The firm released a report today explaining that malware called Winnti targeted the gaming companies and was digitally signed with stolen certificates, a way for it to fly into systems under the radar.
“The group’s main objective is to steal source codes for online game projects as well as the digital certificates of legitimate software vendors,” Kaspersky Lab explained in a blog post. “In addition, they are very interested in how network infrastructure, including the production of gaming servers, is set up, and new developments such as conceptual ideas, design, and more.”
Kaspersky first came into contact with the malware when a “popular online game” contacted security researchers to check out a virus that had spread to its users through an update server. The researchers discovered that the malware wasn’t aimed at attacking individual customers, but rather, it was accidentally distributed after the targeted server became infected.
While researching the virus, Kaspersky discovered that the malware was signed with a stolen digital certificate and later determined that this is a specialty of the Winnti Group, as Kaspersky calls them. To attack all 35 of these companies, the Winnti Group set up over 100 “malicious campaigns” and different command and control servers per target.
Kaspersky believes that the attackers wanted to steal in-game currency and sell it for real money at a later time. The group also likely wanted gaming source code to find vulnerabilities or pirate games.
The majority of the targets are located in Southeast Asia, though some infections have been reported in the U.S. The researchers found Chinese characters while researching the malware, leading them to believe the Winnti Group has Chinese origins or is at least Chinese-speaking.