ShadowHammer code found in several video games

An adjunct to the ShadowHammer campaign has been uncovered that has video games being implanted with malware in a similar manner as was done with ASUS computers.

Kaspersky Labs’ GReAT team previously disclosed ShadowHammer in March, after discovering the supply chain attack in January, but this time it tracked a case from the creator of a failed video game to the malicious code working its way into a much more popular and well-received title.

“In our search for similar malware, we came across other digitally signed binaries from three other vendors in Asia,” Kaspersky said.

The trail seemingly began in 2012 when the game zombie apocalypse game The War Z was released to the Steam Store by OP Productions. In April 2013 the game’s servers were compromised and Kaspersky theorizes its code, containing the malware, was then released to the public at a later date and likely picked up by other game makers to give them a head start developing their own zombie game.

One such company may have been the Thailand-based Innovative Extremist Co. LTD, which is partnered with another Thai company, Electronics Extreme Company Limited. The former company apparently began to work on a game and that work was then picked up by Electronics Extreme which released a game entitled Infestation: Survivor Stories that Kaspersky said was panned so badly it was taken offline in December 2016.

“Notably, the certificate from Innovative Extremist that was used to sign Infestation is currently revoked,” Kaspersky said.

After this debacle ran its course the South Korean game developer Zepetto Co. managed to place several executable files, and the malware, into its popular title PointBlank.

“All these cases involve digitally signed binaries from three vendors based in three different Asian countries. They are signed with different certificates and a unique chain of trust. What is common to these cases is the way the binaries were trojanized,” the report said.

While the code injection taking place into the games is similar to ASUS’, basically through modification of commonly used functions such as C runtime, the actual implementation is quite different. Where the attackers originally tampered with an ASUS binary from 2015 and injected code, with the games the malicious code seems to have been neatly compiled into the program, and in most cases starts at the beginning of the code section as if it had been added even before the legitimate code.

“This indicates that the attackers either had access to the source code of the victim’s projects or injected malware on the premises of the breached companies at the time of project compilation,” Kaspersky found.

The malware does do a series of checks before proceeding. After using the backdoor it checks if any unwanted processes are running, along with if the computer ID is Chinese or Russia, and if so does not execute. If the device passes the checks a great deal of the computer’s information is gathered including network adapter MAC address, system username, system hostname and IP address and Windows version.

This is all sent to the command and control server and then the malware waits for a signal to execute.

Kaspersky noted that supply chain attacks are not unusual nor should digital certs not be trusted, but some additional steps need to be taken.

“We definitely need to investigate all strange or anomalous behavior, even by trusted and signed applications. Software vendors should introduce another line in their software building conveyor that additionally checks their software for potential malware injections even after the code is digitally signed,” Kaspersky said.

Michael Thelander, director of product marketing at Venafi, agreed, adding, “This weaponization of code signing is direct evidence that machine identities are a beach-head for cyber criminals. The only way to protect against these kinds of attacks is for every software development organizations to make sure they are properly protected."