BARIUM targets gaming supply chains

Enterprise security personnel often assume that legitimate software products are inherently trustworthy. If an attacker takes over a legitimate app or service, they gain a level of trust that can allow them to evade detection or have their malicious activities dismissed as false positives. BARIUM, an activity group that has successfully mounted multiple supply chain attacks, continues to abuse software supply channels to reach its targets.

By compromising applications that are often used in enterprise networks, BARIUM has gained access to relatively secure networks. The group has leveraged IT utility software, which is almost always present on systems used by IT administrators. These tools are extremely attractive channels for quickly gaining privileged access and establishing footholds without causing traffic anomalies or generating detectable events.

The same approach has enabled them to cast a vast opportunistic net that has compromised additional targets. In recent attacks, they have targeted platforms used to develop or distribute popular games in Asia. By leveraging popular games, these software supply chain attacks have given BARIUM access to a large number of machines, including some corporate devices. As they gained access, they’ve implanted their Winnti backdoor (also detected by Microsoft as Cipduk).

While customers continue to trust products from reputable software vendors, activity groups like BARIUM are ready to abuse this trust. And although the onus to secure supply channels is on software developers and distributors, customers need to incorporate behavioral detections as part of a defense-in-depth strategy and flag trusted applications that exhibit unexpected behavior.

BARIUM targets gaming supply chains

In the recent campaigns affecting gaming apps, BARIUM stayed true to its modus operandi of compromising software development and distribution platforms. Through these compromised platforms, they embedded backdoor code into apps that were distributed via downloads or removable media. We have limited information about how they compromised the platforms themselves, but BARIUM has used phishing emails to gain initial access during previous campaigns.

When unsuspecting users run a legitimate app that has been trojanized by BARIUM, embedded backdoor code loads right before the legitimate code runs. End users are often misled into believing that no malicious activity has occurred and that the app is behaving as expected.

BARIUM has used stolen digital certificates to sign trojanized apps and other malware components in their toolkit, allowing them to evade application control technologies. A few of their trojanized apps and malware strains have been found signed with a Comodo certificate that Microsoft has duly removed from its trusted list.

Once installed, the trojanized app serves as a first-stage backdoor that connects to remote command-and-control (C&C) URLs. It transmits operating system details and other machine information as base64-encoded and XOR-encrypted content. Campaign operators can use this reconnaissance information to prepare the second-stage backdoor that the trojanized app downloads and introduces as the main implant.

The main implant installs as a Windows service and as a DLL file in the %SYSTEM% folder using different file names. Some more recent versions of the main implant can request updated copies of their code from another C&C server. Microsoft detects the main implant and the trojanized app as Cipduk, while it detects other BARIUM implants as Winnti.

BARIUM C&C domains tend to mimic legitimate domains owned by game development companies. This can thwart attempts by security personnel and web protection technologies to identify and block the C&C URLs.
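A triage check for the installation behavior described above (a service-hosted DLL in the system folder, possibly signed with a stolen certificate), written as an added example rather than code from the Microsoft report. It assumes an elevated PowerShell session on a supported Windows build and reports every service whose ServiceDll lives under System32 and does not carry a Valid Authenticode signature.

```powershell
# Added example, not code from the Microsoft report. Enumerates services that
# register a ServiceDll, keeps those whose DLL lives in the system folder
# (%SYSTEM% in the report), and emits the ones whose Authenticode signature is
# anything other than Valid. Assumes an elevated session on Windows 10 / Server 2016+.

function Get-SuspiciousServiceDll {
    [CmdletBinding()]
    param(
        # Folder that corresponds to %SYSTEM% in the report
        [string]$Folder = (Join-Path $env:SystemRoot 'System32')
    )

    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $paramsKey = Join-Path $svcRoot "$($svc.PSChildName)\Parameters"
        $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }

        # Registry values are usually stored as %SystemRoot%\System32\name.dll
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if ($path -notlike "$Folder\*") { continue }

        if (-not (Test-Path -LiteralPath $path)) {
            # A registered service whose DLL is gone is itself worth a look
            $status = 'FileMissing'; $signer = $null; $created = $null
        } else {
            $sig     = Get-AuthenticodeSignature -LiteralPath $path
            $status  = $sig.Status.ToString()
            $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            $created = (Get-Item -LiteralPath $path).CreationTimeUtc
        }

        # Valid is the expected case for Microsoft-supplied service DLLs; everything
        # else (NotSigned, NotTrusted, HashMismatch, UnknownError, FileMissing) is reported.
        if ($status -ne 'Valid') {
            [pscustomobject]@{
                Service    = $svc.PSChildName
                ServiceDll = $path
                SigStatus  = $status
                Signer     = $signer
                CreatedUtc = $created
            }
        }
    }
}

# Usage: newest DLL first, so a recently dropped service DLL surfaces at the top
Get-SuspiciousServiceDll | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
```

A stolen certificate that has not yet been revoked still validates, so a Valid result is not proof of legitimacy; treat the list as a starting point for review, not as a verdict.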

Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new variants and polymorphic copies of this threat.
  • Educate end users about preventing malware infections. Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications. 
  • Turn on Windows Defender Firewall to prevent malware infection and stifle propagation.
  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
  • Turn on attack surface reduction rules, including rules that can block executable files from running unless they meet a prevalence, age, or trusted list criterion and block untrusted and unsigned processes that run from USB.
  • Software developers and publishers should ensure that their build and update infrastructure is secure. They should establish processes that prepare them to respond to supply chain attacks.
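The endpoint-side mitigations above, audited and applied from PowerShell, as an added example that is not part of the Microsoft report. It assumes an elevated session on a machine running Windows Defender Antivirus; the two attack surface reduction rule GUIDs are the published IDs for the rules named in the report and should be checked against Microsoft's current ASR rule reference before rollout.

```powershell
# Added example, not code from the Microsoft report. Audits the settings behind
# the mitigations listed above (cloud-delivered protection, automatic sample
# submission, Windows Defender Firewall on every profile, the two ASR rules) and
# applies any that are missing. Assumes an elevated session on a Windows Defender
# Antivirus host; verify the rule GUIDs against Microsoft's ASR reference first.

$AsrRules = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
}

function Test-BariumMitigations {
    # Returns one row per mitigation with its current state
    $mp   = Get-MpPreference
    $ids  = @($mp.AttackSurfaceReductionRules_Ids)
    $acts = @($mp.AttackSurfaceReductionRules_Actions)

    # Map configured rule id -> action (0 Disabled, 1 Block, 2 Audit, 6 Warn)
    $configured = @{}
    for ($k = 0; $k -lt $ids.Count; $k++) { $configured[$ids[$k].ToLower()] = [int]$acts[$k] }

    # MAPSReporting 2 = Advanced; SubmitSamplesConsent 1 = safe samples, 3 = all samples
    [pscustomobject]@{ Mitigation = 'Cloud-delivered protection (MAPS)'; Applied = ($mp.MAPSReporting -eq 2) }
    [pscustomobject]@{ Mitigation = 'Automatic sample submission';       Applied = ($mp.SubmitSamplesConsent -in 1,3) }
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{ Mitigation = "Firewall profile: $($p.Name)"; Applied = ("$($p.Enabled)" -eq 'True') }
    }
    foreach ($id in $AsrRules.Keys) {
        # Audit mode (2) only logs; the mitigation counts as applied only in Block mode (1)
        [pscustomobject]@{ Mitigation = $AsrRules[$id]; Applied = ($configured[$id] -eq 1) }
    }
}

function Enable-BariumMitigations {
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
    # Add-MpPreference merges with rules already configured instead of replacing them
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Usage: show what is still missing, then apply and re-check
Test-BariumMitigations | Where-Object { -not $_.Applied } | Format-Table -AutoSize
Enable-BariumMitigations
Test-BariumMitigations | Format-Table -AutoSize
```

Run the audit alone first on a pilot group; the ASR rules can block legitimate unsigned tooling, and the report recommends checking the recommendations card for deployment status of monitored mitigations.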

Detection details

Windows Defender Antivirus

Windows Defender Antivirus detects trojanized apps and backdoor implants as the following malware:

Endpoint detection and response (EDR)

Alerts with the following titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:

  • Possible Barium Implant Detected
  • Barium Malicious File Indicator Detected
  • Communication with Barium infrastructure detected

The following alert generically detects suspicious behavior exhibited by software updaters. This alert, however, is not monitored as part of this report.

  • Malicious update

Attack surface reduction rules

These rules can block or audit activity associated with this threat:

  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Block untrusted and unsigned processes that run from USB
