Malware: Infostealer delivered instead of game beta test

Criminals are currently recruiting victims for infostealers on Discord servers. The bait is a supposed beta test of a game.

File on the computer screen distributes viruses and malware

(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)


Cybercriminals are trying to foist infostealers on victims by inviting them to take part in supposed beta tests of games. The campaign is currently running on Discord servers in particular.

In a blog post, Malwarebytes' malware analysts explain that the operators approach potential victims by direct message on Discord; text messages and emails are used as well. The message often purports to come from the game's developer, a common method of luring victims.

If a target shows interest, the criminals send a download link together with a password for the archive that contains the installer (a password-protected archive also keeps download and mail scanners from inspecting its contents). The links point to Dropbox, Catbox and often even to the Discord content delivery network (CDN) itself. The attackers use compromised accounts for this, which lend the links additional credibility, the IT security researchers explain.


Malwarebytes has observed the malware packaged as both NSIS and MSI installers. These deliver one of several stealer families, which Malwarebytes names Nova Stealer, Ageo Stealer and Hexon Stealer. The latter two are offered as Malware-as-a-Service (MaaS): the criminals rent the malware and its associated infrastructure from other actors. The malware is designed to harvest credentials stored in web browsers, steal session cookies for platforms such as Discord and Steam, and collect cryptocurrency wallet data.

The Nova Stealer infrastructure, for example, provides a Discord webhook that notifies the operators of certain events, so they receive an alert instead of having to poll for new loot. Hexon Stealer is relatively new, the analysts explain. It is based on the Stealit stealer code and can extract Discord tokens, 2FA backup codes, browser cookies, autofill data, saved passwords, credit card details and crypto wallet data. Because session tokens and cookies are taken outright, the thief needs neither the password nor a second factor to use the account; a compromised Discord account therefore needs a password change, which invalidates the existing tokens, not just a new 2FA device.
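The webhook notification channel described above is also the part of the chain that is easiest to spot from the defender's side, because the stealer has to POST its loot to a URL in Discord's documented webhook format (`https://discord.com/api/webhooks/<id>/<token>`). The following is an added example of mine, not code from Malwarebytes or heise: it scans web-proxy log lines for that pattern, flags installer downloads from the file hosts the article names, and correlates both per client to surface the delivery-then-exfiltration sequence. The log line layout, the concrete staging hostnames and the sample traffic are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Discord's documented webhook endpoint:
#   https://discord.com/api/webhooks/<webhook_id>/<webhook_token>
# Older samples still use discordapp.com; the API version segment is optional.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?"
    r"webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})"
)

# The article names Dropbox, Catbox and the Discord CDN as delivery points;
# the concrete hostnames below are my assumption, not a list from Malwarebytes.
STAGING_HOSTS = {
    "cdn.discordapp.com", "media.discordapp.net",
    "www.dropbox.com", "dl.dropboxusercontent.com",
    "files.catbox.moe",
}
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".msi", ".exe")

# Hypothetical proxy log layout used for this example:
#   <timestamp> <client_ip> <method> <url> <status> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def classify(entry):
    """Classify one parsed log entry; return a finding dict or None."""
    url, ua = entry["url"], entry["ua"]
    wm = WEBHOOK_RE.search(url)
    if wm and entry["method"] == "POST":
        # Keep the token out of the alert: anyone holding it can post to
        # (or delete) the webhook, so it belongs in the raw log only.
        non_browser = not ua.lower().startswith("mozilla/")
        return {
            "kind": "webhook_exfil",
            "ts": entry["ts"],
            "ip": entry["ip"],
            "webhook_id": wm["id"],
            "severity": "high" if non_browser else "medium",
            "detail": f"POST to Discord webhook by user agent {ua!r}",
        }
    parsed = urlparse(url)
    if parsed.hostname in STAGING_HOSTS and parsed.path.lower().endswith(ARCHIVE_EXT):
        return {
            "kind": "staged_download",
            "ts": entry["ts"],
            "ip": entry["ip"],
            "severity": "low",
            "detail": f"{parsed.path.rsplit('/', 1)[-1]} fetched from {parsed.hostname}",
        }
    return None


def analyze(lines):
    """Scan proxy log lines in order and correlate per client IP: an installer
    pulled from a staging host followed by a POST to a Discord webhook from the
    same client is the stealer's full delivery-then-exfiltration chain."""
    findings = []
    downloaded = set()  # client IPs that fetched an archive/installer earlier in the log
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        finding = classify(m.groupdict())
        if finding is None:
            continue
        if finding["kind"] == "staged_download":
            downloaded.add(finding["ip"])
        elif finding["kind"] == "webhook_exfil" and finding["ip"] in downloaded:
            finding["severity"] = "critical"
            finding["detail"] += "; same client fetched an installer from a staging host earlier"
        findings.append(finding)
    return findings


# Constructed sample log (not real traffic): one workstation fetches the fake
# beta build from the Discord CDN and later posts to a webhook with a scripting
# user agent; a second client posts to a webhook with nothing suspicious before it.
SAMPLE_LOG = [
    '2025-01-07T10:14:02Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/1122/3344/BetaBuild_v0.9.zip 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-01-07T10:14:40Z 10.0.0.15 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-01-07T10:16:09Z 10.0.0.15 POST https://discord.com/api/webhooks/112233445566778899/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-abcd 204 "python-requests/2.31.0"',
    '2025-01-07T10:20:00Z 10.0.0.31 POST https://discord.com/api/webhooks/998877665544332211/zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210-_wxyz 204 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["ts"], f["ip"], f["kind"], "-", f["detail"])
```

Two design points worth noting. A webhook POST from a workstation is rarely legitimate, so it is flagged on its own, and a scripting user agent raises the severity; the correlation with a preceding installer download is what turns it into a confident hit. The webhook token is deliberately not copied into the alert, but it is still valuable to the responder: Discord's API lets anyone who holds the full URL delete the webhook (DELETE /webhooks/{id}/{token}), so the raw log entry is both evidence and a way to shut down the attacker's notification channel.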

The websites with the supposed beta games apparently use templates and look very similar.

(Image: Malwarebytes)

Malwarebytes estimates that the infostealers' primary interest is Discord credentials, which are used to grow the network of compromised accounts: since the stolen data also covers the victims' friends, the attackers can impersonate victims to their contacts, which lends the next lure more credibility. In the end, however, the criminals are after money, the IT researchers explain.

The websites hosting the supposed game betas appear to be built from templates and look very similar. They are often hosted with providers that rarely respond to take-down requests. Malwarebytes advises potential victims to run anti-malware software and to verify requests from friends through a second channel, for instance another social network or a text message. Malwarebytes also lists Indicators of Compromise (IOCs) in the form of URLs. Because the pages are template-built and the hosts slow to act, such URL indicators go stale quickly; the more durable signal is the pattern itself: an unsolicited beta invitation, a password-protected archive, and an installer served from a file-sharing host or the Discord CDN.

Online criminals are not running out of ideas for malware campaigns. At the end of last year, for example, they seized on the popular topic of artificial intelligence: instead of the advertised free AI video editor, victims again received only infostealers that spied on them.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.