According to a recent report by Marianne Mallen of the Microsoft Malware Protection Center (MMPC), Microsoft researchers have come across three new Trojans that specifically target Korean gamers.
"According to the ... MMPC, whoever is responsible for these pieces of malware is attempting to pilfer user login credentials, credit card information that is used to pay for in-game money and assorted upgrades, Korean ID numbers (a sort of Korean-variety Social Security number often required for online registration and verification), and screenshots, presumably taken to provide the authors with an unfair advantage should they play against infected users online," writes Threatpost's Brian Donohue.
One of the Trojans, Trojan:Win32/Urelas.C, is designed to take screenshots of the victim's gaming activity, then upload them to a remote service in JPG, TIFF or BMP format. It also gathers and uploads other information, including the computer name and user login information.
The second Trojan, Trojan:Win32/Gupboot.A, adds a bootkit component and overwrites the master boot record (MBR). "Part of this malware’s payload is to allow kernel-mode hooking to hide the malware process and its suspicious activities from the user, making the system run in a compromised state," Mallen writes.
The third Trojan, Backdoor:Win32/Blohi.B, arrives disguised as a popular game such as Plants vs. Zombies or StarCraft. Once installed, it pings a search engine to confirm the presence of an Internet connection, then logs keystrokes, monitors gaming processes, and takes and uploads screenshots. "It can also display a fake blue screen ... possibly to force the user into rebooting their computer so that the Blohi malware can install other malware," Mallen writes.
"MMPC strongly recommends users be cautious with files downloaded from the internet," Mallen writes. "Always verify that it comes from a reputable source before executing the binary. In the case of Blohi and other malware posing as installers, instead of playing a full version of the game, you might end up getting played by malware authors."