Woburn, MA – April 11,
Today Kaspersky Lab’s team of experts published a detailed research report that analyzes a sustained cyberespionage campaign conducted by the cybercriminal organization known as “Winnti.”

According to Kaspersky Lab’s report, the Winnti group has been attacking companies in the online gaming industry since 2009 and is still active. The group’s objectives are the theft of digital certificates signed by legitimate software vendors and the theft of intellectual property, including the source code of online game projects.
The first incident that drew attention to the Winnti group’s malicious activities occurred in the autumn of 2011, when a malicious Trojan was detected on a large number of end-user computers across the globe. The clear link between all of the infected computers was that they were used to play a popular online game. Shortly after the incident, details emerged that the malicious program which had infected the users’ computers was part of a regular update from the gaming company’s official server. Infected users and members of the gaming community suspected the computer game publisher was installing the malware to spy on its customers. However, it later became clear that the malicious program had been installed on the players’ computers by accident, and that the cybercriminals were actually targeting the computer game company itself.
In response, the computer game publisher that owned the servers which spread the Trojan to its users asked Kaspersky Lab to analyze the malicious program. The Trojan turned out to be a DLL library compiled for a 64-bit Windows environment that used a properly signed malicious driver. It was a fully functional Remote Administration Tool (RAT), which gives attackers the ability to control a victim’s computer without the user’s knowledge. The finding was significant, as this Trojan was the first malicious program for a 64-bit version of Microsoft Windows 7 that carried a valid digital signature.

Kaspersky Lab’s experts began analyzing the Winnti group’s campaign and found that more than 30 companies in the online gaming industry had been infected by the Winnti group, the majority of them software development companies producing online video games in South East Asia. However, online gaming companies located in Germany, the United States, Japan, China, Russia, Brazil, Peru, and Belarus were also identified as victims of the Winnti group.
In addition to industrial espionage, Kaspersky Lab’s experts have identified three main monetization schemes that the Winnti group could use to generate an illicit profit:
the accumulation of in-game currency, such as “runes” or “gold,” used by players, and the conversion of the accumulated virtual money into real money;
the use of source code stolen from online game servers to search for vulnerabilities inside the games, in order to augment and accelerate the manipulation and accumulation of in-game currency without arousing suspicion;
the use of source code stolen from the servers of popular online games to deploy their own pirated servers.
Currently the Winnti group is still active and Kaspersky Lab’s investigation is ongoing. The company’s team of experts has been working closely with the IT security community, the online gaming industry and certificate authorities to identify additional infected servers while assisting with the revocation of stolen digital certificates.
To read Kaspersky Lab’s research post and the full report about the Winnti group’s campaign, including a complete technical analysis of the investigation, please

Kaspersky Lab’s products detect and neutralize the malicious programs, and their variants, used by the Winnti group, classified as Backdoor.Win32.Winnti, Backdoor.Win64.Winnti, Rootkit.Win32.Winnti and Rootkit.Win64.Winnti.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2011. The rating was published in the IDC report "Worldwide Endpoint Security 2012–2016 Forecast and 2011 Vendor Shares" (IDC #235930, July 2012). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2011.
For the latest in-depth information on security threat issues and trends, please visit: