{"id":35895,"date":"2020-06-16T06:17:41","date_gmt":"2020-06-16T10:17:41","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=35895"},"modified":"2021-05-31T07:54:11","modified_gmt":"2021-05-31T11:54:11","slug":"gaming-password-stealers","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/gaming-password-stealers\/35895\/","title":{"rendered":"How Trojans steal gaming accounts"},"content":{"rendered":"<p>We often talk about the online threats gamers face, including malware in pirated copies, mods, and cheats, not to mention phishing and <a href=\"https:\/\/www.kaspersky.com\/blog\/steam-scam\/11317\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">all kinds of scams<\/a> when buying or exchanging in-game items. And not long ago, we looked at problems with <a href=\"https:\/\/www.kaspersky.com\/blog\/whats-wrong-with-cheap-game-keys\/35682\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">buying accounts<\/a>. Fortunately, it\u2019s easy to avoid those threats if you know about them.<\/p>\n<p>But here\u2019s another problem you need to know about and defend against: password stealers. When our security solutions catch them, they\u2019re usually designated Trojan-PSW.(something). They are Trojans designed to steal accounts\u00a0\u2014 either username\/password combinations or session tokens.<\/p>\n<p>You may have read about <a href=\"https:\/\/www.kaspersky.com\/blog\/stealing-steam-accounts\/11560\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Steam stealers<\/a>\u00a0\u2014 Trojans that steal accounts in the world\u2019s most popular gaming service. But there are many other platforms out there, such as Battle.net, Origin, Uplay, and the Epic Games Store. 
They all have multimillion-dollar audiences, so naturally, attackers are interested, and stealers exist for them, too.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kts-dm-gamers\">\n<h2>What are password stealers?<\/h2>\n<p>Password stealers are a type of malware that steals account information. In essence, a stealer is similar to a banking Trojan, but instead of intercepting or substituting entered data, it usually steals information already stored on the computer: usernames and passwords <a href=\"https:\/\/www.kaspersky.com\/blog\/browser-data-theft\/27871\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">saved in the browser<\/a>, cookies, and other files that happen to be on the hard drive of the infected device. Moreover, sometimes game accounts are just one of the targets of stealers\u00a0\u2014 some are no less interested in your online banking credentials.<\/p>\n<p>Stealers can grab accounts in many ways. For example, take the Trojan stealer Kpot (aka Trojan-PSW.Win32.Kpot). It is distributed mainly through e-mail spam with attachments that exploit vulnerabilities (for example, in Microsoft Office) to download the actual malware onto the computer.<\/p>\n<p>Next, the stealer transfers information about programs installed on the computer to the command-and-control server and waits for commands to proceed. Among the possible commands are ones to steal cookies, Telegram and Skype accounts, and much more.<\/p>\n<p>What\u2019s more, it can steal files with the .config extension from the %APPDATA%\\Battle.net folder, which, as you might guess, is linked to Battle.net, Blizzard\u2019s own game-launcher app. Among other things, these files contain the player\u2019s session token\u00a0\u2014 that is, the cybercriminals don\u2019t get the actual username and password, but they can use the token to pretend to be the user.<\/p>\n<p>Why do that? Simple: They can quickly sell off all the victim\u2019s in-game items, sometimes making good money. 
