Three pieces of spyware are deploying as many methods to infect and monitor players of Korean card game applications in order to cheat, steal, and siphon off sensitive personal and financial data.
According to the Microsoft Malware Protection Center (MMPC), whoever is responsible for these pieces of malware is attempting to pilfer user login credentials, credit card information that is used to pay for in-game money and assorted upgrades, Korean ID numbers (a sort of Korean-variety Social Security number often required for online registration and verification), and screenshots, presumably taken to provide the authors with an unfair advantage should they play against infected users online.
Microsoft’s Marianne Mallen found that the spyware is designed to spy on the following gaming applications: LASPOKER.EXE, highlow2.exe, baduki.exe, duelpoker.exe, HOOLA3.exe, poker7.exe, and FRN.exe.
The first piece of malware, Trojan:Win32/Urelas.C, takes screenshots of the affected gaming application while it gathers user credentials and other basic computer identification information, which it then sends to a remote server.
A second piece, identified as Trojan:Win32/Gupboot.A, is doing essentially the same, but adds in a bootkit that overwrites the master boot record as well. This malware has a functionality that conceals itself from users by allowing kernel-mode hooking to hide suspicious processes.
The last piece analyzed by Mallen is a backdoor Trojan, Backdoor:Win32/Blohi.B, that weasels its way onto machines by mimicking legitimate gaming apps bundled with Nullsoft Scriptable Install System (NSIS) installers.
The program then calls up a popular search engine in Korea to test for an internet connection before it starts monitoring keystrokes, modifying the process list and taking screenshots. It can also install and uninstall programs, and display a fake blue screen that Mallen believes is a ploy, compelling users to restart their machines, and thus allow for the installation of more malware.
Between 96 and 99 percent of these samples are popping up in Korea, according to MMPC statistics.
