Steam, Epic Games Store, EA Origin accounts targeted by BloodyStealer

Gamer accounts sold in the underground market after info-stealer trojans exfiltrate data from popular apps

New trojan targets gamers
Malware sold in underground forums can obtain login details of gaming applications

The new advanced trojan targets accounts on various gaming platforms because these details are valuable and in demand on various underground markets. Analysis of the BloodyStealer trojan revealed that the malware steals account details from gaming platforms like Steam, Epic Games Store, EA Origin, VimeWorld, and more.[1] Detection evasion, a low price, and other capabilities made the trojan attractive when advertisements for it were posted online.[2]

The Kaspersky research team report[3] describes all the functions of the malware and lists what data was stolen and sold on the dark web. Game-related products and gaming accounts are in demand, and the research report illustrates that as well. Julia Glazova says in her statement:

Unsurprisingly, accounts with many games, add-ons, and expensive items hold particular value. Typically cybercriminals sell them at huge discounts.

The trojan was first detected in March due to active advertising campaigns on Russian-speaking underground forums. At the time, the trojan was offered for 700 RUB a month (equivalent to $10). A lifetime subscription for the malicious tool was then on sale for $40. Attacks followed, and research shows that BloodyStealer was detected in attacks across Europe, Latin America, and the Asia-Pacific region.

Information gathering and exfiltration functionalities

Information from those popular gaming applications is obtained via a remote server. The gathered data can be easily monetized through darknet platforms and through channels on programs like Telegram, which criminals create to sell access to online accounts like these. The trojan-stealer manages to access and steal various details:

  • cookies;
  • passwords;
  • forms;
  • banking card details from browsers directly;
  • screenshots;
  • login information;
  • uTorrent files;
  • logs;
  • device data;
  • session details related to other applications.

The malware is built in a way that makes it difficult to reverse-engineer.[4] It stands out in these underground forums thanks to functions that help it evade antivirus detection. It is not specifically indicated how the trojan was delivered, but many attackers distributed BloodyStealer together with other threats. However, the most common methods include scams involving game downloads and links on social media that redirect to rogue sites and trigger the download of this virus.

Data-stealers continue globe-trotting

Once the obtained data is sent to a C&C server[5], which is protected against other attacks like DDoS and web campaigns, cybercriminals control the stolen details and can ensure later use of the information. There are tons of different data stealers on the market. Underground forums often carry advertisements for tools that have pushing functions and other functions related to information gathering. Monetization is the primary purpose of these campaigns, as with any other cyber threat campaign or attack.

Login information for accounts like these can be exceptionally valuable. Archives with tens of thousands of records linked to people in the US or Europe can be put up for $100-$200 for the whole archive. Such data typically goes for 20 – 50 cents per piece. Hackers who know what they are doing can speculate that the library contains old, useless information. Often, sellers allow buyers to check these logs to confirm that information is available before purchasing.

Unfortunately, anyone can fall victim to such malware and stealer campaigns. You need to consider all the risks and make sure to keep your accounts secure, as well as the information on your machine. Strong passwords and two-factor authentication can help. Also, be cautious about the risk behind links in emails and social media messages from strangers, and double-check that a site is legitimate before you enter any of your credentials. Use proper security solutions and anti-malware to avoid significant virus attacks.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College, Communication and Journalism studies.
