Some online games offer features for the game players to sell their game items online. In such situations, it is highly likely some sellers may send the potential buyers a screenshot of their items for sale, for example, via Instant Messaging programs.
Recently, malware distributors have started taking advantage of this. They pretend to be selling items and send a “screenshot” of the items for sale, when in fact the “screenshot” file they send is a malicious executable disguised as an image file. When executed, it does display a screenshot of some rare items (see the image below); however, malware is silently dropped and executed in the background.
Figure 1 – Imitation screenshot displayed by the malware
This whole process may be user-initiated, and the user remains uncompromised until they open the “screenshot” file.
The disguised malware is detected as TrojanDropper:Win32/Fedripto.A. It can be configured to drop different malware components, and in the wild, the dropped file may be detected as Backdoor:Win32/Zegost.H – a remote control backdoor that is a prevalent threat in China.
Play it safe and scan files received from unknown sellers before opening them – the items they are “selling” may simply be malware!
TrojanDropper:Win32/Fedripto.A SHA1: 84c1db933ea6159be27a642a03c2542e68f7adc9
Backdoor:Win32/Zegost.H SHA1: b79c07da4a9b55f065adc7af3aad23f84c08d91e
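The check a recipient (or a mail/IM gateway) can apply to such a “screenshot” is to identify the file by its content rather than its name and to compare its hash with the indicators above. The following Python script is an added example, not code from the original post or from MMPC; the image signature list and the constructed sample files are assumptions for the demonstration.

```python
import hashlib
from pathlib import Path

# SHA1 values published in the post above
KNOWN_BAD_SHA1 = {
    "84c1db933ea6159be27a642a03c2542e68f7adc9": "TrojanDropper:Win32/Fedripto.A",
    "b79c07da4a9b55f065adc7af3aad23f84c08d91e": "Backdoor:Win32/Zegost.H",
}
# Magic bytes for common image formats (assumed list for this demo)
IMAGE_SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"), (b"BM", "bmp"),
]
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def sniff_type(data: bytes) -> str:
    """Identify the real content type from the bytes, not from the file name."""
    # A Windows PE file starts with the DOS "MZ" stub; the dword at offset 0x3C
    # (e_lfanew) points to the "PE\0\0" signature of the NT headers.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe-executable"
    for magic, name in IMAGE_SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def inspect_screenshot(filename: str, data: bytes) -> dict:
    """Return a verdict on a file that a 'seller' claims is a screenshot."""
    claimed = Path(filename).suffix.lower()
    actual = sniff_type(data)
    sha1 = hashlib.sha1(data).hexdigest()
    known_as = KNOWN_BAD_SHA1.get(sha1)
    if known_as or actual == "pe-executable":
        verdict = "block"    # executable posing as an image, or a known sample
    elif claimed in IMAGE_EXTENSIONS and actual != "unknown":
        verdict = "allow"    # extension and content agree on an image format
    else:
        verdict = "review"   # unrecognised content: scan before opening
    return {"claimed": claimed, "actual": actual, "sha1": sha1,
            "known_as": known_as, "verdict": verdict}


# Constructed samples (not real malware): a minimal PE skeleton renamed to
# .jpg, and a genuine PNG header.
FAKE_PE_AS_JPG = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 16
```

Run against a real download, `inspect_screenshot(path.name, path.read_bytes())` flags a renamed executable as "block" even when the icon and extension look like an image.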
Chun Feng
MMPC Melbourne