• About
  • Advertise
  • Careers
  • Contact
Friday, March 24, 2023
No Result
View All Result
NEWSLETTER
Cyber360 News
  • Home
  • Security
  • Data Breach
  • Cyber Attacks
  • Cyber Security
  • Cyber Crime
  • Contact Us
  • Home
  • Security
  • Data Breach
  • Cyber Attacks
  • Cyber Security
  • Cyber Crime
  • Contact Us
No Result
View All Result
Cyber360 News
No Result
View All Result
Home Security

China-linked Winnti APT targets South Korean Gaming firm

by Cyber360 News
April 22, 2020
in Security
0
China-linked Winnti APT targets South Korean Gaming firm
0
SHARES
4
VIEWS
Share on FacebookShare on Twitter

China-linked Winnti cyberespionage group targets South Korean video gaming company Gravity, QuoIntelligence (QuoINT) firm reported.

Security experts from QuoIntelligence (QuoINT) firm reported that China-linked Winnti cyberespionage group targets South Korean video gaming company Gravity.

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including  Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, Group 72, Blackfly, and APT41, and ShadowPad.

The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

Now Winnti cyberspies have targeted South Korean video gaming company Gravity, which is known for the development of the popular multiplayer online role-playing game (MMORPG) Ragnarok Online.

“Based on previous knowledge and targeting of the Winnti Group, we assess that this sample was likely used to target Gravity Co., Ltd., a South Korean video game company.” reads the report published by QuoIntelligence. “The company is known for its Massive Multiplayer Online Role Playing Game (MMORPG) Ragnarok Online, which is also offered as a mobile application. As we have also reported in the past, the video game industry is one of the preferred targets of the Winnti Group, especially for those companies operating in South Korea and Taiwan.”

The malware sample employed in the attack resembled a Winnti dropper previously analyzed by ESET researcher that was submitted to a public online malware scanning service. The analysis of the configuration file of malware allowed the identification of the intended target.

ESET researchers reported multiple Winnti Group campaigns targeting the gaming industry, one of the C2 servers involved in a campaign tracked as ID GRA KR 0629 was also involved in the attack uncovered by QuoINT.

Anyway the report published by QuoINT doesn’t include further evidence to support the link between the two campaigns.

QuoINT also reported another attack carried out by the Winnti Group against a chemical company in Germany in January 2020.

The piece of malware employed in the attack was developed in 2015, it was the same used in the attack against Gravity that had the target’s name embedded in the code.

“Although the malware was likely used years ago, further analysis revealed a previously unreported C2 technique never attributed to any Winnti Group’s toolkits.” continues the report.

“The technique relies on a DNS Tunneling communication channel through a custom implementation of the iodine source code, an open-source software that enables the tunneling of IPv4 data through a DNS server. Additionally, we uncovered a previously unknown stolen digital certificate being used to digitally sign Winnti-related attack components, and the targeting of a previously-unreported South Korean video game company.”

In the attack on the German company, the malware run the dsefix.exe executable to bypass driver verification and install its own drivers. a vulnerable VirtualBox driver, and rootkit drivers. Experts pointed out that this technique doesn’t work on modern Windows (e.g. Windows 10), a circumstance that suggests that the malicious code was developed and used several years ago. Experts also highlighted the use of DNS tunneling for C2 communication.

“The Winnti Group has exhibited their ability to breach different organizations and conduct sophisticated attack operations, typically motivated by espionage and financial gain, with various TTPs and malware toolkits.” QuoINT concludes. “While attribution is not concrete due to the complexity of the group, there are links that can be drawn between operations which suggest the threat actors purporting the attacks are likely operating within the Winnti Group, or at least sharing resources,”

Pierluigi Paganini

(SecurityAffairs – Winnti, hacking)



Share On


Cyber360 News

Cyber360 News

Next Post
Kinomap did not respond to researchers whatsoever and left the database exposed to public access.

Kinomap did not respond to researchers whatsoever and left the database exposed to public access.

Recent Posts

Twitch’s Entire Critical Data Leaked, Includes Streamer Earnings, Source Code

Twitch’s Entire Critical Data Leaked, Includes Streamer Earnings, Source Code

October 6, 2021
Former U.S. Security Firm Helped The UAE Carry Out “Karma” iMessage Hack: MIT Tech Review

Former U.S. Security Firm Helped The UAE Carry Out “Karma” iMessage Hack: MIT Tech Review

October 1, 2021
Facing “This App Has Been Blocked For Your Protection” Issue? Here’s How You Can Fix It

Facing “This App Has Been Blocked For Your Protection” Issue? Here’s How You Can Fix It

October 1, 2021

Whats New in Kali Linux?

September 14, 2021

Kali Linux 2019.3 Release (CloudFlare, Kali-status, metapackages, Helper-Scripts & LXD)

September 14, 2021

Kali Linux 2021.3 Release (OpenSSL, Kali-Tools, Kali Live VM Support, Kali NetHunter Smartwatch)

September 14, 2021

Kali Linux 2018.4 Release

September 14, 2021

Kali Linux 1.0.5 and Software Defined Radio

September 14, 2021

Kali Tools Website Launched, 1.0.9 Release

September 14, 2021

Kali Linux Dojo at Black Hat Vegas 2016

September 14, 2021

Category

Site Links

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

About Us

We bring you the best Premium WordPress Themes that perfect for news, magazine, personal blog, etc. Check our landing page for details.

© 2019 Cyber360 News - Powered by WebSensePro

No Result
View All Result
  • Home
  • Security
  • Data Breach
  • Cyber Attacks
  • Cyber Security
  • Cyber Crime
  • Contact Us

© 2019 Cyber360 News - Powered by WebSensePro

Login to your account below

Forgotten Password?

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In