Point Blank Zepetto and Two Other Games Reported Infected with Malware

Thread starter (TS): forgamingg

Kaspersky and ESET recently confirmed another attack by the malware that last year infected almost a million ASUS computer users through the Live Update tool.

This was reported by Wired (via Game Rant), where the malware was recently found to have also attacked the Microsoft Visual Studio development tool. At least three developers have been confirmed to have used a version of the development tool already infected with this malware in their games, and at least 92,000 computers have been verified as infected.

One of the developers known to have been hit by the malware is not exactly unfamiliar to Indonesian audiences: Zepetto, with its popular shooter Point Blank. The other developers are Electronics Extreme, with a game titled Infestation, and one developer whose identity has not yet been disclosed.

ESET further detailed that the computers verified as infected are mostly located in Asia: 55% in Thailand, 13% in the Philippines and Taiwan, and smaller percentages in Hong Kong, Vietnam and Indonesia.

Furthermore, the malware is known to be designed not to affect computers set to the Simplified Chinese language, which strongly indicates that the virus originated from China.

Operation ShadowHammer: a high-profile supply chain attack

In our search for similar malware, we came across other digitally signed binaries from three other vendors in Asia.


One of these vendors is a game development company from Thailand known as Electronics Extreme Company Limited. The company has released digitally signed binaries of a video game called “Infestation: Survivor Stories”. It is a zombie survival game in which players endure the hardships of a post-apocalyptic, zombie-infested world. According to Wikipedia, “the game was panned by critics and is considered one of the worst video games of all time”. The game servers were taken offline on December 15, 2016.

The history of this videogame itself contains many controversies. According to Wikipedia, it was originally developed under the title of “The War Z” and released by OP Productions, which put it in the Steam Store in December 2012. On April 4, 2013, the game servers were compromised, and the game source code was most probably stolen and released to the public.

It seems that certain videogame companies picked up this available code and started making their own versions of the game. One such version (md5: de721e2f055f1b203ab561dda4377bab) was digitally signed by Innovative Extremist Co. LTD., a company from Thailand that currently provides web & IT infrastructure services. The game also contains a logo of Electronics Extreme Company Limited with a link to their website. The homepage of Innovative Extremist also listed Electronics Extreme as one of their partners.

Notably, the certificate from Innovative Extremist that was used to sign Infestation is currently revoked. However, the story does not end here. It seems that Electronics Extreme picked up the video game where Innovative Extremist dropped it. And now the game seems to be causing trouble again. We found at least three samples of Infestation signed by Electronics Extreme with a certificate that must be revoked again.

We believe that a poorly maintained development environment, leaked source code, as well as vulnerable production servers were at the core of the bad luck chasing this videogame. Ironically, this game about infestation brought only trouble and a serious infection to its developers.

Several executable files from the popular FPS videogame PointBlank contained a similar malware injection. The game was developed by the South Korean company Zepetto Co, whose digital signature was also abused. Although the certificate was still unrevoked as of early April, Zepetto seems to have stopped using the certificate at the end of February 2019.

All these cases involve digitally signed binaries from three vendors based in three different Asian countries. They are signed with different certificates and a unique chain of trust. What is common to these cases is the way the binaries were trojanized.



The code injection happened through modification of commonly used functions such as CRT (C runtime), which is similar to the ASUS case. However, the implementation is very different in the case of the videogame companies. In the ASUS case, the attackers only tampered with a compiled ASUS binary from 2015 and injected additional code. In the other cases, the binaries were recent (from the end of 2018). The malicious code was not inserted as a resource, nor did it overwrite the unused zero-filled space inside the programs. Instead, it seems to have been neatly compiled into the program, and in most cases it starts at the beginning of the code section, as if it had been added even before the legitimate code. Even the data with the encrypted payload is stored inside this code section. This indicates that the attackers either had access to the source code of the victims’ projects or injected malware on the premises of the breached companies at the time of project compilation.

Point Blank Gamers Targeted with Backdoor Malware


The malware hides in the legitimate game downloads, signed with a real certificate; connections to ShadowHammer have been found.

The focus of the APT behind the ShadowHammer supply-chain attack that abused the ASUS computer update function turns out to be wider in scope than previously thought. Researchers have found similar digitally-signed binaries using the videogame industry as a delivery conduit for malware. Victims include fans of the popular first-person shooter game, Point Blank.

Researchers at Kaspersky Lab and ESET have spotted downloads of the affected games that have had backdoors inserted into them. They’re also signed with legitimate digital certificates that adversaries have managed to abuse, which allows the files to skate past antivirus and onto the desktop. So, gaming aficionados that think they’re downloading a cool first-person shooter could instead find themselves as the quarry in a different kind of attack.


This is the same modus operandi seen in Operation ShadowHammer, where more than a million ASUS computer owners worldwide were infected by a backdoor that was delivered inside the legitimate ASUS Live Update Utility (an issue that is now fixed).

ESET, which did a cursory overview of the gaming attacks in March (without naming the affected games), noted that its telemetry shows victims are mostly located in Asia, with Thailand having the largest part of the pie.

“Given the popularity of the compromised application that is still being distributed by its developer, it wouldn’t be surprising if the number of victims is in the tens or hundreds of thousands,” the firm said in an initial writeup, referring to Point Blank.


=======================================================

At this unprecedented scale of operations, it is still a mystery why attackers reduced the impact by limiting payload execution to 600+ victims in the case of ASUS. We are also unsure who the ultimate victims were or where the attackers had collected the victims’ MAC addresses from. If you believe you are one of the victims, we recommend checking your MAC address using this free tool or online check website.

========================================================
So for now, be more careful, because even downloading from a legitimate source can still be dangerous. It is always advisable to use an antivirus with an up-to-date database. Prepare an umbrella before the rain; get an antivirus before you catch a virus.

That's all for my thread.

Sources:
Source 1
Source 2
Source 3
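The Kaspersky excerpt quoted above describes the layout of the trojanized game binaries: the injected code sits at the start of the code section, and its encrypted payload is stored in that same section rather than in a resource or in zero-filled slack. The script below is an added triage example written for this thread; it is not Kaspersky's or ESET's tooling and not a real sample. It parses a PE section table with the standard library only, locates code sections, and flags high-entropy windows at their head, since ciphertext has far higher byte entropy than compiled x86 code. The sample PE images, the filler bytes standing in for an encrypted payload, the "legitimate code" pattern, and the thresholds are all constructed for illustration.

```python
"""Triage heuristic for ShadowHammer-style trojanized binaries (added example).

Everything here (sample PE, filler bytes, thresholds) is constructed for
illustration; it is not vendor tooling and not a real sample.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020     # section contains code
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section is executable


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-6.5 for typical x86 code, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Decode the PE section table (only the fields the scanner needs)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "chars": chars})
    return sections


def scan_code_sections(pe: bytes, window: int = 1024, threshold: float = 7.0) -> list:
    """Return (section, offset, entropy) for high-entropy windows at the head of code sections.

    Only the first four windows are examined: the heuristic targets the layout
    Kaspersky describes, where stub + encrypted payload PRECEDE the real code.
    A hit is a lead for manual review, not proof of compromise (packers and
    embedded resources also raise entropy).
    """
    hits = []
    for s in parse_sections(pe):
        if not s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            continue
        head = pe[s["raw_ptr"]:s["raw_ptr"] + min(s["raw_size"], window * 4)]
        for off in range(0, len(head), window):
            ent = shannon_entropy(head[off:off + window])
            if ent > threshold:
                hits.append((s["name"], off, round(ent, 2)))
    return hits


def build_sample_pe(text: bytes, data: bytes = b"\0" * 512) -> bytes:
    """Construct a minimal, non-executable PE32 image with .text and .data sections."""
    e_lfanew, opt_size = 0x40, 224
    text_ptr = (e_lfanew + 4 + 20 + opt_size + 80 + 0x1FF) & ~0x1FF  # 512-byte file alignment
    data_ptr = (text_ptr + len(text) + 0x1FF) & ~0x1FF
    data_rva = (0x1000 + len(text) + 0xFFF) & ~0xFFF
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)  # i386, 2 sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)  # AddressOfEntryPoint = start of .text

    def hdr(name, vaddr, raw, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, chars)

    table = hdr(b".text", 0x1000, text, text_ptr, 0x60000020) + hdr(b".data", data_rva, data, data_ptr, 0xC0000040)
    img = bytearray(dos + b"PE\0\0" + coff + opt + table)
    img += b"\0" * (text_ptr - len(img)) + text
    img += b"\0" * (data_ptr - len(img)) + data
    return bytes(img)


def pseudo_random_bytes(n: int, seed: bytes = b"shadowhammer-demo") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed stand-ins: a repetitive prologue/epilogue byte pattern as the
# "legitimate" compiled code, and the same code with an injected stub plus
# 4 KiB of ciphertext placed in front of it, mimicking the described layout.
LEGIT_CODE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x5f\x5e\x5b\x8b\xe5\x5d\xc3\x90" * 400
INJECTED_STUB = b"\xe8\x00\x00\x00\x00\x5b"  # call $+5 / pop ebx style position-independent stub
TROJANIZED_CODE = INJECTED_STUB + pseudo_random_bytes(4096) + LEGIT_CODE

LEGIT_PE = build_sample_pe(LEGIT_CODE)
TROJANIZED_PE = build_sample_pe(TROJANIZED_CODE)

if __name__ == "__main__":
    print("legit     :", scan_code_sections(LEGIT_PE) or "no high-entropy head")
    print("trojanized:", scan_code_sections(TROJANIZED_PE))
```

On a real binary you would read the file bytes and call `scan_code_sections` on them; the clean sample produces no hits, while the trojanized one flags every window in the first 4 KiB of `.text`. Treat a hit as a reason to pull the file into a disassembler and to check the Authenticode signature and its timestamp against the vendor's known release history, as in the Zepetto case above where the certificate was still unrevoked but no longer in use.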
© 2023 KASKUS, PT Darta Media Indonesia. All rights reserved.