Online game trading – sometimes more than you bargained for

Some online games offer features for the game players to sell their game items online. In such situations, it is highly likely some sellers may send the potential buyers a screenshot of their items for sale, for example, via Instant Messaging programs. 

Recently, malware distributors have started taking advantage of this. They pretend to be selling items and send a “screenshot” of their items for sale, when in fact, the “screenshot” file sent is a malicious executable file disguised as an image file. When executed, it does display a screenshot of some rare items (see below image); however, malware is silently dropped and executed in the background.

Imitation screenshot displayed by the malware
Figure 1 – Imitation screenshot displayed by the malware

This whole process may be user-initiated, and the user remains uncompromised until they open the “screenshot” file.

The disguised malware is detected as TrojanDropper:Win32/Fedripto.A. It can be configured to drop different malware components, and in the wild, the dropped file may be detected as Backdoor:Win32/Zegost.H – a remote control backdoor that is a prevalent threat in China.

Play it safe and scan files received from unknown sellers before opening – the items they are “selling” may simply be – malware! 

TrojanDropper:Win32/Fedripto.A SHA1: 84c1db933ea6159be27a642a03c2542e68f7adc9
Backdoor:Win32/Zegost.H SHA1: b79c07da4a9b55f065adc7af3aad23f84c08d91e

Chun Feng
MMPC Melbourne

Comments (0)