
Figure 1. Net entry point to an executable file
. 2. Entry point of a compromised executable file.
The code added to the executable decrypts and launches the backdoor in RAM before resuming normal execution of the C Runtime initialization code and subsequent host application code. The built-in payload has a special structure, shown in the figure below, which is interpreted by the added decompression code.
Figure 3. Built-in payload structure. It
contains the RC4 key (encrypted XOR with 0x37), which is used to decrypt the file name and embedded DLL file.
The actual malicious payload contains only 17 KB of code and data.
The configuration data shown in the figure below is a list of lines separated by spaces.
Figure 4. Payload configuration data The configuration
consists of four fields:
We identified five versions of the payload:
In the first three options, the code was not recompiled, but the configuration data was edited in the DLL file itself. The rest of the content is a byte copy.
Domain names are chosen in such a way as to resemble the sites of developers of compromised applications. The top-level domain is configured to redirect to the corresponding legitimate site using the Namecheap service, while the subdomain indicates a malicious C&C server.
At the time of this writing, none of the domains is available, C & C-servers are not responding.
The bot ID is generated from the MAC address of the machine. The backdoor transmits machine information to the C&C server, including username, computer name, Windows version and system language, and then waits for a command. Data is encrypted with XOR using the “
A simple backdoor supports only four teams that can be used by attackers:
-
-
-
-
The names of the teams speak for themselves. They allow attackers to run additional executables from a given URL.
Perhaps the last command is less obvious.
After starting the payload, the value from the registry is requested and, if specified, execution is canceled. Perhaps the attackers are trying to reduce the load on their C&C servers by avoiding callbacks from victims of no interest.
According to telemetry, one of the second-stage payloads sent to victims is Win64 / Winnti.BN. As far as we can tell, the dropper of this malware is downloaded via HTTPs
- cscsrv.dll
- dwmsvc.dll
- iassrv.dll
- mprsvc.dll
- nlasrv.dll
- powfsvc.dll
- racsvc.dll
- slcsvc. dll
- snmpsvc.dll
- sspisvc.dll
The samples we analyzed were large enough - about 60 MB. However, this is only visibility, since the actual size or PE file is from 63 to 72 KB, depending on the version. A lot of clean ones are simply added to malicious files. This is likely to be done by a component that resets and installs a malicious service.
After starting the service, it adds the extension to its DLL path
Recent malware versions include an auto-update mechanism using a C&C server
Let's start with those who the campaign is not specifically targeted at. At the beginning of the payload, the malware checks whether the system language is Russian or Chinese (see the figure below). If the answer is yes, the program stops working. It is impossible to get around this exception - attackers are not fundamentally interested in computers with these language settings.
Figure 5. Checking the language before launching the payload
According to telemetry, most infections occurred in Asia, especially Thailand. Given the popularity of the compromised application, which is still being distributed by the developer, it is not surprising if the number of victims amounts to tens and hundreds of thousands.
Supply chain attacks are hard to detect on the user side. It is impossible to analyze all running software, as well as all recommended updates. By default, the user trusts the developers and assumes that their files do not contain malicious code. This is probably why several cybergroups are targeting attacks on software vendors - compromising will allow creating a botnet, the size of which is comparable to the popularity of trojanized software. This tactic has a downside - when the scheme is revealed, attackers will lose control of the botnet, and users will be able to clean the system by installing the next update.
The motives of the Winnti cybergroup are currently unknown. Perhaps the attackers are looking for financial gain or are planning to use the botnet as part of a larger operation.
ESET products detect the threat as Win32 / HackedApp.Winnti.A, Win32 / HackedApp.Winnti.B, the payload as Win32 / Winnti.AG, the second stage as Win64 / Winnti.BN.
Indicators of compromise are available here .
Recently, ESET experts have been attracted by new attacks on supply chains. Two games and one gaming platform were compromised to introduce a backdoor. These attacks target Asia and the gaming industry, with Winnti again behind them.
Three cases, one backdoor
Despite the different malware configurations, the three compromised software products included the same backdoor code and started using the same mechanism. Now there are no backdoors in two products, but one is still distributed in a trojanized version - ironically, this game is called Infestation, which is released by the Thai company Extreme Extreme. We have been trying to contact the developer since the beginning of February, but so far to no avail.
We will analyze how the malicious payload is introduced, and then consider the backdoor in detail.
Payload Implementation
The payload code runs during the execution of the trojanized executable. Immediately after the PE entry point, the standard C Runtime initialization call (
__scrt_common_main_seh
in the figure below) is intercepted to launch the malicious payload before anything else (Figure 2). This may indicate that the attackers changed the assembly configuration, and not the source code itself. Figure 1. Net entry point to an executable file
. 2. Entry point of a compromised executable file.
The code added to the executable decrypts and launches the backdoor in RAM before resuming normal execution of the C Runtime initialization code and subsequent host application code. The built-in payload has a special structure, shown in the figure below, which is interpreted by the added decompression code.
