{"id":340,"date":"2019-05-16T17:08:00","date_gmt":"2019-05-16T15:08:00","guid":{"rendered":"https:\/\/lab52.es\/blog\/?p=340"},"modified":"2019-09-24T09:04:22","modified_gmt":"2019-09-24T07:04:22","slug":"winnti-group-geostrategic-analysis-and-ttp","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/winnti-group-geostrategic-analysis-and-ttp\/","title":{"rendered":"Winnti Group: Geostrategic and TTP (Tactics, Techniques and Procedures)"},"content":{"rendered":"\n

Executive Summary<\/strong><\/h2>\n\n\n\n

China is one of the world powers with more presence within the international market of the gaming sector, controlling the Southeast Asian market and even more than half of the global market of the Gaming sector. <\/p>\n\n\n\n

Winnti Group is currently considered to be an APT group allegedly attributed to the government of China ([1]). Among its various targets, it specializes in designing and executing cyber-espionage operations for companies in the Gaming sector in order to collect classified information on Game Design.<\/p>\n\n\n\n

Geostrategic analysis of China and Winnti Group’s cyber attacks on Thailand’s gaming industry:<\/strong><\/h2>\n\n\n\n

The increase in cyber-attacks within Southeast Asian countries is correlating with the progressive shift in the accumulation of the Gross Domestic Product towards the same area of Southeast Asia. The forecast on the evolution of the global economy can be seen reflected in the estimates of the percentages of GDP (Gross Domestic Product) or GDP (Gross Domestic Product) shown below ([2]):<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 1 The Global Economy\u2019s shifting centre of gravity. <\/em><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 2 Forecast of the center of gravity movement of the global economy<\/em><\/p>\n\n\n\n

As the percentages on the map show, the evolution of the global distribution of GDP will be concentrated in the countries of Southeast Asia. In this same area, industry and the service sector will increase considerably by 2045. Innovations within the IT sector are and will continue to be highly confidential information for those companies and States that maintain an interest in economic control over the Southeast Asian area ([3]).<\/p>\n\n\n\n

The “gaming” sector has acquired a high relevance within the\ninternational market. The countries of Southeast Asia have acquired significant\nrelevance in relation to their design and subsequent production. ([4]) As can be seen in the following graph, the evolution of the\nprofitability of the global market of the gaming sector has been remarkably\nbeneficial and with a clear forecast of growth:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 3 The Global Gaming Market<\/em><\/p>\n\n\n\n

Within the constant growth of the sector, it can be seen that the\nsubsector of the “gaming mobile sector” grows especially faster\ncompared to Gaming PC or the videogames “console”.<\/p>\n\n\n\n

The following graph shows the generation of benefits by global regions:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 4 Distribution of the gaming market<\/em><\/p>\n\n\n\n

The group of countries in the Asia-Pacific region has generated up to $71.4 billion, more than half of which has been generated by China ($37 Bn), surpassing the annual profits of the US within the “gaming” sector ([5 ]). In Southeast Asia, China controls 64% of sales related to the “Gaming” sector. Its main regional competitor is Japan and South Korea.<\/p>\n\n\n\n

Supposedly, the Chinese government, with the intention of maintaining growth and control within the international “gaming” market, has been attributed links with the activity of the APT Winnti Group. This group has as one of its main objectives to collect classified information from the “Game Designers” of the organizations of the gaming sector ([6]). <\/p>\n\n\n\n

The ESET company has published an investigation about a Winnti Group campaign where the company “Thai developer Electronics Extreme” was cyber-attacked and could have distributed infected versions of its product called “Infestation Gameplay”. As the following graph shows, it can be seen that the highest percentage of infected products have been distributed in Thailand. The percentages published by ESET are as follows ([1]):<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Illustration 4 Countries most infected by the Winnti Group campaign<\/em><\/p>\n\n\n\n

The graph above shows a high percentage of cyber-attacks by the Winnti Group against companies in the gaming sector in Thailand ([1]). One of the most unique characteristics of the gaming sector within Thailand is that the companies are not global or large multinationals. The vast majority of companies in Thailand\u2019s gaming sector are SMEs with Thai capital. However, these same companies usually work with international organizations such as Nintendo or Xbox, among others. Another feature of high value within the gaming market in Thailand are the companies focused on the behavioral study of videogame consumers, such as “Asiasoft”. The Thai gaming industry may be of high interest to a state in terms of cyber espionage, since its collaboration with large international companies and its research on gaming consumers could be of high value to the international gamer industry ([7]).<\/p>\n\n\n\n

