How Trojans steal gaming accounts

A particular type of malware seeks user credentials, including accounts for gaming services such as Origin, Battle.net, and Uplay.

How Trojans steal accounts in Origin, Battle.net, Uplay, and other gaming services — and how to protect yourself

We often talk about the online threats gamers face, including malware in pirated copies, mods, and cheats, not to mention phishing and all kinds of scams when buying or exchanging in-game items. And not long ago, we looked at problems with buying accounts. Fortunately, it’s easy to avoid those threats if you know about them.

But here’s another problem you need to know about and defend against: password stealers. When our security solutions catch them, they’re usually designated Trojan-PSW.(something). They are Trojans designed to steal accounts — either username/password combinations or session tokens.

You may have read about Steam stealers — Trojans that steal accounts in the world’s most popular gaming service. But there are many other platforms out there, such as Battle.net, Origin, Uplay, and the Epic Games Store. They all have multimillion-dollar audiences, so naturally, attackers are interested, and stealers exist for them, too.

What are password stealers?

Password stealers are a type of malware that steals account information. In essence, it is similar to a banking Trojan, but instead of intercepting or substituting entered data, it usually steals information already stored on the computer: usernames and passwords saved in the browser, cookies, and other files that happen to be on the hard drive of the infected device. Moreover, sometimes game accounts are just one of the targets of stealers — some are no less interested in your online banking credentials.

Stealers can grab accounts in many ways. For example, take Trojan stealer Kpot (aka Trojan-PSW.Win32.Kpot). It is distributed mainly through e-mail spam with attachments that use vulnerabilities (for example, in Microsoft Office) to download the actual malware onto the computer.

Next, the stealer transfers information about programs installed on the computer to the command-and-control server and waits for commands to proceed. Among the possible commands are ones to steal cookies, Telegram and Skype accounts, and much more.

What’s more, it can steal files with the .config extension from the %APPDATA%\Battle.net folder, which, as you might guess, is linked to Battle.net, Blizzard’s own game-launcher app. Among other things, these files contain the player’s session token — that is, the cybercriminals don’t get the actual username and password, but they can use the token to pretend to be the user.

Why do that? Simple: They can quickly sell off all the victim’s in-game items, sometimes making good money. This is a feasible scenario in various Blizzard titles, including World of Warcraft and Diablo 3.

Other malware, which targets Uplay, Ubisoft’s game launcher app, goes by the name Okasidis, and our solutions call it Trojan-Banker.MSIL.Evital.gen. With respect to gaming accounts, it behaves exactly like the Kpot Trojan except that it steals two specific files: %LOCALAPPDATA%\Ubisoft Game Launcher\users.dat and %LOCALAPPDATA%\Ubisoft Game Launcher\settings.yml.

Uplay is also of interest to a piece of malware named Thief Stealer (detected as HEUR:Trojan.Win32.Generic), which scoops up all files from the %LOCALAPPDATA%\Ubisoft Game Launcher\ folder.

In addition, Uplay, Origin, and Battle.net are all targets for the BetaBot malware (detected as Trojan.Win32.Neurevt). But this Trojan has a different mode of operation. If the user visits a URL containing certain keywords (any addresses with the words “uplay” or “origin,” for example), the malware enables data collection from forms on these pages. That is, account usernames and passwords entered on the pages go straight to the attackers.

In all three cases, the user is unlikely to notice anything — the Trojan doesn’t reveal itself in any way on the computer, doesn’t display any windows with requests, but simply steals files and/or data on the sly.

How to guard against Trojans hungry for gaming accounts

In principle, gaming accounts need to be protected in much the same way as everything else, including against stealers. Follow the advice below to foil Trojan thieves:

  • Protect your account with two-factor authentication. Steam has Steam Guard, Battle.net has Blizzard Authenticator, and the Epic Games Store offers a choice between an authenticator app and authentication by text or e-mail. If your account is protected by two-factor authentication, then cybercriminals will need more than a username and a password to get inside it.
  • Do not download mods from suspicious sites, or pirated software. Attackers are well aware of people’s craving for all things free, and they exploit it through malware hidden in cracks, cheats, and mods.
  • Use a reliable security solution. For example, Kaspersky Security Cloud catches all these stealers and stops them from pinching anything.
  • Do not turn off your antivirus when playing. If you do, a password stealer may suddenly spring into action. Kaspersky Security Cloud‘s gaming mode prevents the antivirus from consuming too many system resources during a game. It has no impact on performance or frame rate but still takes care of security.
Tips