{"id":13487,"date":"2018-10-02T07:10:17","date_gmt":"2018-10-02T15:10:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/10\/02\/news-7254\/"},"modified":"2018-10-02T07:10:17","modified_gmt":"2018-10-02T15:10:17","slug":"news-7254","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/10\/02\/news-7254\/","title":{"rendered":"Fortnite gamers targeted by data theft malware"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Tue, 02 Oct 2018 14:00:00 +0000<\/strong><\/p>\n

The new season of the incredibly popular video game Fortnite is upon us<\/a>, and so too are the scams. It\u2019s no surprise that con artists would jump on this bandwagon, eager to peddle their fakeouts.<\/p>\n

Only this time, scammers had something a little more dangerous in mind than your typical low-level surveys and downloads that never actually materialize. Among all the gluttony of scams there hid a malicious file ready to steal data and Bitcoin, for starters.<\/p>\n

How did we find it? First, we sifted through a sizable mish-mash of free season six passes, supposedly \u201cfree\u201d Android versions of Fortnite, which were leaked out from under the developer\u2019s noses, the ever-popular blast of \u201cfree V-Bucks\u201d used to purchase additional content in the game, and a lot of bogus cheats, wallhacks, and aimbots.<\/p>\n

Here\u2019s the current state of YouTube, for example:<\/p>\n

\"fortnite<\/a><\/p>\n

Click to enlarge<\/p>\n

These videos can drive huge numbers: Here\u2019s one that\u2019s been pulled down, but managed to rack up 120,000 views before the hammer fell:<\/p>\n

\"120k<\/a><\/p>\n

Click to enlarge<\/p>\n

Almost all of the scam tomfoolery followed the typical survey route, as expected. But buried in all of this was a nasty little slice of data theft malware disguised as a cheat tool.<\/p>\n

Offering up a malicious file under the pretense of a cheat is as old school as it gets, but that\u2019s never stopped cybercriminals before. In this scenario, would-be cheaters suffer a taste of their own medicine via a daisy chain of clickthroughs and (eventually) some malware as a parting gift. Shall we take a look?<\/p>\n

Setting the scene<\/h3>\n

The YouTube account offering this scam up has a little over 700 subscribers, and the video in question already had more than 2,200 views the day after being uploaded.<\/p>\n

\"fortnite<\/a><\/p>\n

Click to enlarge<\/p>\n

Clicking the link sends potential victims to a page on Sub2Unlock. This site differs from typical survey pages, where you’d normally click offers or fill in questions to obtain a theoretical reward. Instead, it asks you to hit subscribe on the social portal of the person sending you there in the first place. So there’s one difference, right off the bat.<\/p>\n

\"sub<\/a><\/p>\n

Click to enlarge<\/p>\n

Another interesting difference is that any initial survey page requires you to physically complete a survey before progressing. Without doing this, you can’t gain access to a download link.<\/p>\n

Here, we had no validation taking place during our testing. Clicking the subscribe button simply opened up the YouTube channel\u2019s subscribe page but nothing checked to ensure we\u2019d actually subscribed. All we had to do at this point was go back to the Sub2Unlock site and click the download button.<\/p>\n

From here, gamers are whisked away to a site located at<\/p>\n

bt-fortnite-cheats(dot)tk<\/p>\n

\"fortnite<\/a><\/p>\n

Click to enlarge<\/p>\n

This site is a fairly good-looking portal claiming to offer up the desired cheat tools, and it stands a fair chance of convincing youngsters of its legitimacy. A little bit more button clicking, and potential victims are taken to a more general download site containing what appears to be an awful lot of files alongside a wide range of adverts.<\/p>\n

\"fortnite<\/a><\/p>\n

Click to enlarge<\/p>\n

As far as the malicious file in question goes, at time of writing, 1,207 downloads had taken place. That’s 1,207 downloads too many.<\/p>\n

File information<\/h3>\n

Malwarebytes detects this file as Trojan.Malpack<\/a>, a generic detection given to files packed suspiciously. The actual payload could be anything at all, but it will invariably be up to no good. In this case, a little digging showed us the payload is a data stealer.<\/p>\n

Once the initial .EXE (which weighs in at just 168KB) runs on the target system, it performs some basic enumeration on details specific to the infected computer. It then attempts to send data via a POST command to an \/index.php file in the Russian Federation, courtesy of the IP address 5(dot)101(dot)78(dot)169.<\/p>\n

Some of the most notable things it takes an interest in are browser session information, cookies, Bitcoin wallets, and also Steam sessions.<\/p>\n

\"a<\/a><\/p>\n

Click to enlarge<\/p>\n

Bizarrely, it also wrote this to our test system:<\/p>\n

\"radio<\/a><\/p>\n

Click to enlarge<\/p>\n

\u2026Grateful Dead, anyone?<\/p>\n

The IP address up above has been seen many times in relation to similarly named\/themed files.<\/p>\n

Lots of the files contained in this download are packed in entirely different ways. One of them has a process called \u201cStealer.exe.\u201d Many more post the stolen information to \/gate.php instead of index.php, which is a common sign of Zbot and a few others.<\/p>\n

While this particular file probably isn\u2019t that new, it\u2019s still going to do a fair bit of damage to anyone that runs in. Combining it with the current fever for new Fortnite content is a recipe for stolen data and a lot of cleanup required afterward.<\/p>\n

As a final note, we should mention the readme file accompanying the stealer advertises being able to purchase additional Fortnite cheats for \u201c$80 Bitcoin.\u201d<\/p>\n

\"read<\/a><\/p>\n

Click to enlarge<\/p>\n

Given how things up above panned out, we\u2019d advise anyone tempted to cheat to steer well clear of this one. Winning is great, but it\u2019s absolutely not worth risking a huge slice of personal information to get the job done.<\/p>\n

The post Fortnite gamers targeted by data theft malware<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Christopher Boyd| Date: Tue, 02 Oct 2018 14:00:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
If you’ve ever been tempted to cheat at Fortnite, think again\u2014with the release of season six of the popular video game, we found a data theft malware masquerading as a cheat tool, ready to steal your browser sessions, cookies, and even your Bitcoin. <\/p>\n

Categories: <\/p>\n