X-Industry

Report Date: January 14, 2019

Summary

PlayerUnknown's Battlegrounds (PUBG) has been identified by Wapack Labs as a large-scale proxy participant in major fraud. It is unclear whether PUBG is a witting or unwitting participant, but it is clear that the PUBG network has been abused for fraudulent purposes.

Wapack Labs has yet to identify the specific malware component that is responsible for recruiting PUBG gamers into various botnets. However, the seemingly endless volume of “PUBG bots” indicates a possible backdoor in the PUBG mobile application itself or in the bundled Gvoice program.

Details

Beginning in mid-2018, Wapack Labs began tracking botnet activity targeting numerous organizations. A variety of botnet traffic has been observed; however, overall trending focused on two categories:

  • The first consisting of botnet attacks using compromised servers and home routers,
  • The second by way of compromised mobile devices. 


In both cases, the compromised device is used as a proxy to connect with endpoints for the purposes of industrial fraud - including mass registration, credential stuffing attacks, or other fraudulent transactions. This report focuses on the category of botnet activity associated with mobile devices and/or computers running Android emulators.

PlayerUnknown's Battlegrounds (PUBG)

PUBG is a massively popular online shooter game and was the biggest game release of 2017. The success of PUBG's battle royale style of gameplay led to the creation of similar games like Fortnite, and to the adoption of battle royale gameplay in the competitive esports arena. PUBG's success is in part due to the popularity of the mobile version sold by Tencent. Of the 400 million PUBG players, 350 million use the mobile Tencent version.[1]

In October 2017, the China Audio-Video and Digital Publishing Association released a statement discouraging battle royale games, saying they are too violent and deviate from Chinese socialist values.[2] This led to a formal agreement between PUBG and the Chinese government allowing the game to be sold in the country with minor changes through Tencent, which is the largest publisher of games in China. As of June 2018, the mobile version of the game comprised 88 percent of the 87 million daily players.[3]

The mobile PUBG application can be downloaded from the Tencent domain filecdn.igamecj.com [4]. A sibling of this domain, lobby.igamecj.com (49.51.42.110), was also observed in communication with many of the bot IPs on port 17500. This endpoint is used for PUBG chat communications as part of Tencent Cloud's GVoice chat, which is bundled with the game. Also observed as part of this were numerous connections to several hundred Tencent IP addresses over ports 20000-20002. These are likewise associated with GVoice chat and are used for hosting player chat rooms during gameplay. Both versions of the PUBG chat traffic are observable in netflow and in open source from log files uploaded to VirusTotal by PUBG gamers:

Example of PUBG/Gvoice chat traffic observed from log files:

[5916][1364][20:19:41.034]: GCloud: [GCloud] [2018-11-08 01:20:38 397] | Info | [GCloud] |0x10483390| Connector+Update.cpp:858|handleRecvData| [Connector:0x11568600]: Recv data len:2251, tcp://lobby.igamecj.com:17500

Example PUBG/Gvoice traffic on port 20001 observed from log files:

[/Users/rdm/ieg_ci/slave/workspace/iGame20/build/Android/jni/../../..//cdnvister/build/Android/jni/../../../src/small_room_agent.cpp(997) JoinRoom()]:[SmallRoomAgent::JoinRoom]:Arg openid 15105966916109608 and url is udp://162.62.16.149:20001,roomID is 12727450649442576151, memberID is 498, roomKey is 4522542966281398, timeout:10000

Sample netflow records showing bot connections to lobby.igamecj.com (49.51.42.110):

start_time,src_ip_addr,src_cc,dst_ip_addr,dst_cc,proto,src_port,dst_port,tcp_flags,num_pkts,num_octets
"2018-11-13 01:00:32",172.58.19.36,US,49.51.42.110,CN,6,62946,17500,16,9000,360000,,
"2018-11-13 03:34:27",73.93.141.164,US,49.51.42.110,CN,6,31850,17500,16,3000,120000,,
"2018-11-13 06:45:44",49.180.70.172,AU,49.51.42.110,CN,6,58777,17500,16,3000,120000,,
"2018-11-13 08:39:27",49.51.42.110,CN,172.58.11.112,US,6,17500,39229,24,3000,1587000,,
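
As an added example (not part of the Wapack Labs report), the following Python parses netflow rows in the format shown above and flags the two PUBG observables the report describes: TCP sessions with lobby.igamecj.com (49.51.42.110) on port 17500, and UDP sessions on the GVoice room ports 20000-20002, in either direction. The fifth record is constructed to exercise the UDP case; the first four are the report's own sample rows.

```python
import csv
from collections import defaultdict
from io import StringIO

# Header exactly as printed in the report. Each data row carries two trailing
# empty fields beyond the header, which csv.DictReader parks under the None key.
NETFLOW_HEADER = ("start_time,src_ip_addr,src_cc,dst_ip_addr,dst_cc,proto,"
                  "src_port,dst_port,tcp_flags,num_pkts,num_octets")

# Observables named in the report: the lobby endpoint and the GVoice room ports.
PUBG_LOBBY_IP = "49.51.42.110"
PUBG_LOBBY_PORT = 17500
GVOICE_UDP_PORTS = range(20000, 20003)

# The first four rows are the report's own sample records; the fifth is a
# constructed UDP row standing in for a GVoice room join on port 20001.
SAMPLE_RECORDS = """\
"2018-11-13 01:00:32",172.58.19.36,US,49.51.42.110,CN,6,62946,17500,16,9000,360000,,
"2018-11-13 03:34:27",73.93.141.164,US,49.51.42.110,CN,6,31850,17500,16,3000,120000,,
"2018-11-13 06:45:44",49.180.70.172,AU,49.51.42.110,CN,6,58777,17500,16,3000,120000,,
"2018-11-13 08:39:27",49.51.42.110,CN,172.58.11.112,US,6,17500,39229,24,3000,1587000,,
"2018-11-13 09:02:10",172.58.19.36,US,162.62.16.149,CN,17,41022,20001,0,400,52000,,
"""

def classify_flow(rec):
    """Return ("lobby" | "gvoice", peer_ip) or None for one parsed row.
    Both directions are checked: the Tencent side is the src in a reply
    flow (row 4 above) and the dst in a client-initiated one."""
    proto = int(rec["proto"])
    ends = [(rec["src_ip_addr"], int(rec["src_port"]), rec["dst_ip_addr"]),
            (rec["dst_ip_addr"], int(rec["dst_port"]), rec["src_ip_addr"])]
    for ip, port, peer in ends:
        if proto == 6 and ip == PUBG_LOBBY_IP and port == PUBG_LOBBY_PORT:
            return "lobby", peer
        if proto == 17 and port in GVOICE_UDP_PORTS:
            return "gvoice", peer
    return None

def summarize(header, records):
    """Map each category to the sorted list of distinct peer IPs seen in it."""
    reader = csv.DictReader(StringIO(header + "\n" + records))
    peers = defaultdict(set)
    for rec in reader:
        hit = classify_flow(rec)
        if hit is not None:
            category, peer = hit
            peers[category].add(peer)
    return {category: sorted(ips) for category, ips in peers.items()}
```

Running `summarize(NETFLOW_HEADER, SAMPLE_RECORDS)` yields the distinct non-Tencent peers per category; on real exports the same function pivots a month of flows into a candidate bot list for further triage.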

Wapack Labs has yet to identify the specific malware component responsible for recruiting PUBG gamers into the botnet. The seemingly endless volume of "PUBG bots" indicates a possible backdoor in the PUBG mobile application itself or in the bundled Gvoice program. Other possibilities include trojanized mods or cheats, or a third-party infected version of the PUBG Mobile application itself. While there are a few of these in the wild, the legitimate version of PUBG Mobile can easily be downloaded from Tencent or loaded through the emulator.

There are many anecdotal reports from PUBG mobile players of surreptitious malware installations by Tencent, specifically from users of the Tencent Gaming Buddy emulator, which is used to run PUBG Mobile on PCs. Several users have also reported that Tencent has bundled cryptocurrency mining software with Tencent Gaming Buddy. If the latter is true, this would be a lucrative operation, considering there are currently 80 million daily PUBG mobile players.

Conclusion

Analysis is ongoing. However, one thing can be concluded - PUBG gamers are feeding several botnet supply chains. Gamers in general are frequently targeted, whether for their processing power as part of cryptocurrency mining operations or for theft of the virtual currency used in gaming. PUBG mobile players represent the ideal botnet candidate for several reasons. For one, there is no shortage of them, with over 80 million daily players. This ensures a global supply of IP addresses for botnet operators. Second, the mobile version of PUBG is popular among PC players and is enabled through Tencent's Gaming Buddy emulator. This widens the scope of devices from mobile devices to PCs.

The glaring intelligence gap at this point is whether Tencent is knowingly facilitating this activity. While there are anecdotal reports of Tencent downloading malware and cryptocurrency miners to gamers' systems, a smoking gun has yet to be identified. Wapack Labs will continue analysis of Tencent's emulator and PUBG as well as third-party software.

Appendix A

This section provides technical details on 142K bot IPs observed from 23 October, when daily tracking began.

Top Autonomous systems:

Bot ASN | count
AS7922 Comcast Cable Communications, LLC | 12768
AS4134 No.31,Jin-rong Street | 5770
AS7018 AT&T Services, Inc. | 4987
AS701 MCI Communications Services, Inc. d/b/a Verizon Business | 3181
AS4837 CHINA UNICOM China169 Backbone | 2935
AS20115 Charter Communications | 2686
AS22773 Cox Communications Inc. | 2496
AS36903 MT-MPLS | 2493
AS3320 Deutsche Telekom AG | 2486
AS3352 Telefonica De Espana | 2389
AS3269 Telecom Italia | 2235
AS5089 Virgin Media Limited | 2226
AS2856 British Telecommunications PLC | 2139
AS209 Qwest Communications Company, LLC | 2086
AS5607 Sky UK Limited | 2045
AS20001 Time Warner Cable Internet LLC | 2006
AS3215 Orange | 1851
AS22394 Cellco Partnership DBA Verizon Wireless | 1812
AS21928 T-Mobile USA, Inc. | 1668

The following map illustrates geolocations for observed bots. The United States and China were consistently the top two.

Top protocol rankings fluctuated daily; however, frequently observed ones included the following:

  • HTTP: ports 80, 8080, 443
  • BitTorrent: ports 6881-6889, 8999, 49152-65534
  • PUBG: ports 17500, 20000-20002
  • VPN: ports 8888, 9339
  • Jabber: port 5222
  • Mail protocols: ports 23, 993

The following table ranks the most commonly observed hosts seen in communication with the botnet IPs. This data was derived through daily netflow analysis over the course of a month.

ip_addr | cc | ASN | Observed bots | Analyst comment
35.211.30.253 | US | AS19527 Google LLC | 10264 | Mobile ad related: ev.adserve.video
103.235.47.74 | HK | AS55967 Beijing Baidu Netcom Science and Technology Co., Ltd. | 9827 | Duapps.com - multiple apps
209.58.147.67 | US | AS394380 Leaseweb USA, Inc. | 7863 | Mobile ad related
209.197.3.84 | US | AS20446 Highwinds Network Group, Inc. | 7789 | Porn - Xvideo content delivery
35.211.120.82 | US | AS19527 Google LLC | 7343 | Mobile ad related: ev.adserve.video
205.185.216.10 | US | AS20446 Highwinds Network Group, Inc. | 7067 | Content delivery - NFI
205.185.216.42 | US | AS20446 Highwinds Network Group, Inc. | 6967 | Content delivery - NFI
198.11.132.83 | US | AS45102 Alibaba (China) Technology Co., Ltd. | 6544 | Alibaba DNS
69.16.175.10 | US | AS20446 Highwinds Network Group, Inc. | 6267 | Mobile ad related: vd.predictionai.com
69.16.175.42 | US | AS20446 Highwinds Network Group, Inc. | 6039 | Mobile ad related: vd.predictionai.com
205.147.93.131 | US | AS393676 Zenedge Inc | 6015 | Adware related - possible browser hijacker/redirect malware
205.185.208.142 | US | AS20446 Highwinds Network Group, Inc. | 5697 | Content delivery - NFI
205.185.208.78 | US | AS20446 Highwinds Network Group, Inc. | 5358 | Content delivery - NFI
104.193.88.125 | US | AS55967 Beijing Baidu Netcom Science and Technology Co., Ltd. | 5219 | Duapps.com - multiple apps
35.227.210.77 | US | AS15169 Google LLC | 5149 | Snapchat content delivery
198.11.132.178 | US | AS45102 Alibaba (China) Technology Co., Ltd. | 5146 | Alibaba DNS
49.51.42.110 | CN | AS132203 Tencent Building, Kejizhongyi Avenue | 4932 | PUBG: lobby.igamecj.com
205.147.93.132 | US | AS393676 Zenedge Inc | 4572 | Adware related - possible browser hijacker/redirect malware
205.204.101.196 | US | AS45102 Alibaba (China) Technology Co., Ltd. | 4203 | taobao.com - Chinese e-commerce

[1] https://www.polygon.com/2018/6/19/17478476/playerunknowns-battlegrounds-sales-pubg-number-of-players

[2] https://www.bloomberg.com/news/articles/2017-10-30/world-s-hottest-pc-game-could-be-banned-in-china-due-to-violence

[3] https://en.wikipedia.org/wiki/PlayerUnknown%27s_Battlegrounds

[4] https://filecdn.igamecj.com/fclient/download.html


Jeff Stutzman
