Experts at Trend Micro have spotted a new malicious campaign based on the popular PlugX RAT, the threat actor behind the attack has bundled the malware with League of Legends (LoL) and Path of Exile (PoE) game files.
The practice to bundle PlugX variants with legitimate apps is very common, and the choice of trojanize games allow an attacker to infect a large audience.
Both games are distributed in Asia by Singapore-based company Garena that commercializes popular games from principal firms, including Electronic Arts, Riot Games, and S2 Games.
Trend Micro confirmed that only the Taiwanese versions of the League of Legends and Path of Exile installers were compromised. The majority of victims is located in Taiwan (82%), but other infections were discovered in Malaysia, Hong Kong, Singapore and Thailand.
The breach was first reported by the Hacks in Taiwan (HITCON) security conference, Garena issued an official statement to inform its customers that game files for League of Legends and Path of Exile had been compromised.
At this time, there is no news regarding a potential data breach that could have exposed payment data and user’s personal information, anyway the company is urging the customers to change their passwords and enable two-step authentication on their accounts.
Trend Micro noticed that bad actor stopped their campaign just after Garena issued the warning in late December.
Once executed, the compromised game launchers provided by Garena dropped a legitimate launcher, the function of which is to overwrite the bogus launcher with a genuine one and serve a dropper used to deploy the PlugX binaries (BKDR_PLUGX.ZTBL-EC). The malware replaces the compromised launcher with a legitimate one to hide evidence of the infection.
“The cleaner file could be seen as one way of covering up any traces of malicious activity. In the end, the victim will only see two malicious files, NtUserEx.dll and NtUserEx.dat (both detected as BKDR_PLUGX.ZTBL-EC).”Trend Micro reported in a blog post.”One marked difference is that this PlugX variant created its own autostart service rather than relying on the legitimate app’s.”
The experts discovered the string “Cooper” in the body of this variant of PlugX RAT, so they speculated that the malware was spread by the threat actor behind a separate APT campaign dubbed “Lee Cooper” due to the name used as the registrant of the C&C server.
“While checking the certificate, we noticed that the hash value applied to the suspect file was VALID, which means that the ‘signing tool’ was used to pair with the compromised binary’s hash. The clean game launcher, on the other hand, has an invalid digital signature,” wrote Benson Sy, Threats Analyst at Trend Micro.
Garena has sanitized all the game files in his catalog, Trend Micro has developed a removal tool for this strain of PlugX.