Game Thief Credential Stealing Malware Traffic Sample PCAP File Download
The stolen account information is used to allow a remote hacker access to the player’s account. The hacker can then steal the player’s virtual assets by transferring them to another player account. Such assets are often sold or auctioned off for real-world currency. With millions of players, such trojans can easily affect thousands of users.
Usually OnlineGames trojans are spammed in e-mails with deceptive and enticing subjects and attachment names. However, such trojans can also be downloaded by other malicious programs, for example by worms, backdoors, and trojan downloaders.
After the trojan’s file is started by a user, it installs itself to the system by copying its file to Windows folder.
It also creates a startup key value in the Registry for the copied file. This is done to make sure that the trojan’s file is started every time Windows boots. The startup key value is created under the following Registry key:
After installation the trojan locates the Explorer.exe process, drops a DLL from its body onto a hard drive and injects the dropped DLL into the Windows Explorer process. Note that unlike the main trojan’s file, the DLL is dropped into the Windows System folder. The dropped DLL is the main spying component.