Researchers from Microsoft’s Malware Protection Center (MMPC) have analyzed three pieces of malware that appear to be used to target gamers in Korea, particularly users who play card games. Experts believe the malware authors are using their creations to steal various pieces of information from their victims, but some of the techniques could also be used to cheat.
Trojan:Win32/Urelas.C, a malware developed in Delphi, takes screenshots of the victim’s gaming activity. These screenshots are sent to a remote server in various image formats, including JPEG, TIFF and BMP.
Besides taking screenshots, which the cybercriminals could use to observe the victims’ gaming behavior or to cheat, Urelas.C also collects valuable information from the infected computers.
Trojan:Win32/Gupboot.A is the second piece of malware currently targeting Korean players. It is more sophisticated, since it contains a bootkit component and code from Urelas that overwrites the master boot record (MBR).
“Part of this malware’s payload is to allow kernel-mode hooking to hide the malware process and its suspicious activities from the user, making the system run in a compromised state. Like most malware that overwrites the MBR, the main intent is to use the malware’s 16-bit loader to execute the payload,” Marianne Mallen of MMPC explains.
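An MBR bootkit of the kind described above replaces the bootstrap code in sector 0 while leaving the partition table intact, so a defender-side check is to baseline the boot-code region and compare it later. The following is an added example, not code from the article or from MMPC; it parses constructed 512-byte sectors so it runs offline, and on a live Windows host the sector would instead be read from the raw disk device (`\\.\PhysicalDrive0`, which requires administrator rights).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code lives in bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return the boot-code hash plus partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        start_lba, sector_count = struct.unpack("<II", entry[8:16])
        if entry[4] != 0:                       # partition type 0 means an unused slot
            partitions.append({"bootable": entry[0] == 0x80, "type": entry[4],
                               "start_lba": start_lba, "sectors": sector_count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return findings; an empty list means the boot code still matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    return findings


def make_sector(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed 512-byte MBR so the check can run without disk access."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6  # disk signature + pad
    for status, ptype, lba, count in entries:
        body += bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba, count)
    return body.ljust(510, b"\x00") + BOOT_SIG


# Constructed samples: a "known good" loader and one whose loader was replaced.
ENTRIES = [(0x80, 0x07, 2048, 204800)]
CLEAN = make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", ENTRIES)
BASELINE = parse_mbr(CLEAN)["boot_code_sha256"]   # record this while the host is clean
TAMPERED = make_sector(b"\xeb\x3e\x90" + b"\x90" * 40, ENTRIES)  # same table, new loader

if __name__ == "__main__":
    print(check_mbr(CLEAN, BASELINE))      # []
    print(check_mbr(TAMPERED, BASELINE))   # ['boot code differs from baseline']
```

The baseline hash must be captured while the host is known to be clean and stored off-host, since a bootkit that hides its own process can equally well tamper with a local record.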
The last malware, Backdoor:Win32/Blohi.B, is distributed as installers for games such as StarCraft and Plants vs. Zombies. Developed in Visual Basic, Blohi is capable of taking screenshots, logging keystrokes and monitoring certain processes, and it gives its master backdoor access to the infected device.
Interestingly, it can display a fake blue screen, most likely to force the victim to restart the computer so that the malware can install other malicious components.
Despite the fact that traces of these threats have been spotted in other countries as well, including the United States, over 90% of the infections have been detected in Korea.