The PassCV group has mounted an ongoing offensive against online gaming platforms, including the Cocos2d gaming framework, used in popular mobile games such as Badland, and the Unity engine, a gaming engine licensed across multiple gaming platforms and recently used in popular mobile games like Pokémon Go.
According to the Cylance SPEAR team, a large cluster of activity is specifically targeting game developers with malware that harvests stored password information and logs keystroke data. The group is also using 18 previously undisclosed stolen Authenticode certificates, originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia.
“The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code,” the researchers said, in an analysis. “Overall, the antivirus (AV) industry has barely kept pace with the PassCV group, and although some samples and families are well detected, the majority of the signed samples continue to have extremely low detection rates.”
Interestingly, not all of the certificates were stolen from game companies. It appears that the group had also started to branch out into signed adware.
“This may seem odd at first, but most security researchers are somewhat numb to the consistent barrage of so-called legitimately signed adware, so a more advanced backdoor signed with the same certificate could easily be overlooked,” Cylance researchers said.
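The defensive takeaway from that observation is that a valid Authenticode signature proves only that the chain reaches a trusted root, not that the signer is trustworthy, so a certificate first seen on adware should be pivoted on to find everything else it signed. The following PowerShell inventory is an added example, not code from the article or from Cylance; the scan roots and the watchlist thumbprint are placeholders to be replaced with values from your own environment or threat intelligence.

```powershell
# Added example: inventory Authenticode signers across a set of directories so a
# certificate seen on adware can be pivoted on to find other binaries it signed.
# Assumptions (not from the article): scan roots and watchlist thumbprints are
# placeholders for values from your own environment / intel feed.

function Get-SignerInventory {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$WatchlistThumbprint = @()   # placeholder: thumbprints of certs seen on adware
    )
    $watch = @{}
    foreach ($t in $WatchlistThumbprint) { $watch[$t.ToUpperInvariant()] = $true }

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }     # unsigned file: nothing to pivot on here
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status        # Valid / NotSigned / HashMismatch / NotTrusted ...
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Watchlist  = $watch.ContainsKey($cert.Thumbprint.ToUpperInvariant())
            }
        }
}

# Report per signing certificate rather than per file: one cert signing both
# "legitimate" adware and an unrelated backdoor is the pattern described above.
$inventory = Get-SignerInventory -Path 'C:\Users', 'C:\ProgramData' `
                                 -WatchlistThumbprint @('<PLACEHOLDER_THUMBPRINT>')
$inventory | Group-Object Thumbprint | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Thumbprint = $_.Name
        Subject    = $first.Subject
        Files      = $_.Count
        Watchlist  = $first.Watchlist
        AnyValid   = ($_.Group | Where-Object Status -eq 'Valid').Count -gt 0
    }
} | Sort-Object -Property Watchlist, Files -Descending | Format-Table -AutoSize
```

A certificate that reports Watchlist = True with AnyValid = True is the case to chase: the signature will pass a naive "is it signed" check, so detection has to key on the signer identity (thumbprint, subject, issuer) rather than on signature validity.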
The group also uses publicly available remote administration tools (RATs), like ZxShell and Ghost RAT, but SPEAR also detected the use of a custom RAT called Saber. It has an array of capabilities, including DDoS and the ability to hijack and steal in-game account information and items from multiple online gaming platforms. In some rare cases it’s used for click-through advertising fraud.
While the motivations of the attackers aren’t entirely clear, SPEAR believes that the attackers are most likely profiting financially in some way. This could include subverting the in-game economies of the companies they compromise, reselling the stolen code-signing certificates, offering malware signing services or by creating their own private VPN infrastructure from machines within the compromised organizations.
“The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations,” the researchers noted, adding that in recent days, the group has significantly expanded its targets to include victims in the United States, Taiwan, China and Russia.