Cybersecurity attacks continue to rise as 2021 begins and Covid-19 pandemic continues. The gaming industry has received some special attention from threat actors connected to foreign governments.

A recent report has attributed to APT27 (also known as Emissary Panda) a breach to a major gaming company. The attack uses both in-memory code unpacking and process injection into legitimate operation system processes (msiexec.exe and svchost.exe). To further increase its chances of staying undetected, a signed google binary is used to side-load malicious DLLs.

Attacks using a signed application vulnerable to DLL side-loading have become prevalent in the past year and we suspect these types of attacks will only increase in popularity. The private sector is ill-equipped to handle state-sponsored malware, and if this trend continues traditional security applications would have to be supplemented by other tools and techniques.

Minerva Labs prevents the attack detailed in the report, using our Memory Injection Prevention module. It is worth mentioning that every Minerva client has been protected from this threat since the 2.7 version, which was released back in 2018.

The injection prevented:

Minerva’s Self-unpacking preventing the attacker’s payload:

If your company has been the victim of a malware attack, or you’d like a demo of Minerva Lab’s Anti-Malware solutions, please contact us.