<\/h2>\n\n\n\n

<\/h2>\n\n\n\n

Conclusions<\/strong><\/h2>\n\n\n\n

As we could realize in this\nresearch, almost all the sectors would be a relevant target for a threat group.\nCurrently, the globalized market is able to interconnect all the companies of a\nspecific field. This fact means that, day by day, the targets of the threat\ngroups are more extended and specialized. Apparently, the gaming sector would look\nlike as a non-significant sector in the worldwide economy. However, as we could\nanalyze there is an APT specialized within it. We conclude that all the sectors\nare relevant in the current globalized economy and consequently would be a potential\ntarget for some APT.<\/p>\n\n\n\n

Another relevant conclusion in this research, it is the strategy applied by Winnti Group to compromise as much organizations as they can. The campaign aimed an important gaming supply chain organization to reach high rates of victims, as this organization distributed massively the infected product. Wherefore, the national and international suppliers are an important target for many APT.<\/p>\n\n\n\n

<\/h2>\n\n\n\n

<\/h2>\n\n\n\n

Indicators of Compromise<\/strong><\/h2>\n\n\n\n

Samples of compromised files ([1]): <\/strong>
<\/p>\n\n\n\n
SHA-1<\/td>Compile Time (UTC)<\/td>RC4 Key<\/td>PayloadSH1<\/td><\/tr>

7cf41b1acfb05064518a2ad9e4c16fde9185cd4b <\/td>
Tue Nov 13 10:12:58 2018 <\/td>
1729131071 <\/td>
8272c1f4 <\/td><\/tr>

7f73def251fcc34cbd6f5ac61822913479124a2a <\/td>
Wed Nov 14 03:50:18 2018 <\/td>
19317120 <\/td>
44260a1d <\/td><\/tr>

dac0bd8972f23c9b5f7f8f06c5d629eac7926269 <\/td>
Tue Nov 27 03:05:16 2018 <\/td>

1729131071
<\/td>
8272c1f4 <\/td><\/tr><\/tbody><\/table>\n\n\n\n

<\/p>\n\n\n\n

Payload samples: <\/p>\n\n\n\n
SHA-1<\/strong><\/td>C&C Server URL<\/strong><\/td><\/tr>

a045939f53c5ad2c0f7368b082aa7b0bd7b116da <\/td>
https:\/\/bugcheck.xigncodeservice[.]com\/Common\/Lib\/Common_bsod.php <\/td><\/tr>
a260dcf193e747cee49ae83568eea6c04bf93cb3 <\/td> https:\/\/bugcheck.xigncodeservice[.]com\/Common\/Lib\/Common_Include.php <\/td><\/tr>
dde82093decde6371eb852a5e9a1aa4acf3b56ba <\/td> https:\/\/bugcheck.xigncodeservice[.]com\/Common\/Lib\/common.php <\/td><\/tr>
8272c1f41f7c223316c0d78bd3bd5744e25c2e9f <\/td>https:\/\/nw.infestexe[.]com\/version\/last.ph <\/td><\/tr>
44260a1dfd92922a621124640015160e621f32d5 <\/td>https:\/\/dump.gxxservice[.]com\/common\/up\/up_base.php <\/td><\/tr><\/tbody><\/table>\n\n\n\n

<\/p>\n\n\n\n

Dropper download by: api.goallbandungtravel[.]com.<\/p>\n\n\n\n
ID<\/strong><\/td>Description<\/strong><\/td><\/tr>
T1195<\/td>
Supply Chain Compromise

<\/td><\/tr>
T1050<\/td>
New Service

<\/td><\/tr>
T1022<\/td>
Data Encrypted

<\/td><\/tr>
T1079 <\/td>
Multilayer Encryption

<\/td><\/tr>
T1032<\/td>
Standard Cryptographic Protocol (RC4, RC5)
<\/td><\/tr>
T1043<\/td>
Commonly Used Port (80,443)

