An adjunct to the ShadowHammer campaign has been uncovered in which video games were implanted with malware in much the same way as ASUS computers had been. Kaspersky Lab's GReAT team publicly disclosed ShadowHammer in March, after discovering the supply chain attack in January; this time it traced a case from the creator of a failed video game to malicious code that worked its way into a far more popular and well-received title. "In our search for similar malware, we came across other digitally signed binaries from three other vendors in Asia," Kaspersky said.

The trail seemingly began in 2012, when the zombie apocalypse game The War Z was released on the Steam Store by OP Productions. In April 2013 the game's servers were compromised, and Kaspersky theorizes that its code, containing the malware, was released to the public at a later date and likely picked up by other game makers looking for a head start on developing their own zombie game. One such company may have been the Thailand-based Innovative Extremist Co. LTD, which is partnered with another Thai company, Electronics Extreme Company Limited. The former apparently began work on a game that was then picked up by Electronics Extreme, which released a title called Infestation: Survivor Stories; Kaspersky said it was panned so badly that it was taken offline in December 2016. "Notably, the certificate from Innovative Extremist that was used to sign Infestation is currently revoked," Kaspersky said.

After this debacle ran its course, several executable files in the popular title PointBlank, from the South Korean game developer Zepetto Co., were found to carry the malware. "All these cases involve digitally signed binaries from three vendors based in three different Asian countries. They are signed with different certificates and a unique chain of trust. What is common to these cases is the way the binaries were trojanized," the report said.

While the code injection into the games is similar to the ASUS case, done by modifying commonly used functions such as those of the C runtime, the actual implementation is quite different. Where the attackers originally tampered with a 2015 ASUS binary and injected code into it, in the games the malicious code appears to have been compiled neatly into the program, and in most cases it sits at the very beginning of the code section, as if it had been added before the legitimate code. "This indicates that the attackers either had access to the source code of the victim's projects or injected malware on the premises of the breached companies at the time of project compilation," Kaspersky found.

The malware does a series of checks before proceeding.
Once the backdoor runs, it checks whether any unwanted processes are running and whether the system's language ID is Chinese or Russian; if either is true, it does not execute. If the device passes these checks, a great deal of information about it is gathered, including the network adapter MAC address, system username, system hostname and IP address, and Windows version. All of this is sent to the command-and-control server, and the malware then waits for a signal before executing further.

Kaspersky noted that supply chain attacks are nothing unusual, and that digital certificates should still be trusted, but that some additional steps need to be taken. "We definitely need to investigate all strange or anomalous behavior, even by trusted and signed applications. Software vendors should introduce another line in their software building conveyor that additionally checks their software for potential malware injections even after the code is digitally signed," Kaspersky said.

Michael Thelander, director of product marketing at Venafi, agreed, adding, "This weaponization of code signing is direct evidence that machine identities are a beach-head for cyber criminals. The only way to protect against these kinds of attacks is for every software development organization to make sure they are properly protected."
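One concrete form of the post-signing check Kaspersky recommends is to record a hash of every section of the unsigned build output and compare it against the signed release before it ships. Authenticode signing appends a certificate table and updates header fields, but it does not alter the raw bytes of a section, so any difference in a section hash (in the ShadowHammer game cases, the code section) means something was added after the build. The script below is an added example written for this article, not code from Kaspersky, SC Media or any of the vendors named; it assumes the binaries are Windows PE files and builds tiny constructed PE-shaped byte strings as fixtures rather than using real game executables.

```python
"""Post-signing integrity check for a PE build artifact.

Added example (not Kaspersky's or the vendors' code).  Per-section SHA-256
hashes are taken from the unsigned build output and re-checked on the signed
release: signing changes headers and appends a certificate table, never the
section bytes themselves.  The PE images produced by build_minimal_pe() are
constructed test fixtures and are not loadable executables.
"""
import hashlib
import struct

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_sections(pe: bytes) -> dict:
    """Return {section name: raw section bytes} from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    size_opt, = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + size_opt
    sections = {}
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)
        sections[name] = pe[ptr_raw:ptr_raw + size_raw]
    return sections


def section_manifest(pe: bytes) -> dict:
    """Record SHA-256 of each section. Run this on the unsigned linker output."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in parse_sections(pe).items()}


def verify_signed_build(manifest: dict, signed_pe: bytes) -> list:
    """Compare the signed release against the pre-signing manifest.

    Returns a list of findings; an empty list means no section changed.
    """
    findings = []
    signed = parse_sections(signed_pe)
    for name, expected in manifest.items():
        if name not in signed:
            findings.append(f"section {name} missing from signed binary")
            continue
        actual = hashlib.sha256(signed[name]).hexdigest()
        if actual != expected:
            findings.append(f"section {name} content changed after build "
                            f"(expected {expected[:12]}..., got {actual[:12]}...)")
    for name in signed:
        if name not in manifest:
            findings.append(f"unexpected new section {name} in signed binary")
    return findings


def build_minimal_pe(sections: dict, trailer: bytes = b"") -> bytes:
    """Construct a minimal PE-shaped byte string for testing (not loadable).

    `trailer` stands in for data appended outside the section table, which is
    where an Authenticode certificate table lives.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    header_end = e_lfanew + 4 + COFF_HEADER_SIZE + len(sections) * SECTION_HEADER_SIZE
    headers, body = [], b""
    for name, data in sections.items():
        ptr = header_end + len(body)
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode(), len(data),
                                   0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020))
        body += data
    return dos + b"PE\0\0" + coff + b"".join(headers) + body + trailer


if __name__ == "__main__":
    # Constructed fixtures: a "clean" build, the same build with a fake
    # certificate table appended, and a build whose code section gained bytes
    # at its very start, the placement Kaspersky describes for the games.
    text, data = b"\x55\x8b\xec\x83\xec\x10" * 4, b"hello\0"
    manifest = section_manifest(build_minimal_pe({".text": text, ".data": data}))
    signed = build_minimal_pe({".text": text, ".data": data}, trailer=b"\0" * 64)
    tampered = build_minimal_pe({".text": b"\xe8\0\0\0\0" + text, ".data": data},
                                trailer=b"\0" * 64)
    print("signed   :", verify_signed_build(manifest, signed) or "OK")
    print("tampered :", verify_signed_build(manifest, tampered))
```

In a pipeline, `section_manifest` runs on the linker output and its result is stored with the build record; `verify_signed_build` runs on the artifact returned from the signing step, and a non-empty result blocks release. The caveat is that this only catches code added between build and signing. Where, as Kaspersky describes, the attacker had the source or injected at compile time on the breached company's premises, the manifest itself is already poisoned, and only an independent rebuild (reproducible builds compared against a second build host) would reveal the difference.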