Skip to main content

Trojan distributed as 8 Ball Pool game hack

By
The Dell SonicWALL Threats Research team has received a sample of a backdoor Trojan posing as a game hack. Cheats for games often contain malware and that might not come as a surprise to many. But as a game becomes more popular, cybercriminals take advantage of eager gamers with a promise to help unlock abilities or perhaps accumulate enough credits to buy something to progress in a game and these shortcuts make them more appealing. The sample we received is posing as a cheat to a top ranking free sports game. In fact, searching for 8 Ball Pool game online yields keywords suggestions such as "hack" and "cheats."


Infection Cycle The Trojan arrives as a file named "hack 8 ball pool.exe." Upon execution, it copies itself to the following directory:
  • %TEMP%\chrome.exe
In order to start after reboot the Trojan adds the following keys to the registry:
  • HKLM\software\microsoft\windows\currentversion\run[8ce73491bf190a3fd7028c92bd3331b1] "%TEMP%\chrome.exe"
To bypass the windows firewall it adds the following to the registry:
  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list [%TEMP%\chrome.exe]
It then makes the following DNS query:

Figure 1: DNS query to hackernople.no-ip.biz


It subsequently then starts to send information such as the current date, the victim's computer name, user name, operating system and IP to a remote server:

Figure 2: Trojan sending personal information to a remote C&C server


We have also noticed the Trojan sending desktop screenshots to a remote server:

Figure 3: Trojan sending screenshots in a JPG format to a remote C&C server


This Trojan is capable of deleting files from a victim's machine. During our analysis, it deleted security tools such as processxp and tcpview.

Figure 4: Trojan sending a confirmation of removal of processes such as procexp.exe and tpcview.exe


It is also capable of downloading additional malicious components. During our analysis, it downloaded a password recovery tool called "WebBrowserPassView" on to the victim's machine and installed it. This tool can be used to reveal passwords stored in the victim's internet browsers.

Figure 5: Packets showing the infected machine receiving an executable


Figure 6: Receiving command to execute and install WebBrowserPassView
This Trojan is capable of deleting data, possibly disrupting services and stealing information and therefore poses a big threat depending on the sensitivity of data stolen from the victim. It makes it even more pervasive as it banks on the popularity of the game it pretends to be and with its capability to download and install more components, victims will likely end up with multiple malware infections in their computer systems.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
  • GAV: Barys.RAT (Trojan)


Source : Dell SonicWALL Security Center
Have a good time.
(Be knowledgeable, pass it on then)

Labels:

Comments

Post a Comment

Popular posts from this blog

Fortigate guide for Begineer - 6

By
I would like to explaine how to troubleshoot the Fortigate Unit configured by Transparent Mode in step by step this time. Let's assume, you have one Fortigate Unit that configured as Transparent Mode. But devices from Internal/Private Network unable to access Internet/Public Network through your Fortigate Unit. OK. Let's troubleshoot with following steps, 1) Check the physical network connections between the network and the FortiGate unit, and between the FortiGate unit and the Internet. 2) Check the router and ISP-supplied equipment to make sure it is operating correctly. 3) Verify that you can connect to the internal interface by connecting to the management IP address of the FortiGate unit from the Internal network. From the internal network, attempt to ping the management IP address. If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure the cables are connected and all switches and other devices on the network are powered on a
Post a Comment
Read more

Solving the "A general system error occured:Invalid fault" error in vSphere 4

By
Below error was come out when you try to migrate VM to other host for some reason. Below error was come out when you try to edit VM setting. Below error was come out when you power on the VM. How to solve those error? Here is how I resolve the error! Login to the Host that errored VM exist by using Terminal or Direct Console. Enter below command and press enter. services.sh restart Wait until all VMware Services are restarted. After that try to Power On/Edit Settings or Migrate the errored VM and you will see all you can do without any error pop-up. This kind of errors can occur if you shutdown/restart VM unproperly or shutdown/restart the Host unproperly that VM exist. You can check log file deeply if you willing to know precisely on this. May you all be happy. (Be knowledgeable, pass it on then)
1 comment
Read more

Link Aggregating with Synology NAS and Cisco Switch

By
I’d like to share how to setup Link Aggregating between Synology NAS and Cisco Switch. I’ve got one Synology NAS with 4 Network Ports and I’m going to use 2 of them. Both Network Port to be as one Logical Link, Fault Tolerance and Load Balancing. To do that, I need to configure Link Aggregating on Synology NAS and EtherChannel with LACP on Cisco Switch. Below is brief steps to do to meet with my requirements. - Get connected Synology NAS and Cisco Switch as shown in picture. - Bonding two Network Ports of Synology NAS and assign IP Address - Configure EtherChannel with LACP in Cisco Switch and add two physical ports as Member. OK. Let’s begin from Synology NAS. - Login to the Synology and go to Control Panel>Network>Create>Create Bond - Select IEEE 802.3ad to get Fault Tolerance and Load Balancing Featureyou’re your switch not support 802.3ad you can only select Fault Tolerance only feature). After that click “Next”. - Choose the network port f
35 comments
Read more