Kaspersky researchers discover BloodyStealer - a new malware targeted at stealing game launcher login details

[WhitetailAni]

Summary

Researchers for Kaspersky Antivirus have recently discovered BloodyStealer, a new malware designed to steal game launcher login details such as Steam, GOG, Epic Games, and others. So far it has been deployed in Europe, Latin America, and the Asia-Pacific region according to the researchers, and is using a MaaS, or Malware-as-a-Service business model, with a $10/month subscription fee or $40 for a lifetime license.

 

Quotes

Quote

On Monday, Kaspersky researchers detailed a new "advanced" trojan called "BloodyStealer" that targets users' gaming accounts. The trojan can scrape data from PCs, including passwords, cookies, bank card details, screenshots, and more. It can also steal client sessions from Bethesda, Epic Games, GOG, EA Origin, Steam, Telegram, and VimeWorld.

Quote

Cybersecurity firm Kaspersky, which coined the malware "BloodyStealer," said it first detected the malicious tool in March 2021 as being advertised for sale at an attractive price of 700 RUB (less than $10) for one month or $40 for a lifetime subscription. Attacks using Bloody Stealer have been uncovered so far in Europe, Latin America, and the Asia-Pacific region.

Quote

Having games and in-game items sold off is not the only problem that awaits the owner of a stolen account. Cybercriminals or buyers (it makes little difference to the victim) can use the account to launder money, distribute phishing links, and do other illegal things. To avoid falling prey to cybercriminals, make sure your accounts and devices are secure.

• Protect your accounts with strong passwords, enable two-factor authentication, and generally max out the platform’s security settings (see our guides for Steam, Battle.net, Origin, Twitch, and Discord users).
• Download apps only from official sources to minimize the chances of picking up BloodyStealer or other malware.
• Be wary of links in e-mails and messages from strangers.
• Before entering your credentials on any website, make sure it’s genuine.
• Use a reliable security solution. For example, Kaspersky Security Cloud blocks BloodyStealer and doesn’t interfere with gameplay.

My thoughts

I'm curious how this malware is spread and how it attacks. Does it need to be installed, or just on your device and then it works from there? I don't pay too much attention to this part of tech but this intrigues me.

Kaspersky has a few tips on how to avoid this, though I'm not sure how effective they are. I'm not the security researcher though.

Good luck out there!

 

Sources

https://www.kaspersky.com/blog/bloodystealer-and-gaming-accounts-in-darknet/42157/

https://www.techspot.com/news/91463-bloodysteal-advanced-trojan-steals-accounts-most-major-gaming.html

https://thehackernews.com/2021/09/new-bloodystealer-trojan-steals-gamers.html

[Vishera]

That malware is scary,

But the question is how it spreads?

If you have to download and execute it in order for it to work then it's like any other common viruses out there,

And common sense will suffice.

[IPD]

And things like this are the reason why I have (and will continue to) use Kaspersky for my internet security.  They are on the bleeding edge of detecting and identifying threats.  (They were the first to ID Conficker, iirc).

 

Their criticisms are justified.  And I probably wouldn't trust them with sensitive equipment either.  But for home use (for someone who wouldn't really ever be the target of spear phishing)--they are the bee's knees.

[Cyberspirit]

If it's just the login details then this doesn't seem like a big threat for those who have 2FA but those who dont, this could be an issue.

 

Apparently this is way more serious, which is bad news. Thanks for the explanation @Kisai.

 

Quote

This would bypass 2FA. These aren't simply stealing the passwords, they're stealing the session cookies that exist after the user has logged in.

 

Edited September 30, 2021 by Cyberspirit

[CommanderAlex]

From Kaspersky's article on how to avoid, 

Quote

How to avoid falling victim to BloodyStealer and other thieves

Having games and in-game items sold off is not the only problem that awaits the owner of a stolen account. Cybercriminals or buyers (it makes little difference to the victim) can use the account to launder money, distribute phishing links, and do other illegal things. To avoid falling prey to cybercriminals, make sure your accounts and devices are secure.

 

• Protect your accounts with strong passwords, enable two-factor authentication, and generally max out the platform’s security settings (see our guides for Steam, Battle.net, Origin, Twitch, and Discord users).
• Download apps only from official sources to minimize the chances of picking up BloodyStealer or other malware.
• Be wary of links in e-mails and messages from strangers.
• Before entering your credentials on any website, make sure it’s genuine.
• Use a reliable security solution. For example, Kaspersky Security Cloud blocks BloodyStealer and doesn’t interfere with gameplay.

So, as always, use some common sense!

[BuckGup]

Makes sense, you can laundering millions with a couple steam accounts with CSGO skins

[DrMacintosh]

I've got my World of Warships account setup with 2FA. Protect those that you love. 

[RoseLuck462]

One good thing about Blizzard is that they’ve had authenticators for more than a decade. I wish League of Legends had that.

[Kisai]

7 hours ago, Cyberspirit said:

If it's just the login details then this doesn't seem like a big threat for those who have 2FA but those who dont, this could be an issue.

This would bypass 2FA. These aren't simply stealing the passwords, they're stealing the session cookies that exist after the user has logged in.

 

Steam actually checks when you change browsers, but not ISP's. But most game launchers don't check anything at all.

 

To tell you a short story, one MMORPG I played, their launcher was rather broken (it kept connecting to CDN's that were missing the patch files) for what had to be a few months, and the way around it? the first time you used it successfully, you grabbed the authenticated session cookie from the executable process. If you keep running that commandline exactly the same way every time, it will work until there is a client version mismatch. Remember the launcher only does two things in nearly all games, verifying the file integrity, and downloading/patching. Modders use this strategy for basically preventing the launcher from removing their unauthorized mods.

 

Unless the server is whitelisting IP addresses at an account level, the "token passed via command line" will always work, and thus stealing it will always work this way as well. Quite frankly I'm surprised it took 15 years for malware to do it, and I'm sure there were other malwares doing it before, just not such a credential goblin such as this.

[Cyberspirit]

17 hours ago, Kisai said:

This would bypass 2FA. These aren't simply stealing the passwords, they're stealing the session cookies that exist after the user has logged in.

 

Steam actually checks when you change browsers, but not ISP's. But most game launchers don't check anything at all.

 

To tell you a short story, one MMORPG I played, their launcher was rather broken (it kept connecting to CDN's that were missing the patch files) for what had to be a few months, and the way around it? the first time you used it successfully, you grabbed the authenticated session cookie from the executable process. If you keep running that commandline exactly the same way every time, it will work until there is a client version mismatch. Remember the launcher only does two things in nearly all games, verifying the file integrity, and downloading/patching. Modders use this strategy for basically preventing the launcher from removing their unauthorized mods.

 

Unless the server is whitelisting IP addresses at an account level, the "token passed via command line" will always work, and thus stealing it will always work this way as well. Quite frankly I'm surprised it took 15 years for malware to do it, and I'm sure there were other malwares doing it before, just not such a credential goblin such as this.

Oh, that is a much bigger issue then. Thanks for the explanation!