lab52

The threat intelligence division of S2 Grupo
Winnti Group: Geostrategic and TTP (Tactics, Techniques and Procedures)

May 16, 2019

Executive Summary

China is one of the world powers with the greatest presence in the international gaming market, controlling the Southeast Asian market and even more than half of the global gaming market.

Winnti Group is currently considered to be an APT group allegedly attributed to the government of China ([1]). Among its various targets, it specializes in designing and executing cyber-espionage operations against companies in the gaming sector in order to collect classified information on game design.

Geostrategic analysis of China and Winnti Group’s cyber attacks on Thailand’s gaming industry:

The increase in cyber-attacks within Southeast Asian countries correlates with the progressive shift of global Gross Domestic Product (GDP) towards that same area. The forecast for the evolution of the global economy is reflected in the GDP percentage estimates shown below ([2]):

Illustration 1 The Global Economy’s shifting centre of gravity.

Illustration 2 Forecast of the center of gravity movement of the global economy

As the percentages on the map show, the global distribution of GDP will become concentrated in the countries of Southeast Asia. In this same area, industry and the service sector will grow considerably by 2045. Innovations within the IT sector are, and will continue to be, highly confidential information for those companies and states that maintain an interest in economic control over Southeast Asia ([3]).

The gaming sector has acquired high relevance within the international market, and the countries of Southeast Asia have become significant in its design and subsequent production ([4]). As the following graph shows, the profitability of the global gaming market has grown remarkably, with a clear forecast of further growth:

Illustration 3 The Global Gaming Market

Within this constant growth, the mobile gaming subsector is growing especially fast compared to PC and console gaming.

The following graph shows the revenue generated by global region:

Illustration 4 Distribution of the gaming market

The Asia-Pacific region has generated up to $71.4 billion, more than half of it by China ($37 Bn), surpassing the annual profits of the US within the gaming sector ([5]). In Southeast Asia, China controls 64% of gaming-related sales. Its main regional competitors are Japan and South Korea.

The Chinese government, supposedly with the intention of maintaining its growth and control within the international gaming market, has been attributed links to the activity of the APT Winnti Group. One of this group's main objectives is to collect classified information from the game designers of organizations in the gaming sector ([6]).

ESET has published an investigation into a Winnti Group campaign in which the Thai developer Electronics Extreme was attacked and could have distributed infected versions of its product called “Infestation Gameplay”. As the following graph shows, the highest percentage of infected products was distributed in Thailand. The percentages published by ESET are as follows ([1]):

Illustration 4 Countries most infected by the Winnti Group campaign

The graph above shows a high percentage of Winnti Group attacks against companies in the Thai gaming sector ([1]). One of the most distinctive characteristics of the gaming sector in Thailand is that its companies are not global or large multinationals; the vast majority are SMEs with Thai capital. However, these same companies usually work with international organizations such as Nintendo or Xbox, among others. Another high-value feature of the Thai gaming market is its companies focused on the behavioral study of videogame consumers, such as Asiasoft. The Thai gaming industry may therefore be of high interest to a state in terms of cyber espionage, since its collaboration with large international companies and its research on gaming consumers could be of high value to the international gaming industry ([7]).

Conclusions

As this research shows, almost every sector is a relevant target for a threat group. The globalized market interconnects all the companies of a given field, which means that, day by day, the targets of threat groups become more extensive and more specialized. At first glance the gaming sector might look insignificant within the worldwide economy; however, as analyzed here, there is an APT specialized in it. We conclude that all sectors are relevant in the current globalized economy and are consequently potential targets for some APT.

Another relevant conclusion of this research is the strategy applied by Winnti Group to compromise as many organizations as possible. The campaign targeted an important organization in the gaming supply chain in order to reach a high number of victims, since that organization massively distributed the infected product. National and international suppliers are therefore an important target for many APTs.

Indicators of Compromise

Samples of compromised files ([1]):

SHA-1 | Compile Time (UTC) | RC4 Key | Payload SHA-1
--- | --- | --- | ---
7cf41b1acfb05064518a2ad9e4c16fde9185cd4b | Tue Nov 13 10:12:58 2018 | 1729131071 | 8272c1f4
7f73def251fcc34cbd6f5ac61822913479124a2a | Wed Nov 14 03:50:18 2018 | 19317120 | 44260a1d
dac0bd8972f23c9b5f7f8f06c5d629eac7926269 | Tue Nov 27 03:05:16 2018 | 1729131071 | 8272c1f4

Payload samples:

SHA-1 | C&C Server URL
--- | ---
a045939f53c5ad2c0f7368b082aa7b0bd7b116da | https://bugcheck.xigncodeservice[.]com/Common/Lib/Common_bsod.php
a260dcf193e747cee49ae83568eea6c04bf93cb3 | https://bugcheck.xigncodeservice[.]com/Common/Lib/Common_Include.php
dde82093decde6371eb852a5e9a1aa4acf3b56ba | https://bugcheck.xigncodeservice[.]com/Common/Lib/common.php
8272c1f41f7c223316c0d78bd3bd5744e25c2e9f | https://nw.infestexe[.]com/version/last.ph
44260a1dfd92922a621124640015160e621f32d5 | https://dump.gxxservice[.]com/common/up/up_base.php

Dropper downloaded from: api.goallbandungtravel[.]com.
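As an added example (not part of the original report or of ESET's tooling), a small Python hunting helper that refangs the indicators listed above, matches proxy CONNECT log lines against the C&C hostnames, and compares a file's hash against the compromised-file SHA-1s. The log format and the log lines are constructed for illustration; only one URL per C&C host is carried over from the tables.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the tables above (one URL per distinct C&C host).
SAMPLE_SHA1 = {
    "7cf41b1acfb05064518a2ad9e4c16fde9185cd4b",
    "7f73def251fcc34cbd6f5ac61822913479124a2a",
    "dac0bd8972f23c9b5f7f8f06c5d629eac7926269",
}
DEFANGED_C2 = [
    "https://bugcheck.xigncodeservice[.]com/Common/Lib/Common_bsod.php",
    "https://nw.infestexe[.]com/version/last.ph",
    "https://dump.gxxservice[.]com/common/up/up_base.php",
    "api.goallbandungtravel[.]com",
]

def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in published IoC lists."""
    return indicator.replace("[.]", ".")

def c2_hosts(defanged):
    """Reduce each indicator to its lower-cased hostname; bare hostnames pass through."""
    hosts = set()
    for ind in map(refang, defanged):
        parsed = urlparse(ind if "://" in ind else "//" + ind)
        hosts.add(parsed.hostname.lower())
    return hosts

# Constructed proxy access-log format: <epoch> <client> CONNECT <host>:<port>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) CONNECT (?P<host>[^:\s/]+)")
SAMPLE_LOG = """\
1542100000.123 10.0.0.17 CONNECT bugcheck.xigncodeservice.com:443
1542100001.456 10.0.0.23 CONNECT update.example-vendor.invalid:443
1542100002.789 10.0.0.17 CONNECT API.GOALLBANDUNGTRAVEL.COM:443
"""

def match_log(log_text, hosts):
    """Return (client, host) pairs for lines whose destination is a known C&C host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("host").lower() in hosts:
            hits.append((m.group("src"), m.group("host").lower()))
    return hits

def sha1_is_known_sample(data: bytes) -> bool:
    """Compare a file's SHA-1 with the compromised-file hashes in the table above."""
    return hashlib.sha1(data).hexdigest() in SAMPLE_SHA1
```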

ID | Description
--- | ---
T1195 | Supply Chain Compromise
T1050 | New Service
T1022 | Data Encrypted
T1079 | Multilayer Encryption
T1032 | Standard Cryptographic Protocol (RC4, RC5)
T1043 | Commonly Used Port (80, 443)
T1009 | Binary Padding

MITRE ATT&CK Matrix

The following table lists the TTPs associated with this group according to the MITRE ATT&CK framework:

Domain | ID | Name | Description
--- | --- | --- | ---
Enterprise | T1195 | Supply Chain Compromise | Winnti has compromised software provider companies
Enterprise | T1085 | Rundll32 | Winnti modifies Windows DLL files for persistence
Enterprise | T1050 | New Service | Winnti creates a new service that runs in the background
Enterprise | T1060 | Registry Run Keys / Startup Folder | Winnti modifies the Windows Registry to check whether it should stop
Enterprise | T1102 | Web Service | Winnti contacts its C&C
Enterprise | T1140 | Deobfuscate / Decode Files or Information | Winnti sends obfuscated information
Enterprise | T1012 | Query Registry | Winnti modifies Windows DLL files for persistence
Enterprise | T1024 | Custom Cryptographic Protocol | Winnti communicates with the C&C using base64-encoded data
Enterprise | T1001 | Data Obfuscation | Winnti uses cryptographic protocols (RC4, RC5)
Enterprise | T1219 | Remote Access Tools | Winnti installs a backdoor that communicates with the C&C to download executable code

References:

[1] Léveillé, M. E. (2019, 11 March). Gaming industry still in the scope of attackers in Asia. https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/

[2] Barnabás, C. S. A. B. A. (2017). China’s Rise and the Geopolitics of Southeast Asia. Distant Magazine.

[3] BBVA. (2014). The BBVA Research Geo World Report A Visual Guide to Geopolitical Affairs. https://www.bbvaresearch.com/wp-content/uploads/2014/12/Geo-World-Report-2H-2014.pdf

[4] Newzoo. (2018). Mobile Revenues Account for More Than 50% of the Global Games Market as It Reaches $137.9 Billion in 2018. https://newzoo.com/insights/articles/global-games-market-reaches-137-9-billion-in-2018-mobile-games-take-half/

[5] Global Game Services. (2017, 1 January). Asia Game Markets | LAI Global Game Services. Retrieved from https://www.lai.com/en/asia-game-markets

[6] Kaspersky Lab Global Research and Analysis Team. (2013). Winnti. Retrieved from https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf

[7] Fung, A. (2016). Global Game Industries and Cultural Policy (3rd edit.). Hong Kong.

Dex
