
Malware Odlanor specializes in compromising poker players

Two years ago we published information about the PokerAgent malware (MSIL/Agent.NKY). Attackers used it to compromise user accounts of the social network Facebook and to steal information and valuable data from the online game Zynga Poker. In that case, Facebook itself served as the platform for distributing the malware.



Recently, our analysts discovered another malicious program, Win32/Spy.Odlanor, which also targets poker players. This time the targets are the PokerStars and Full Tilt Poker game clients.

From the attacker's point of view the scheme is simple: once the victim's machine is infected with the trojan, the attacker gains access to information about the victim's cards and so has an unfair advantage at the table. Below we look in more detail at how the scheme works.

As with other trojans, a user typically becomes infected while trying to download some useful piece of software from an untrusted source. Attackers disguise Win32/Spy.Odlanor as installers of legitimate general-purpose software, such as Daemon Tools or Torrent. Odlanor can also be disguised as specialized poker software such as Tournament Shark, Poker Calculator Pro, Smart Buddy or Poker Office.

Once executed, Win32/Spy.Odlanor tries to take screenshots whenever the PokerStars or Full Tilt Poker client is running. The screenshots are then sent to the attacker's remote server.

The attacker can later retrieve these screenshots, which reveal the victim's cards and also contain the player ID. Both of the aforementioned poker sites offer a search for players by ID, so the attacker can quite easily join the tables the victim is playing at.

We cannot say for sure whether the attacker plays the game manually or uses some automated method.

Newer versions of the malware add the ability to steal user passwords: a version of the NirSoft WebBrowserPassView tool is embedded in the Odlanor trojan body. This tool is classified as potentially unwanted software and is detected by ESET products as Win32/PSWTool.WebBrowserPassView.B; it extracts saved passwords from web browsers.

The Win32/Spy.Odlanor trojan communicates with its C&C server over plain HTTP. The server address is hard-coded in the malware body. Some of the data identifying the victim, such as the malware version and information about the computer, is sent as URL parameters; the rest of the collected information, including an archive with the screenshots or stolen passwords, is sent in the body of an HTTP POST request.
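As an added example (not code from the article or from ESET), the following Python script applies the traffic pattern just described to a few constructed proxy-log lines: a POST request carrying identifying URL parameters whose body begins with an archive signature. The log format, hostnames and parameter names are assumptions, as is the guess that the uploaded archive is a ZIP file.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not from the article).
# Fields: method, URL, request Content-Type, body length, hex of the first body bytes.
SAMPLE_LOG = """\
POST http://cnc.example.invalid/gate.php?ver=1.0&os=Win7&name=HOME-PC application/octet-stream 184322 504b0304
GET http://www.example.org/index.html - 0 -
POST http://www.example.org/login application/x-www-form-urlencoded 64 757365
POST http://www.example.org/api/upload?token=abc application/json 120 7b226b
POST http://cnc.example.invalid/gate.php?ver=1.1&os=Win8&name=LAPTOP application/octet-stream 51200 504b0304
"""

# Assumption: the exfiltrated "archive" is a ZIP file, so the body starts with the ZIP local-header magic.
ZIP_MAGIC = b"PK\x03\x04"


def parse_line(line):
    """Split one constructed log line into a record with parsed URL parts and raw body prefix."""
    method, url, ctype, size, head = line.split()
    parts = urlsplit(url)
    return {
        "method": method,
        "host": parts.hostname,
        "path": parts.path,
        "params": parse_qs(parts.query),          # victim identifiers travel as URL parameters
        "ctype": ctype,
        "size": int(size),
        "head": bytes.fromhex(head) if head != "-" else b"",
    }


def odlanor_like(rec):
    """True when a request matches the C&C pattern described in the article:
    POST, identifying data in the query string, and an archive in the body."""
    if rec["method"] != "POST":
        return False
    if not rec["params"]:
        return False
    return rec["head"].startswith(ZIP_MAGIC)


def find_suspicious(log_text):
    """Return the parsed records from log_text that match the heuristic."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [rec for rec in records if odlanor_like(rec)]


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print("suspicious upload to", rec["host"], "params:", rec["params"])
```

A real deployment would key the same rule on the proxy's actual field names and add the hash or C&C indicators that the vendor publishes for the sample in question.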

Below are two screenshots of the malware code in IDA Pro showing the routine that searches for application windows whose titles belong to the PokerStars and Full Tilt Poker games.




We detected several versions of this malware, the earliest dating from March 2015. Data from our ESET LiveGrid cloud technology shows that the highest number of detections was recorded in Eastern European countries, although the trojan is a potential threat to any online poker player. Users in the Czech Republic, Poland and Hungary were affected. As of September 16th we had recorded several hundred users infected with Win32/Spy.Odlanor.



Below are the SHA-1 hashes of some malware samples.

18d9c30294ae989eb8933aeaa160570bd7309afc
510acecee856abc3e1804f63743ce4a9de4f632e
dfa64f053bbf549908b32f1f0e3cf693678c5f5a

Source: https://habr.com/ru/post/267099/