Figure 3. Built-in payload structure. It
contains the RC4 key (encrypted XOR with 0x37), which is used to decrypt the file name and embedded DLL file.
Malicious Payload
The actual malicious payload contains only 17 KB of code and data.
Configuration
The configuration data shown in the figure below is a list of lines separated by spaces.
Figure 4. Payload configuration data The configuration
consists of four fields:
- URL of the managing C & C server.
- The variable (t) used to determine the timeout in milliseconds before continuing. The waiting time is selected in the range from 2/3 to 5/3 t randomly.
- Line identifying the campaign.
- A list of executable file names, separated by a semicolon. If any of them works, the backdoor stops its execution.
We identified five versions of the payload:
In the first three options, the code was not recompiled, but the configuration data was edited in the DLL file itself. The rest of the content is a byte copy.
C&C Infrastructure
Domain names are chosen in such a way as to resemble the sites of developers of compromised applications. The top-level domain is configured to redirect to the corresponding legitimate site using the Namecheap service, while the subdomain indicates a malicious C&C server.
At the time of this writing, none of the domains is available, C & C-servers are not responding.
Study report
The bot ID is generated from the MAC address of the machine. The backdoor transmits machine information to the C&C server, including username, computer name, Windows version and system language, and then waits for a command. Data is encrypted with XOR using the “
*&b0i0rong2Y7un1
” key and base64 encoded. Data received from the C&C server is encrypted using the same key.Teams
A simple backdoor supports only four teams that can be used by attackers:
-
DownUrlFile
-
DownRunUrlFile
-
RunUrlBinInMem
-
UnInstall
The names of the teams speak for themselves. They allow attackers to run additional executables from a given URL.
Perhaps the last command is less obvious.
UnInstall
does not remove malware from the system. In the end, it is embedded in a legitimate executable file that will still run. Instead of deleting something, the command disables the malicious code by setting the value to 1 for the registry key:HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ImageFlag
After starting the payload, the value from the registry is requested and, if specified, execution is canceled. Perhaps the attackers are trying to reduce the load on their C&C servers by avoiding callbacks from victims of no interest.
Second phase
According to telemetry, one of the second-stage payloads sent to victims is Win64 / Winnti.BN. As far as we can tell, the dropper of this malware is downloaded via HTTPs
api.goallbandungtravel[.]com
. We saw that it was installed as a Windows service and as a DLL in C:\Windows\System32
, using the following file names: - cscsrv.dll
- dwmsvc.dll
- iassrv.dll
- mprsvc.dll
- nlasrv.dll
- powfsvc.dll
- racsvc.dll
- slcsvc. dll
- snmpsvc.dll
- sspisvc.dll
The samples we analyzed were large enough - about 60 MB. However, this is only visibility, since the actual size or PE file is from 63 to 72 KB, depending on the version. A lot of clean ones are simply added to malicious files. This is likely to be done by a component that resets and installs a malicious service.
After starting the service, it adds the extension to its DLL path
.mui
and decrypts it using RC5. The decrypted MUI file contains position-independent code with an offset of 0. The RC5 key is obtained from the serial number of the hard disk and the line “ f@Ukd!rCto R$.
”. We could not get either the MUI files or the code that installs them first. Thus, the exact purpose of the malicious service is unknown to us.Recent malware versions include an auto-update mechanism using a C&C server
http://checkin.travelsanignacio[.]com
. This server served the latest version of the MUI files encrypted with the RC5 static key. In the course of our research, this C&C server did not respond.Goals
Let's start with those who the campaign is not specifically targeted at. At the beginning of the payload, the malware checks whether the system language is Russian or Chinese (see the figure below). If the answer is yes, the program stops working. It is impossible to get around this exception - attackers are not fundamentally interested in computers with these language settings.
Figure 5. Checking the language before launching the payload
Distribution statistics
According to telemetry, most infections occurred in Asia, especially Thailand. Given the popularity of the compromised application, which is still being distributed by the developer, it is not surprising if the number of victims amounts to tens and hundreds of thousands.
Conclusion
Supply chain attacks are hard to detect on the user side. It is impossible to analyze all running software, as well as all recommended updates. By default, the user trusts the developers and assumes that their files do not contain malicious code. This is probably why several cybergroups are targeting attacks on software vendors - compromising will allow creating a botnet, the size of which is comparable to the popularity of trojanized software. This tactic has a downside - when the scheme is revealed, attackers will lose control of the botnet, and users will be able to clean the system by installing the next update.
The motives of the Winnti cybergroup are currently unknown. Perhaps the attackers are looking for financial gain or are planning to use the botnet as part of a larger operation.
ESET products detect the threat as Win32 / HackedApp.Winnti.A, Win32 / HackedApp.Winnti.B, the payload as Win32 / Winnti.AG, the second stage as Win64 / Winnti.BN.
Indicators of compromise are available here .