New PipeMon malware uses Windows Print Processors to persist.

Video game companies have once again fallen victim to the hacker group Winnti, which used new malware identified by PipeMon researchers and a new method of persistence.

PipeMon is a modular backdoor that was identified earlier this year on the servers of several massively multiplayer online (MMO) game developers.

Catching up on past performance

Vinanti’s activity was already discovered in 2011. The majority of the victims come from the video game and software industry, but the group has also made contact with organisations in the health and education sectors.

The threat player is known for its attacks on supply chains, Trojan horses used by millions of users (Asus LiveUpdate, CCleaner) or the financial sector (NetSarang).

In February, researchers from the cyber security company ESET discovered a new backdoor with regard to Winnti. Two variants of this malware have been discovered on the servers of many massively multiplayer online game (MMO) developers in South Korea and Taiwan.

The security company is aware of at least one case in which the perpetrator of the threat may have endangered the victim’s building system. If implemented successfully, Winnti could have introduced malware into the video game’s executable file.

In another case, game servers have been compromised, allowing attackers to manipulate in-game currency for financial gain – ESET.

In its report today, ESET reports that a pile of evidence found in these attacks points directly to Vinnie. Despite the novelty of PipeMon, the back door was signed with a certificate from a video game company that was attacked by a threatening player in 2018.

New PipeMon malware uses Windows Print Processors to persist.

That’s not all. The hackers reused some of the command and control (C2) zones observed in other campaigns, as well as the theft of user IDs previously observed in other Winnti victims.

Staying active in the system

Of the two variants of PipeMon that were discovered, the researchers could only install one when it was installed and became stable.

The first step of PipeMon consists of a password protected RARSFX executable file embedded in the .rsrc section of the boot installation – ESET.

To ensure that the malware remains active on the systems, Winnti has used Windows print processors (DLLs) that convert the data in a print job into a format that can be read by the print monitor.

The malicious DLL downloader is located where the print processors are and registers as an alternative print processor. This is done by changing one of the two registry values (a typing error in the registry key does not affect the installation) :

HKLMSYSTEMControlSet001ControlPrintEnvironmentsWindows x64Print ProcessorsPrintFiiterPipelineSvcDriver = DEment.dll

HKLMSYSTEMCurrentControlSetControlEnvironmentsWindows x64Print Processorslltdsvc1Driver = EntAppsvc.dll

The malware then restarts the print pooler service to download the malicious process. Since the service starts every time the computer is turned on, consistency is ensured.

ESET notes that a similar technique has been observed in the DePriMon bootloader, but traders believe that the way PipeMon works is not yet documented.

Research has shown that PipeMon is a modular rear door where each part is a DLL with a different functionality.

They are encoded on the disk and hidden under the innocent names below. The user commands can load other modules if necessary.

  • banner.bmp
  • Certificate.certificate
  • .hwp license
  • JSONDIU7c9djE
  • B0SDFUWEkNCj.logN

ESET notes that the updated version of PipeMon was probably rewritten from scratch, although they followed the same code structure.

Over the past ten years, Winnti has expanded its arsenal of malicious resources and carried out attacks on various targets. His passion for gaming companies and supply chain attacks is also reflected in his recent activities.