The efforts of the APT behind the ShadowHammer supply-chain attack, which abused the ASUS computer update function, turn out to be wider in scope than previously thought. Researchers have found similar digitally signed binaries that use the videogame industry as a delivery conduit. Victims include fans of the popular first-person shooter game Point Blank.
Researchers at Kaspersky Lab and ESET have spotted downloads of the affected games that have had backdoors inserted into them. The downloads are also signed with legitimate digital certificates that the adversaries managed to abuse, which allows the files to skate past antivirus and onto the desktop. So, gaming aficionados who think they’re downloading a cool first-person shooter could instead find themselves the quarry in a different kind of attack.
This is the same modus operandi seen in Operation ShadowHammer, where more than a million ASUS computer owners worldwide were infected by a backdoor that was delivered inside the legitimate ASUS Live Update Utility (an issue that is now fixed).
ESET, which did a cursory overview of the gaming attacks in March (without naming the affected games), noted that its telemetry shows victims are mostly located in Asia, with Thailand having the largest part of the pie.
“Given the popularity of the compromised application that is still being distributed by its developer, it wouldn’t be surprising if the number of victims is in the tens or hundreds of thousands,” the firm said in an initial writeup, referring to Point Blank.
Point Blank and Infestation
Kaspersky Lab released additional details on the attacks this week, linking them to the recent ASUS supply-chain offensive.
It found that several executable files for installing Point Blank have been injected with a backdoor. The files are signed with a legitimate, unrevoked certificate belonging to the South Korean company behind the game, Zepetto Co. The certificate was still unrevoked as of early April, according to Kaspersky Lab, although Zepetto seems to have stopped using it at the end of February 2019.
Another victim is a zombie survival game called Infestation: Survivor Stories (a.k.a The War Z), developed by Electronics Extreme, a gaming company from Thailand. After a 2013 compromise of its game servers, “the game source code was most probably stolen and released to the public,” researchers said. “It seems that certain videogame companies picked up this available code and started making their own versions of the game.”
As did malware developers — so far, Kaspersky Lab researchers said that they have found at least three weaponized samples of Infestation signed by unrevoked, legitimate signatures belonging to Electronics Extreme.
“We believe that a poorly maintained development environment, leaked source code, as well as vulnerable production servers were at the core of the bad luck chasing this videogame,” the researchers said.
Michael Thelander, director of product marketing at Venafi, said via email that “this weaponization of code signing is direct evidence that machine identities are a beach-head for cybercriminals.” He added, “The only way to protect against these kinds of attacks is for every software development organization to make sure they are properly protected.”
Shared Infection Path
All the videogame cases involve digitally signed binaries, and while they are signed with different certificates and a unique chain of trust for each, they share a common trojanization process, researchers said.
“The malicious code…seems to have been neatly compiled into the program, and in most cases, it starts at the beginning of the code section as if it had been added even before the legitimate code,” they said. “Even the data with the encrypted payload is stored inside this code section. This indicates that the attackers either had access to the source code of the victim’s projects or injected malware on the premises of the breached companies at the time of project compilation.”
The backdoor payload included in the compromised videogames is simple, according to Kaspersky and ESET researchers.
After making system checks (it checks for administrative privileges, and doesn’t proceed if the system language ID is Simplified Chinese or Russian, for instance), it submits system information to the C2 server with a POST request, and then sends a GET request to receive a command to execute. The backdoor is straightforward: It can download additional data or malware, or it can disable itself.
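One defender-side heuristic that follows from the researchers' observation that the encrypted payload sits inside the code section: scan a binary's code section for windows whose byte entropy is far above what compiled code normally shows. The script below is an added example, not Kaspersky's or ESET's tooling; the window size, the 7.2 bits/byte threshold and the constructed stand-in section are assumptions.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, approaching 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(section: bytes, window: int = 1024, threshold: float = 7.2):
    """Slide a fixed window across a code section and return (offset, entropy) for every
    window at or above the threshold. Native x86/x64 code typically measures well below
    7 bits/byte; encrypted or compressed data stored in the section approaches 8.0.
    Threshold and window size are assumed values, tune them against your own corpus."""
    hits = []
    for off in range(0, len(section), window):
        chunk = section[off:off + window]
        if len(chunk) < window // 2:
            break  # ignore a tiny trailing remainder, it would skew the estimate
        entropy = shannon_entropy(chunk)
        if entropy >= threshold:
            hits.append((off, round(entropy, 2)))
    return hits


def build_sample_section() -> bytes:
    """Constructed stand-in for a trojanized .text section (not a real sample):
    2 KiB of code-like bytes, a 4 KiB pseudo-random blob standing in for the
    encrypted payload, then 2 KiB more code-like bytes."""
    rng = random.Random(1)  # fixed seed so the result is reproducible
    opcodes = b"\x55\x8b\xec\x83\xc4\x08\xe8\x00\x00\x00\x00\xc3\x90\x48\x89\x5c\x24"
    code_like = lambda n: bytes(rng.choice(opcodes) for _ in range(n))
    return code_like(2048) + rng.randbytes(4096) + code_like(2048)


if __name__ == "__main__":
    for off, ent in high_entropy_windows(build_sample_section()):
        print(f"offset 0x{off:06x}: {ent} bits/byte")
```

On a real file, extract the `.text` section bytes with the `pefile` library (`section.get_data()`) and pass them to `high_entropy_windows`; a hit near offset 0 matches the pattern the researchers describe, where the injected code and its encrypted data precede the legitimate code.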
Connections to ShadowHammer, ASUS
Kaspersky Lab researchers noted the technical similarities between the gaming attacks and the ASUS incident – suggesting that the same threat group is behind all of them.
“Although the ASUS case and the videogame industry cases contain certain differences, they are very similar,” according to Kaspersky. “For instance, the algorithm used to calculate API function hashes (in trojanized games) resembles the one used in the back-doored ASUS Updater tool.”
Also, like the ASUS case, the code injection happened through a modification of commonly used functions such as CRT (C runtime), according to the team.
“Besides that, our behavior engine identified that ASUS and other related samples are some of the only cases where the IPHLPAPI.dll was used from within a shellcode embedded into a PE file,” according to Kaspersky Lab.
Kaspersky Lab previously said that the BARIUM advanced persistent threat (APT) group is behind the ASUS effort, and now appears to also be responsible for the gaming targets. BARIUM, a Chinese state player that also goes by APT17, Axiom and Deputy Dog, was previously linked to the ShadowPad and CCleaner incidents, which were also supply-chain attacks that used software updates to sneak onto machines.
In the 2017 ShadowPad attack, the update mechanism for Korean server management software provider NetSarang was compromised to serve up an eponymous backdoor. In the next incident, also in 2017, software updates for the legitimate computer cleanup tool CCleaner were found to have been compromised by hackers to taint them with the same ShadowPad backdoor.
ESET noted that the motivation behind the attacks remains murky. Targeting gamers wouldn’t seem to be the typical work of an APT. “Is it simply financial gain? Are there any reasons why the … affected products are from Asian developers and for the Asian market? Do these attackers use a botnet as part of a larger espionage operation?”
Regardless, the gaming targets highlight a growing issue within the software development supply chain.
“So, was it a developer from a videogame company that installed the trojanized version of the development software, or did the attackers deploy the trojan code after compromising the developer’s machine?” Kaspersky Lab researchers said. “This currently remains unknown. While we could not identify how the attackers managed to replace key files in the integrated development environment, this should serve as a wakeup call to all software developers.”
“No one should be surprised at how extensive this attack is,” Venafi’s Thelander added. “Due to their extensive reach, bad actors target code-signing certificates in broad, deliberate campaigns and leverage them in large, multi-stage attacks.”