The Winnti Group is a cybercrime organization that has been operating for nearly a decade. The first traces of Winnti Group activity were spotted in 2011. The group is also known as APT41 (APT standing for Advanced Persistent Threat). The Winnti Group tends to target companies involved in game and software development. Usually, the Winnti Group misappropriates genuine software and weaponizes it for its campaigns. One of the most popular hacking tools in its arsenal is the Winnti backdoor, from which the group's name is derived.
PipeMon Main Objective
One of the most recent campaigns of the Winnti Group targeted video game development companies located in South Korea and Taiwan. The companies in question develop MMO (Massively Multiplayer Online) games, which are rather popular and have users in the hundreds of thousands. In this operation, the Winnti Group used a new hacking tool called PipeMon. This new piece of malware is a Trojan backdoor that allows the attackers to take over a targeted system and perform a wide variety of actions. Furthermore, the PipeMon Trojan backdoor is capable of lateral movement through the network of the compromised system.
The Winnti Group has used the PipeMon Trojan for different purposes. The PipeMon threat allowed its operators to infect a server belonging to their target and then alter the in-game economy of the game: currency, item prices, deals, etc. Experts speculate that this could be used to generate large amounts of in-game currency, which the attackers can exchange for real money. In an even more cunning operation, the Winnti Group managed to carry out a supply-chain attack by infiltrating a server used to build the executables for various updates. This may allow the attackers to plant malicious code in the update executables.
What are the Consequences of a PipeMon Attack?
To obtain persistence on the compromised host, the PipeMon Trojan registers its malicious code as a ‘Print Processor.’ This means that whenever the victim's machine starts the ‘Print Spooler’ service, the service loads the PipeMon threat as well. Once the PipeMon malware has compromised a targeted system, it connects to the attackers’ C&C (Command & Control) server and awaits instructions. The PipeMon Trojan is able to:
- List files and folders present on the system.
- Collect information and credentials related to RDP (Remote Desktop Protocol).
- Collect data about the system’s software and hardware.
- Execute remote commands.
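One way for a defender to check a Windows host for the persistence technique described above is to enumerate the Print Processors registered for the Print Spooler and compare them against the stock winprint entry. The following PowerShell is an added example, not code from the original article; it assumes the standard registry location under the Environments key, the prtprocs folder layout, and each Environment key's 'Directory' value, none of which the article states.

```powershell
# Added defensive example (not code from the original article): audit the Print Processors
# registered with the Print Spooler, the persistence location PipeMon is described as using.
# Assumptions: the default Windows print processor is 'winprint' (winprint.dll), and each
# Environment key carries a 'Directory' value naming its prtprocs subfolder (e.g. 'x64').
# Run from an elevated PowerShell session on the host being inspected.
function Get-PrintProcessorAudit {
    [CmdletBinding()]
    param()

    $envRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    $prtProcs = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

    foreach ($envKey in Get-ChildItem -Path $envRoot -ErrorAction SilentlyContinue) {
        $ppPath = Join-Path $envKey.PSPath 'Print Processors'
        if (-not (Test-Path $ppPath)) { continue }

        $subDir = (Get-ItemProperty -Path $envKey.PSPath).Directory
        foreach ($pp in Get-ChildItem -Path $ppPath) {
            $driver  = (Get-ItemProperty -Path $pp.PSPath).Driver
            $dllPath = if ($subDir) { Join-Path (Join-Path $prtProcs $subDir) $driver } else { $null }
            $exists  = $dllPath -and (Test-Path -LiteralPath $dllPath)

            $sig = $null
            if ($exists) { $sig = Get-AuthenticodeSignature -FilePath $dllPath }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Anything other than the stock winprint entry, an unsigned or non-Microsoft DLL,
            # or a DLL that is registered but missing on disk, deserves a closer look.
            $suspicious = ($pp.PSChildName -ne 'winprint') -or
                          ($driver -ne 'winprint.dll') -or
                          (-not $exists) -or
                          ($sig.Status -ne 'Valid') -or
                          ($signer -notmatch 'O=Microsoft Corporation')

            [pscustomobject]@{
                Environment = $envKey.PSChildName
                Name        = $pp.PSChildName
                Driver      = $driver
                Path        = $dllPath
                OnDisk      = [bool]$exists
                Signature   = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                Signer      = $signer
                Suspicious  = [bool]$suspicious
            }
        }
    }
}

# Example usage: list only the entries that need review.
Get-PrintProcessorAudit | Where-Object Suspicious | Format-Table -AutoSize
```

On a clean host the audit should return only the winprint entry per environment with a valid Microsoft signature; compare any additional entry against your software inventory before treating it as malicious, since legitimate printer drivers can also register print processors.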
The Winnti Group is a very persistent organization, and we are likely to continue seeing its campaigns in the future. It is likely that the Winnti Group will continue deploying the PipeMon backdoor Trojan in its operations.