<\/td><\/tr>
T1009<\/td>
Binary Padding

<\/td><\/tr><\/tbody><\/table>\n\n\n\n

<\/h2>\n\n\n\n

<\/h2>\n\n\n\n

Mitre ATT&TTP Matrix<\/strong><\/h2>\n\n\n\n

In the following table you can check the TTPs associated with this group following the ATT & CK Framework of MITRE:<\/p>\n\n\n\n
Domain<\/strong><\/td>ID<\/strong><\/td>Name<\/strong><\/td>Description<\/strong><\/td><\/tr>
Enterprise<\/td>T1195<\/td>Supply Chain Compromise<\/td>Winnti Has Compromised software provider companies<\/td><\/tr>
Enterprise <\/td>T1085<\/td>Rubdll32<\/td>Winnti modifies Windows Dll files to persistance<\/td><\/tr>
Enterprise <\/td>T1050<\/td>New Service<\/td>Winnti creates a new service that runs in background<\/td><\/tr>
Enterprise <\/td>T1060<\/td>Registry Run Keys \/ Start folder<\/td>Winnti modify Windows Registry to check if should stop<\/td><\/tr>
Enterprise <\/td>T1102<\/td>Web Service<\/td>Winnti contact C&C<\/td><\/tr>
Enterprise <\/td>T1140<\/td>Deobfuscate \/ Decode Files or Information <\/td>Winnti send information ofuscated<\/td><\/tr>
Enterprise<\/td>T1012<\/td>Query Registry<\/td>Winnti modifies Windows dll files to persistence<\/td><\/tr>
Enterprise <\/td>T1024<\/td>Custom Cryptographic<\/td>Winnti communicates the C&C with base64-encoded data<\/td><\/tr>
Enterprise <\/td>TT1001<\/td>Data Obfuscation<\/td> Winnti uses Cryptographic Protocol (RC4, RC5) <\/td><\/tr>
Enterprise <\/td>T1219 <\/td>Remote Access Tools<\/td>Winnti installs backdoor that communicates with C&C to download executable code<\/td><\/tr><\/tbody><\/table>\n\n\n\n

<\/h2>\n\n\n\n

<\/p>\n\n\n\n

References:<\/strong><\/h2>\n\n\n\n

[1] L\u00e9veill\u00e9, M. E. (2019, 11 March). Gaming industry still in the scope of attackers in\nAsia. https:\/\/www.welivesecurity.com\/2019\/03\/11\/gaming-industry-scope-attackers-asia\/<\/a>\n<\/p>\n\n\n\n

 [2] Barnab\u00e1s, C. S. A. B. A. (2017). CHINA\u2019S RISE AND THE GEOPOLITICS OF SOUTHEAST\nASIA. Distant Magazine.<\/p>\n\n\n\n

[3] BBVA. (2014). The BBVA Research Geo\nWorld Report A Visual Guide to Geopolitical Affairs. https:\/\/www.bbvaresearch.com\/wp-content\/uploads\/2014\/12\/Geo-World-Report-2H-2014.pdf<\/a> <\/p>\n\n\n\n

[4] Newzoo. (2018). Mobile Revenues\nAccount for More Than 50% of the Global Games Market as It Reaches $137.9\nBillion in 2018.https:\/\/newzoo.com\/insights\/articles\/global-games-market-reaches-137-9-billion-in-2018-mobile-games-take-half\/<\/a> <\/p>\n\n\n\n

[5] Global Game Services. (2017, 1 January).\nAsia Game Markets | LAI Global Game Services. Retrieved from https:\/\/www.lai.com\/en\/asia-game-markets<\/a><\/p>\n\n\n\n

[6] Kaspersky\nLab Global Research and Analysis Team. (2013). Winnti. Retrieved from https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2018\/03\/20134508\/winnti-more-than-just-a-game-130410.pdf<\/a>\n<\/p>\n\n\n\n

[7] <\/strong>Fung, A. (2016). Global Game Industries\nand Cultural Policy (3rd<\/sup> edit.). Hong Kong.<\/p>\n","protected":false},"excerpt":{"rendered":"

Executive Summary China is one of the world powers with more presence within the international market of the gaming sector, controlling the Southeast Asian market and even more than half of the global market of the Gaming sector. Winnti Group is currently considered to be an APT group allegedly attributed to the government of China […]<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-340","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-uncategorised","7":"entry","8":"has-post-thumbnail"},"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Dex","author_link":"https:\/\/lab52.io\/blog\/author\/dex\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/340"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=340"}],"version-history":[{"count":20,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/340\/revisions"}],"predecessor-version":[{"id":461,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/340\/revisions\/461"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}