Infected game launcher replaced with valid one after infection

Jan 20, 2015 23:04 GMT  ·  By

Gamers in some countries in Asia have been targeted by cybercriminals who planted a remote access Trojan (RAT) in the official releases of online games League of Legends (LoL) and Path of Exile (PoE).

Malware known as PlugX was observed being delivered when users tried to install either of the two games, or to update them.

The threat is designed to steal information from the compromised computer and upload it to a remote server. Another capability of PlugX is to download other malicious files.

Tracking the infection was difficult

According to security researchers at Trend Micro, the tainted official game releases were traced to Asian Internet platform provider Garena.

Garena confirmed that all the installation files for LoL and PoE were infected, as their machines, including patch servers, had been compromised by unknown intruders and malware had been planted on them.

The provider also said that, as soon as it learned about the situation, verification of the hardware was initiated and its systems were cleaned.

Trend Micro says that a malicious game launcher reaching a user's computer would actually drop three files: the legitimate game installer, a malicious file that adds PlugX to the system, and a third file in charge of removing traces of the compromise by overwriting the infected launcher with the legitimate one.

By relying on this method, the cybercriminals would hinder tracking the infection to Garena, since a local computer scan would show a clean game launcher.

Users in Taiwan are the most affected

Security researchers made one interesting note as a result of their analysis. “While checking the certificate, we noticed that the hash value applied to the suspect file was VALID, which means that the ‘signing tool’ was used to pair with the compromised binary’s hash. The clean game launcher, on the other hand, has an invalid digital signature,” Benson Sy, threat analyst with Trend Micro, wrote in a blog post.
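The two defensive lessons in the passages above are that a launcher which overwrites itself with the clean binary leaves nothing for a later disk scan to find, and that a valid code signature on the tainted file was no proof of cleanliness because the signing step itself had been reached. The script below is an added example, not code from the article or from Trend Micro or Garena: it records the SHA-256 digest of an installer at download time, checks it against an out-of-band known-good manifest, and on a later rescan flags a file whose digest no longer matches what was recorded. The byte strings, file name and manifest are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed sample installers. These bytes stand in for a legitimate launcher
# and a trojanized one; they are not derived from any real LoL or PoE binary.
LEGIT_LAUNCHER = b"LEGIT-LAUNCHER-v1.0 (constructed sample bytes)"
TROJANIZED_LAUNCHER = LEGIT_LAUNCHER + b"<constructed dropper stub>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good manifest. In practice this must come from a channel independent of
# the patch server: the article notes the tampered file carried a valid signed
# hash, so neither the download server nor signature validity alone can be the
# source of truth.
KNOWN_GOOD = {"launcher.exe": sha256_hex(LEGIT_LAUNCHER)}


def verify_against_manifest(path: str, manifest: dict) -> bool:
    """Return True only if the on-disk digest equals the manifest entry."""
    with open(path, "rb") as f:
        return sha256_hex(f.read()) == manifest.get(os.path.basename(path))


class PreExecutionLedger:
    """Stores the digest of a file as it was at download time, before it runs.

    A rescan compares the current file with the ledger. A mismatch means the
    file was replaced after it was recorded, which is exactly the trace-hiding
    step described in the article: the infected launcher overwrites itself with
    the clean one, so a scan that only looks at the file afterwards sees nothing.
    """

    def __init__(self):
        self.entries = {}

    def record(self, path: str) -> str:
        with open(path, "rb") as f:
            self.entries[path] = sha256_hex(f.read())
        return self.entries[path]

    def rescan(self, path: str) -> dict:
        with open(path, "rb") as f:
            current = sha256_hex(f.read())
        recorded = self.entries[path]
        return {
            "recorded": recorded,
            "current": current,
            "replaced_after_download": recorded != current,
        }


def run_demo() -> dict:
    """Constructed scenario: a trojanized launcher is downloaded, 'runs', and
    overwrites itself with the legitimate launcher. Returns what each check saw."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "launcher.exe")
        with open(path, "wb") as f:
            f.write(TROJANIZED_LAUNCHER)

        ledger = PreExecutionLedger()
        ledger.record(path)  # evidence captured before anything executes
        ok_at_download = verify_against_manifest(path, KNOWN_GOOD)

        # Simulated execution: the dropper's cleanup step replaces the launcher.
        with open(path, "wb") as f:
            f.write(LEGIT_LAUNCHER)

        ok_after_run = verify_against_manifest(path, KNOWN_GOOD)
        post = ledger.rescan(path)

    return {
        "manifest_ok_at_download": ok_at_download,   # False: tainted file caught
        "manifest_ok_after_run": ok_after_run,       # True: disk now looks clean
        "replaced_after_download": post["replaced_after_download"],  # True
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the ledger is that the only moment the tainted launcher is observable on disk is before it runs; a manifest check at that moment blocks it, and the recorded digest is what lets a later investigation prove the file was swapped even though the current copy matches the vendor's clean release.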

According to telemetry data from the antivirus vendor, the most affected country is Taiwan, accounting for 82.59% of the infections. Users in Singapore, Thailand, Malaysia and Hong Kong were also impacted, but to a much lesser degree, under 6.20%.

At the moment, users suspecting infection with PlugX can use a cleaning tool developed by Trend Micro specifically for this malware.

[Image gallery: PlugX came from Garena (3 images)]

Image 1: Garena systems delivered the malware
Image 2: Game launcher also adds PlugX RAT to the system
Image 3: Launcher for Path of Exile was also infected