The Dell SonicWALL Threats Research team has received a sample of a
backdoor Trojan posing as a game hack. It is no surprise to many that
cheats for games often carry malware. As a game grows in popularity,
cybercriminals take advantage of eager gamers by promising to unlock
abilities or hand out enough credits to buy items and progress faster;
it is exactly these shortcuts that make the lure appealing. The sample
we received poses as a cheat for a top-ranking free sports game. In
fact, searching for the 8 Ball Pool game online yields keyword
suggestions such as "hack" and "cheats."
Infection Cycle
The Trojan arrives as a file named "hack 8 ball pool.exe." Upon execution, it copies itself to the following location and creates the following registry entries (an autorun value and a firewall exception for the copy):
- %TEMP%\chrome.exe
- HKLM\software\microsoft\windows\currentversion\run[8ce73491bf190a3fd7028c92bd3331b1] "%TEMP%\chrome.exe"
- HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list [%TEMP%\chrome.exe]
Figure 1: DNS query to hackernople.no-ip.biz
It then starts to send information such as the current date, the victim's computer name, user name, operating system and IP address to a remote server:
Figure 2: Trojan sending personal information to a remote C&C server
We have also noticed the Trojan sending desktop screenshots to a remote server:
Figure 3: Trojan sending screenshots in a JPG format to a remote C&C server
This Trojan is capable of deleting files from a victim's machine. During our analysis, it deleted security tools such as Process Explorer (procexp) and TCPView (tcpview).
Figure 4: Trojan sending a confirmation of removal of processes such as procexp.exe and tcpview.exe
It is also capable of downloading additional malicious components. During our analysis, it downloaded a password recovery tool called "WebBrowserPassView" onto the victim's machine and installed it. This tool can be used to reveal passwords stored in the victim's web browsers.
Figure 5: Packets showing the infected machine receiving an executable
Figure 6: Receiving command to execute and install WebBrowserPassView
This Trojan is capable of deleting data, possibly disrupting services, and stealing information, so the threat it poses depends on the sensitivity of the data taken from the victim. It spreads more easily because it banks on the popularity of the game it impersonates, and because it can download and install further components, victims will likely end up with multiple malware infections on their computer systems.
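The behaviours described in the infection cycle above (a copy dropped in %TEMP%, a Run-key autorun and a firewall exception for it, a lookup of a dynamic-DNS host, termination of Process Explorer and TCPView, and the drop of WebBrowserPassView) are each weak on their own but strong in combination. The following is an added detection example written for this article; it is not Dell SonicWALL code. It runs a set of host and DNS telemetry records, constructed here in a simplified Sysmon-like shape (the field names are assumed, not a real log schema), through rules that map to those observations and combines the hits into a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed telemetry for the infection described in the article. The
# record layout (type/key/value/data/query/image/path) is an assumption
# made for this example, not the output of any real sensor.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Local\Temp\chrome.exe"},
    {"type": "registry_set",
     "key": r"HKLM\software\microsoft\windows\currentversion\run",
     "value": "8ce73491bf190a3fd7028c92bd3331b1",
     "data": r"%TEMP%\chrome.exe"},
    {"type": "registry_set",
     "key": r"HKLM\system\currentcontrolset\services\sharedaccess\parameters"
            r"\firewallpolicy\standardprofile\authorizedapplications\list",
     "value": r"%TEMP%\chrome.exe",
     "data": r"%TEMP%\chrome.exe:*:Enabled:chrome"},
    {"type": "dns_query", "query": "hackernople.no-ip.biz"},
    {"type": "process_terminate", "image": "procexp.exe", "by": r"%TEMP%\chrome.exe"},
    {"type": "process_terminate", "image": "tcpview.exe", "by": r"%TEMP%\chrome.exe"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Local\Temp\WebBrowserPassView.exe"},
    # Benign noise so the rules have something to ignore.
    {"type": "dns_query", "query": "www.microsoft.com"},
    {"type": "registry_set", "key": r"HKCU\software\microsoft\windows\currentversion\run",
     "value": "OneDrive", "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
]

# Paths under the user's temp directory, written either expanded or as %TEMP%.
TEMP_PATH_RE = re.compile(r"(%TEMP%|\\AppData\\Local\\Temp\\|\\Temp\\)", re.IGNORECASE)
# Autorun keys (Run / RunOnce) in either hive.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)
# The legacy Windows Firewall "authorized applications" list the sample writes to.
FIREWALL_LIST_RE = re.compile(
    r"\\firewallpolicy\\\w+profile\\authorizedapplications\\list$", re.IGNORECASE)
# Illustrative dynamic-DNS suffixes; a real deployment would use a maintained list.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "ddns.net")
# Analysis tools the article reports being killed, plus close relatives.
SECURITY_TOOLS = {"procexp.exe", "procexp64.exe", "tcpview.exe", "procmon.exe", "autoruns.exe"}
# Password-recovery utility the article reports being dropped and installed.
CREDENTIAL_TOOLS = {"webbrowserpassview.exe"}

Alert = Tuple[str, str]


def analyse_events(events: List[Dict[str, str]]) -> List[Alert]:
    """Return (rule_name, evidence) pairs for every record that matches a rule."""
    alerts: List[Alert] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "registry_set":
            key = ev["key"]
            if RUN_KEY_RE.search(key) and TEMP_PATH_RE.search(ev["data"]):
                alerts.append(("autorun_from_temp", ev["data"]))
            elif FIREWALL_LIST_RE.search(key) and TEMP_PATH_RE.search(ev["value"]):
                alerts.append(("firewall_exception_for_temp_binary", ev["value"]))
        elif kind == "dns_query":
            q = ev["query"].lower()
            if any(q == s or q.endswith("." + s) for s in DYNDNS_SUFFIXES):
                alerts.append(("dyndns_lookup", q))
        elif kind == "process_terminate":
            if ev["image"].lower() in SECURITY_TOOLS:
                alerts.append(("security_tool_killed", ev["image"]))
        elif kind == "file_create":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name in CREDENTIAL_TOOLS:
                alerts.append(("credential_dumper_dropped", ev["path"]))
    return alerts


def verdict(alerts: List[Alert]) -> str:
    """Escalate only when several distinct behaviours are seen together."""
    kinds = {rule for rule, _ in alerts}
    if len(kinds) >= 3:
        return "likely_rat_infection"
    return "suspicious" if kinds else "clean"


if __name__ == "__main__":
    found = analyse_events(SAMPLE_EVENTS)
    for rule, evidence in found:
        print(f"{rule:40} {evidence}")
    print("verdict:", verdict(found))
```

On the constructed records above the rules fire six times across five distinct behaviours, which is enough for the combined verdict; the benign OneDrive autorun and the lookup of www.microsoft.com match nothing. The point of the threshold in `verdict` is that any one of these signals (an autorun entry, a dynamic-DNS lookup) has legitimate uses, so the detection leans on the chain the article documents rather than on any single artefact.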
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: Barys.RAT (Trojan)
Source: Dell SonicWALL Security Center
Have a good time.
(Be knowledgeable, pass it on then)