New Malware 'BloodyStealer' Targets Gaming Accounts
Researchers Say Trojan Steals Data from Steam, Epic Games Stores, EA Origin
Researchers at cybersecurity firm Kaspersky have discovered an advanced Trojan, dubbed BloodyStealer, stealing gamer accounts and data from platforms such as Steam, Epic Games Stores and EA Origin.
The malware can gather and exfiltrate data, such as cookies, passwords, forms, banking cards from browsers, screenshots, login memory, and sessions from various applications, the report says.
Kaspersky did not immediately respond to Information Security Media Group's request for information on the extent of damage, attack vector and the identity of the threat actor(s).
The malware was first spotted in March 2021, in an advertisement in a Russian-speaking underground forum, Kaspersky researchers say in a Securelist report.
Along with the capabilities described in the Kaspersky report, the ad claims that BloodyStealer can also collect logs from memory, has "duplicate logging protection," and does not run in the CIS (Commonwealth of Independent States).
The researchers, who translated the ad from Russian, say that it claims the malware has been used to steal sessions from:
- Gaming platforms Bethesda, Epic Games, Origin, Steam and VimeWorld;
- Digital distribution platform for video games and films GOG;
- Messaging platform Telegram.
It has also been used to steal files from the desktop (.txt) and the uTorrent client, they say.
BloodyStealer's features include extraction of browser passwords, cookies, and environment information, Dmitry Galov, one of the Kaspersky researchers, says.
"The developers behind this stealer also added capabilities, such as grabbing information related to online gaming platforms. This information can then be sold on different underground platforms or Telegram channels that are dedicated to selling access to online gaming accounts,” he says.
Threat actors advertise BloodyStealer - which is sold on underground forums at less than $10 for a one-month subscription or $40 for a lifetime subscription - as having detection-evading capabilities and being protected against reverse engineering and malware analysis in general, the researchers say.
A buyer could use Telegram channels as well as traditional web panels for communication with the command and control center, they add.
BloodyStealer uses several anti-analysis methods, including packers and anti-debugging techniques, to complicate the malware's reverse engineering and analysis, the researchers say. Customers of the malware, they say, could protect their sample with a packer or use it as part of a multistage infection chain.
A majority of the BloodyStealer samples were protected with a commercial solution named AgileNet and "also with other, very popular, protection tools for the .NET environment, such as Confuser," the researchers say.
BloodyStealer is capable of assigning a unique identifier to every infected victim, according to the researchers.
"The identifier is created by extracting data, such as the GUID and serial number (SID) of the system. This information is extracted at runtime. Besides this identification, BloodyStealer extracts the public IP address of the C&C by requesting the information from the domain whatleaks[.]com," the researchers say.
After assigning a UID to the victim and getting the C&C IP address, BloodyStealer extracts various data from the infected machine, creates a POST request with information about the exfiltrated data, and sends it to the malicious C&C, the researchers say.
"The data itself is sent to the configured C&C server later as a non-protected ZIP archive. The IP address configured in the infected system is used as the name of the ZIP archive," they add.
The C&C server, located at hxxp://gwrg23445b235245ner.mcdir[.]me/4/654/login.php, is placed behind Cloudflare, which hides its original IP and provides a layer of protection against DDoS and web attacks, the researchers say.
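The network behaviour described above (an IP lookup against whatleaks[.]com, a POST to the C&C path, then a ZIP archive named after an IP address) is the part of the report a defender can turn into a check. The script below is an added example, not code from Kaspersky or from the article: it triages web-proxy log lines for those three indicators and groups them per source host, so a host that shows the whole sequence stands out. The log format, the field names and the sample lines are constructed for this example; the indicators themselves are only the ones the article names.

```python
"""
Added example (not from the Kaspersky report or the article): triage of
proxy log lines for the BloodyStealer network sequence the article describes:
  * a request to whatleaks[.]com (IP discovery),
  * a POST to the C&C path /4/654/login.php on a mcdir.me host,
  * an upload of a ZIP archive whose file name is an IP address.
Log format, field names and sample lines are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the article (defanged there, normalised here).
C2_HOST_SUFFIX = "mcdir.me"          # the C&C sits on a subdomain of this host
C2_PATH = "/4/654/login.php"         # matched together with the host suffix
IP_LOOKUP_HOST = "whatleaks.com"     # used by the stealer to learn the public IP

# Constructed log format:
#   "<timestamp> <src_ip> <method> <host> <path> <status> [<upload_file_name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3})(?: (?P<upload>\S+))?$"
)


@dataclass
class Hit:
    src: str     # infected host that made the request
    rule: str    # which indicator fired
    detail: str  # human-readable evidence


def _host_matches(host, suffix):
    """Exact host or any subdomain of it (the C&C used a random subdomain)."""
    return host == suffix or host.endswith("." + suffix)


def _is_ip_zip_name(name):
    """True for upload names like '203.0.113.7.zip': a ZIP named after an IP."""
    if not name or not name.lower().endswith(".zip"):
        return False
    try:
        ipaddress.ip_address(name[:-4])
        return True
    except ValueError:
        return False


def classify(line):
    """Return the list of Hit objects for one log line (empty if none match)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    f = m.groupdict()
    host = f["host"].lower()
    hits = []
    if _host_matches(host, IP_LOOKUP_HOST):
        hits.append(Hit(f["src"], "ip-lookup", "request to " + host))
    # Host suffix alone would be noisy (mcdir.me is a hosting provider), so the
    # C&C rule requires the exact path the article reports as well.
    if f["method"] == "POST" and _host_matches(host, C2_HOST_SUFFIX) and f["path"] == C2_PATH:
        hits.append(Hit(f["src"], "c2-post", "POST " + host + f["path"]))
    if f["method"] == "POST" and _is_ip_zip_name(f["upload"]):
        hits.append(Hit(f["src"], "ip-named-zip", "upload " + f["upload"]))
    return hits


def triage(lines):
    """Map each source host to the sorted set of rules it triggered; a host
    with all three rules shows the full lookup -> POST -> ZIP sequence."""
    by_src = {}
    for line in lines:
        for hit in classify(line):
            by_src.setdefault(hit.src, set()).add(hit.rule)
    return {src: sorted(rules) for src, rules in by_src.items()}


# Constructed sample log: 10.0.0.5 shows the whole sequence, the others are benign.
SAMPLE_LOG = [
    "2021-09-27T10:00:01Z 10.0.0.5 GET whatleaks.com / 200",
    "2021-09-27T10:00:03Z 10.0.0.5 POST gwrg23445b235245ner.mcdir.me /4/654/login.php 200",
    "2021-09-27T10:00:09Z 10.0.0.5 POST gwrg23445b235245ner.mcdir.me /4/654/login.php 200 203.0.113.7.zip",
    "2021-09-27T10:01:00Z 10.0.0.8 GET example.com /index.html 200",
    "2021-09-27T10:02:00Z 10.0.0.9 POST files.example.org /upload 200 report.zip",
]

if __name__ == "__main__":
    for src, rules in triage(SAMPLE_LOG).items():
        print(src, ",".join(rules))
```

Run on the constructed sample, only 10.0.0.5 is reported, with all three rules. Each rule on its own is weak evidence (whatleaks.com is a legitimate IP-check site, and an archive named after an IP is unusual but not malicious by itself); the value is in the combination on one host within a short window, which is why the output is grouped per source rather than emitted line by line.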
Kaspersky did not immediately respond to ISMG's request seeking mitigation advice for companies affected by the malware and advice on how potential target companies can detect its presence and protect their users. Steam, Epic Games Stores and EA Origin have not shared the mitigation and prevention measures they've implemented.
Kaspersky said it has detected attacks using BloodyStealer in Europe, Latin America, and the Asia-Pacific region. It did not identify the victims or the sectors they belonged to.
While BloodyStealer is not made exclusively for stealing game-related information, the platforms it can target clearly point to the demand for this type of data among cybercriminals, the Kaspersky report says.
Combinations of gaming logins and passwords to popular platforms such as Steam, Origin, Ubisoft or EpicGames can sell as cheaply as $14 per thousand accounts when sold in bulk, and for 1% to 30% of an account’s value when sold individually, according to Kaspersky.
"These stolen accounts do not come from accidental data leaks, but are the result of deliberate cybercriminal campaigns that employ malware such as BloodyStealer," the researchers say.
Logs - or credentials required to access an account - are one of the most popular wholesale products on darknet forums, according to Kaspersky, which analyzed 12 unidentified international darknet forums and marketplaces to come to that conclusion.
Dark web sellers also offer stolen accounts, expensive games and add-ons at significantly lower prices, as well as rare equipment with a "discount 30-40% off the original price."
The popularity of attacks on the gaming industry comes as no surprise. One of the highest growth climbers of 2020, gaming saw an increase in both credential stuffing attacks (up 224%) and web attacks (up 340%), compared to the previous year, according to software company Akamai. DDoS attacks against gamers were down by 20%, but they still made up nearly 50% of all DDoS attacks, it says.
Even as the mobile gaming industry recorded a revenue of $77.2 billion in 2020, Akamai says there has been an increase in phishing attacks against mobile gamers.