Trojan distributed as 8 Ball Pool game hack (Dec 18, 2015)


The Dell SonicWALL Threats Research team has received a sample of a backdoor Trojan posing as a game hack. It is no surprise that cheats for games often carry malware, and the more popular a game becomes, the more attractive such shortcuts are: cybercriminals lure eager gamers with the promise of unlocking abilities or accumulating enough credits to buy their way forward. The sample we received poses as a cheat for a top-ranking free sports game; searching online for 8 Ball Pool yields keyword suggestions such as “hack” and “cheats.”

Infection Cycle

The Trojan arrives as a file named “hack 8 ball pool.exe.” Upon execution, it copies itself into the user's temporary directory under a name chosen to look like the Chrome browser:

  • %TEMP%\chrome.exe

To start again after a reboot, the Trojan adds the following value to the Run key (the value name is a 32-character hexadecimal string):

  • HKLM\software\microsoft\windows\currentversion\run [8ce73491bf190a3fd7028c92bd3331b1] = “%TEMP%\chrome.exe”

To bypass the Windows Firewall it registers itself as an authorized application (the StandardProfile\AuthorizedApplications\List key is the exception list used by the Windows XP / Server 2003 firewall):

  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list [%TEMP%\chrome.exe]

It then makes the following DNS query:

Figure 1: DNS query to hackernople.no-ip.biz
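As an added example (not code from the original analysis), the two registry indicators above and the dynamic DNS query in Figure 1 can be turned into a small offline triage check: it parses a `reg export` style dump of the Run key and the firewall exception list, and scans a DNS query log for names under dynamic DNS providers. Both inputs are constructed for the example. Only the Run value name, the chrome.exe temp path and hackernople.no-ip.biz come from the article; the benign registry entries, the XP-era `AuthorizedApplications\List` value format (`<path>:*:Enabled:<name>`), the log line layout and the dynamic DNS suffixes other than no-ip.biz are assumptions.

```python
import re

# --- Constructed inputs (not from the original analysis) -------------------
# A `reg export` style dump of the two keys the Trojan writes. The Run value
# name and the chrome.exe temp path follow the article; the benign entries and
# the XP-era AuthorizedApplications\List value format ("<path>:*:Enabled:<name>")
# are assumptions made for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"8ce73491bf190a3fd7028c92bd3331b1"="C:\\Users\\victim\\AppData\\Local\\Temp\\chrome.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe:*:Enabled:Google Chrome"
"C:\\Users\\victim\\AppData\\Local\\Temp\\chrome.exe"="C:\\Users\\victim\\AppData\\Local\\Temp\\chrome.exe:*:Enabled:chrome"
"""

# Constructed DNS query log ("<date> <time> <host> query <type> <qname>");
# only hackernople.no-ip.biz comes from the article.
SAMPLE_DNS_LOG = """2015-12-18 10:01:02 WIN7-PC query A www.google.com
2015-12-18 10:01:05 WIN7-PC query A hackernople.no-ip.biz
2015-12-18 10:01:09 WIN7-PC query A no-ip.biz.example.com
2015-12-18 10:02:00 WIN7-PC query A update.microsoft.com
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# Paths under the user or system temp directory, literal or via %TEMP%/%TMP%.
TEMP_DIR_RE = re.compile(r"^%TE?MP%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
# Assumed starter list of dynamic DNS suffixes; the sample used no-ip.biz.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "ddns.net", "hopto.org", "zapto.org")


def _unescape(s):
    # Undo .reg string escaping: \" becomes " and doubled backslashes become one.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path.lower(): {value_name: data}} for string values in a .reg export."""
    keys, current = {}, None
    line_re = re.compile(r'^"(.*?)"="(.*)"$')
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None:
            m = line_re.match(line)
            if m:  # hex(...)/dword values are skipped: only strings matter here
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def suspicious_run_entries(reg):
    """Run-key values that look like the sample's persistence entry."""
    hits = []
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        reasons = []
        if TEMP_DIR_RE.search(data):
            reasons.append("executable lives in a temp directory")
        if HEX_NAME_RE.match(name):
            reasons.append("value name is a bare 32-hex-digit string")
        exe = data.lower().rsplit("\\", 1)[-1]
        if exe == "chrome.exe" and "\\google\\chrome\\" not in data.lower():
            reasons.append("chrome.exe outside the Chrome install path")
        if reasons:
            hits.append((name, data, reasons))
    return hits


def suspicious_firewall_exceptions(reg):
    """Firewall exception entries (value name = exe path) pointing into a temp directory."""
    return [(path, data) for path, data in reg.get(FW_LIST_KEY.lower(), {}).items()
            if TEMP_DIR_RE.search(path)]


def dyndns_queries(log):
    """Queries whose name is a dynamic DNS suffix or a subdomain of one.
    Matching is on label boundaries, so no-ip.biz.example.com is not flagged."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        qname = fields[-1].rstrip(".").lower()
        for suffix in DYNDNS_SUFFIXES:
            if qname == suffix or qname.endswith("." + suffix):
                hits.append((qname, suffix))
                break
    return hits


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    for name, data, reasons in suspicious_run_entries(reg):
        print(f"Run: {name} -> {data}  ({'; '.join(reasons)})")
    for path, data in suspicious_firewall_exceptions(reg):
        print(f"Firewall exception: {path}  ({data})")
    for qname, suffix in dyndns_queries(SAMPLE_DNS_LOG):
        print(f"Dynamic DNS query: {qname}  (matches {suffix})")
```

On a live host the dump comes from `reg export <key> <file>`; the file is written as UTF-16 with a byte-order mark, so open it with `encoding="utf-16"` before passing it to `parse_reg_export`. The check only covers the two keys this sample touches; a real triage should also read HKCU's Run key and the RunOnce keys, and the temp-directory heuristic is a lead to inspect, not proof on its own.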

It then begins reporting to a remote server, sending the current date, the victim's computer name, user name, operating system and IP address:

Figure 2: Trojan sending personal information to a remote C&C server

We also observed the Trojan sending desktop screenshots to the remote server:

Figure 3: Trojan sending screenshots in a JPG format to a remote C&C server

The Trojan is also capable of deleting files from the victim's machine. During our analysis it deleted security tools such as Process Explorer (procexp) and TCPView.

Figure 4: Trojan sending confirmation of the removal of procexp.exe and tcpview.exe

It is also capable of downloading additional components. During our analysis it downloaded and installed WebBrowserPassView, a legitimate NirSoft password recovery utility that reveals the passwords saved in the victim's web browsers.

Figure 5: Packets showing the infected machine receiving an executable

Figure 6: Receiving command to execute and install WebBrowserPassView

This Trojan can delete data, potentially disrupt services and steal information, so the threat it poses depends on the sensitivity of the data on the victim's machine. It spreads all the more widely by trading on the popularity of the game it impersonates, and because it can download and install further components, victims are likely to end up with multiple infections on their systems.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Barys.RAT (Trojan)