
PipeMon

Posted: May 22, 2020

APT41, also known as the Winnti Group, is a cybercrime organization that has been active since 2011, and over those nine years it has executed devastating attacks against major names in the software and game development industry. The group often relies on trojanized versions of legitimate software, and one of its signature pieces of malware is the Winnti backdoor, from which the group takes its name.

Recently, the Winnti Group engaged in yet another attack against video game companies – this time, the targets were Taiwanese and South Korean companies developing Massively Multiplayer Online (MMO) games played by hundreds of thousands of people. This attack had a unique touch to it – the Winnti hackers introduced a new piece of malware that security vendors track under the name PipeMon. PipeMon is a Trojan backdoor that enables its operators to execute a wide range of tasks on the compromised system and to spread laterally through the infected network.

Winnti Hackers Back Attacking Game Development Companies

The PipeMon attacks appeared to serve different purposes. In one campaign, the hackers gained illicit access to the company's game server, which allowed them to manipulate the game's economy, currency prices and market; this might have let them generate enormous amounts of in-game currency that could then be traded for real money. In another attack, the PipeMon backdoor was planted on a server used to create the build executables for game updates – this may have allowed the Winnti hackers to carry out a supply-chain attack by injecting corrupted code into the game's update files. However, there is still no confirmation that such an attack was executed successfully.

PipeMon uses a very curious mechanism to gain persistence – it registers its code as a 'Print Processor.' This is a legitimate Windows component that is loaded whenever the 'Print Spooler' service starts, so the backdoor is re-launched on every boot. Once running, the PipeMon backdoor connects to its Command and Control server and waits for further instructions. The implant is able to fetch hardware and software information about the compromised system, list files, execute remote commands, and collect RDP (Remote Desktop Protocol) information and credentials.
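Because print processors are registered in the registry and loaded from a fixed spooler directory, a defender can audit them directly. The script below is an added example written for this article (not code from the original post or from any vendor report): it enumerates every registered print processor, resolves the DLL the spooler will load, and flags any that is missing, lives outside the spooler's prtprocs directory, or is not validly signed by Microsoft. It assumes the standard spooler registry layout (one 'Environments' subkey per platform, each with a 'Directory' value and a 'Print Processors' subkey whose entries carry a 'Driver' value) and an elevated PowerShell session.

```powershell
# Audit registered Windows print processors for suspicious entries.
# Added example for this article; assumes an elevated session and the
# standard spooler registry layout described in the lead-in.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$prtprocs = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

$findings = foreach ($environment in Get-ChildItem -Path $base) {
    # Each environment (e.g. "Windows x64") names its own DLL subdirectory.
    $subdir  = (Get-ItemProperty -Path $environment.PSPath).Directory
    $procKey = Join-Path $environment.PSPath 'Print Processors'
    if (-not (Test-Path -Path $procKey)) { continue }

    foreach ($proc in Get-ChildItem -Path $procKey) {
        $driver = (Get-ItemProperty -Path $proc.PSPath -ErrorAction SilentlyContinue).Driver
        $path   = if ($driver) { Join-Path (Join-Path $prtprocs $subdir) $driver } else { $null }
        $reasons = @()

        if (-not $driver) {
            $reasons += 'no Driver value'
        } elseif (-not (Test-Path -Path $path)) {
            $reasons += 'DLL not found on disk'
        } else {
            # A legitimate print processor DLL is expected to be Microsoft-signed;
            # the only one shipped by default is winprint.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += "signed by $($sig.SignerCertificate.Subject)"
            }
            if ($proc.PSChildName -ne 'winprint') {
                $reasons += 'non-default print processor name'
            }
        }

        [pscustomobject]@{
            Environment = $environment.PSChildName
            Name        = $proc.PSChildName
            Dll         = $path
            Suspicious  = ($reasons.Count -gt 0)
            Reasons     = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Review print processor '$($_.Name)' ($($_.Environment)): $($_.Reasons)"
}
```

Any flagged entry should be compared against the host's build baseline before removal, since some third-party printer drivers legitimately register their own print processor.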
