Researchers from Kaspersky have spotted a new malware dubbed BloodyStealer that is being used by threat actors to steal accounts for multiple gaming platforms, including Steam, Epic Games Store, GOG Galaxy, EA Origin, and more.
The infostealer is available for sale on dark web forums, the researchers explained that the malware allows operators to harvest a broad range of information, including cookies, passwords, bank cards, and sessions from various applications.
Stolen data are later sold by the operators in underground marketplaces, gaming accounts are in demand in the cybercrime ecosystem.
Gaming login credentials to popular platforms such as Steam, Origin, Ubisoft or EpicGames can be bought for 14.2 USD per thousand accounts when sold in bulk, and for 1-30% of an account’s value when sold individually.
BloodyStealer is offered through a malware-as-service model, it it offered for less than 10 USD for a 1-month subscription or 40 USD for a lifetime subscription.
“Kaspersky researchers first spotted it in March, where it was advertised as being capable of evading detection and protected against reverse engineering and malware analysis in general. It is sold on underground forums at an attractive price – less than 10 USD for a 1-month subscription or 40 USD for a lifetime subscription.” reads the analysis published by Kaspersky. “While BloodyStealer is not made exclusively for stealing game-related information, the platforms it can target clearly point to the demand of this type of data among cybercriminals. “
The researchers explained that the malware implements several anti-analysis methods, including the use of packers and anti-debugging techniques.
Below is the list of capabilities advertised by the developer of the malware:
The ad highlights the following features of BloodyStealer (translated from Russian as is):
According to Kaspersky, various threat actors rented the malware and used it as a part of other malware attack chain. The researchers observed attackers using the malware in attacks aimed at delivering KeyBase or Agent Tesla, in some cases crooks combined the stealer component with other malware families and protected it with other packers, such as Themida.
Once exfiltrated the data, BloodyStealer will send them to a C&C server, then cybercriminals can access the stolen info by using Telegram or via a web panel.
BloodyStealer is being used in attacks targeting victims from Europe, Latin America, and the Asia-Pacific region.
“BloodyStealer is a prime example of an advanced tool used by cybercriminals to penetrate the gaming market. With its efficient anti-detection techniques and attractive pricing, it is sure to be seen in combination with other malware families soon,” Kaspersky concludes. “Furthermore, with its interesting capabilities, such as extraction of browser passwords, cookies, and environment information as well as grabbing information related to online gaming platforms, BloodyStealer provides value in terms of data that can be stolen from gamers and later sold on the darknet.”
(SecurityAffairs – hacking, malware)