This is a feasible scenario in various Blizzard titles, including <em>World of Warcraft<\/em> and <em>Diablo 3<\/em>.<\/p>\n<p>Another piece of malware, which targets Uplay, Ubisoft\u2019s game launcher app, goes by the name Okasidis; our solutions detect it as Trojan-Banker.MSIL.Evital.gen. With respect to gaming accounts, it behaves exactly like the Kpot Trojan except that it steals two specific files: %LOCALAPPDATA%\\Ubisoft Game Launcher\\users.dat and %LOCALAPPDATA%\\Ubisoft Game Launcher\\settings.yml.<\/p>\n<p>Uplay is also of interest to a piece of malware named Thief Stealer (detected as HEUR:Trojan.Win32.Generic), which scoops up all files from the %LOCALAPPDATA%\\Ubisoft Game Launcher\\ folder.<\/p>\n<p>In addition, Uplay, Origin, and Battle.net are all targets for the BetaBot malware (detected as Trojan.Win32.Neurevt). But this Trojan has a different mode of operation. If the user visits a URL containing certain keywords (any addresses with the words \u201cuplay\u201d or \u201corigin,\u201d for example), the malware enables data collection from forms on these pages. That is, account usernames and passwords entered on the pages go straight to the attackers.<\/p>\n<p>In all three cases, the user is unlikely to notice anything\u00a0\u2014 the Trojan doesn\u2019t reveal itself in any way on the computer and doesn\u2019t display any windows with requests; it simply steals files and\/or data on the sly.<\/p>\n<h2>How to guard against Trojans hungry for gaming accounts<\/h2>\n<p>In principle, gaming accounts need to be protected in much the same way as everything else, including against stealers. Follow the advice below to foil Trojan thieves:<\/p>\n<ul>\n<li>Protect your account with two-factor authentication. 
Steam has Steam Guard, Battle.net has Blizzard Authenticator, and the Epic Games Store offers a choice between an <a href=\"https:\/\/www.kaspersky.com\/blog\/2fa-practical-guide\/24219\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">authenticator app<\/a> and authentication by text or e-mail. If your account is protected by two-factor authentication, then cybercriminals will need more than a username and a password to get inside it.<\/li>\n<li>Do not download pirated software or mods from suspicious sites. Attackers are well aware of people\u2019s craving for all things free, and they exploit it through malware hidden in cracks, cheats, and mods.<\/li>\n<li>Use a reliable security solution. For example, <a href=\"https:\/\/www.kaspersky.com\/advert\/security-cloud?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____ksc___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security Cloud<\/a> catches all these stealers and stops them from pinching anything.<\/li>\n<li>Do not turn off your antivirus when playing. If you do, a password stealer may suddenly spring into action. <a href=\"https:\/\/www.kaspersky.com\/advert\/security-cloud?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____ksc___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security Cloud<\/a>\u2019s gaming mode prevents the antivirus from consuming too many system resources during a game. 
It has no impact on performance or frame rate but still takes care of security.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kts-dm-gamers\">\n","protected":false},"excerpt":{"rendered":"<p>A particular type of malware seeks user credentials, including accounts for gaming services such as Origin, Battle.net, and Uplay.<\/p>\n","protected":false},"author":2555,"featured_media":35896,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[647,3244,164,422,723],"class_list":{"0":"post-35895","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-gamers","9":"tag-stealers","10":"tag-steam","11":"tag-threats","12":"tag-trojans"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/gaming-password-stealers\/35895\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/gaming-password-stealers\/21463\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/gaming-password-stealers\/16932\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/gaming-password-stealers\/8355\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/gaming-password-stealers\/22621\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/gaming-password-stealers\/20743\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/gaming-password-stealers\/19098\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/gaming-password-stealers\/22972\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/gaming-password-stealers\/21976\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/gaming-password-stealers\/28605\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/gaming-password-stealers\/8475\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/gaming-p
assword-stealers\/15127\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/gaming-password-stealers\/15622\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/gaming-password-stealers\/13605\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/gaming-password-stealers\/24282\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/gaming-password-stealers\/11612\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/gaming-password-stealers\/28674\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/gaming-password-stealers\/25573\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/gaming-password-stealers\/22502\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/gaming-password-stealers\/27746\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/gaming-password-stealers\/27587\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/gamers\/","name":"gamers"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/35895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2555"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=35895"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/35895\/revisions"}],"predecessor-version":[{"id":40110,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/35895\/revisions\/40110"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/35896"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=35895"}],"wp:term":[{"taxonomy":"ca
tegory","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=35895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=35895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}