Trojan distributed as 8 Ball Pool game hack
The Dell SonicWALL Threats Research team has received a sample of a backdoor Trojan posing as a game hack. Cheats for games often contain malware and that might not come as a surprise to many. But as a game becomes more popular, cybercriminals take advantage of eager gamers with a promise to help unlock abilities or perhaps accumulate enough credits to buy something to progress in a game and these shortcuts make them more appealing. The sample we received is posing as a cheat to a top ranking free sports game. In fact, searching for 8 Ball Pool game online yields keywords suggestions such as "hack" and "cheats."
The Trojan arrives as a file named "hack 8 ball pool.exe." Upon execution, it copies itself to the following directory:
In order to start after reboot the Trojan adds the following keys to the registry:
- HKLMsoftwaremicrosoftwindowscurrentversionrun[8ce73491bf190a3fd7028c92bd3331b1] "%TEMP%chrome.exe"
To bypass the windows firewall it adds the following to the registry:
- HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofileauthorizedapplicationslist [%TEMP%chrome.exe]
It then makes the following DNS query:
Figure 1: DNS query to hackernople.no-ip.biz
It subsequently then starts to send information such as the current date, the victim's computer name, user name, operating system and IP to a remote server:
Figure 2: Trojan sending personal information to a remote C&C server
We have also noticed the Trojan sending desktop screenshots to a remote server:
Figure 3: Trojan sending screenshots in a JPG format to a remote C&C server
This Trojan is capable of deleting files from a victim's machine. During our analysis, it deleted security tools such as processxp and tcpview.
Figure 4: Trojan sending a confirmation of removal of processes such as procexp.exe and tpcview.exe
It is also capable of downloading additional malicious components. During our analysis, it downloaded a password recovery tool called "WebBrowserPassView" on to the victim's machine and installed it. This tool can be used to reveal passwords stored in the victim's internet browsers.
Figure 5: Packets showing the infected machine receiving an executable
Figure 6: Receiving command to execute and install WebBrowserPassView
This Trojan is capable of deleting data, possibly disrupting services and stealing information and therefore poses a big threat depending on the sensitivity of data stolen from the victim. It makes it even more pervasive as it banks on the popularity of the game it pretends to be and with its capability to download and install more components, victims will likely end up with multiple malware infections in their computer systems.
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: Barys.RAT (Trojan)