How a Malicious Application Used a Game Demo to Deliver an Infostealer

5 min read2 days ago

Hello Folks, I hope you are doing well. today I was playing a game and found my friend sent a message that he got hacked and the attacker sent him a screenshot of my friend’s discord account. so, I asked him to send me the source of the file. so, the scenario was like this (Saying my friend called barney).

Attacker: Hello Barney, I know you are a game developer, and you use Unity.
Barney: Yes, I do.
Attacker: Cool I made a game and want to take your opinion about it. so, can you try it? I’ll send you the demo site of the game.
Barney: Sure…
Attacker: https://playarenawars.pages.dev/.

So, since the sandboxes didn’t give me a quick analysis about the file cause it’s bigger than the limit they had so I had to do it manually.

This is how the website looks like :3. seems like normal website. So, I took everything to a virtual machine.

Till now. there are no alerts from windows defender. it looks like a normal setup. so, I downloaded (ProcMon) to take a look and started (Wireshark) to capture the traffics.

This is a good indication of brute-force directories. he is going through browsers not only chrome but (Google Chrome, Brave, Yandex Browser, Edge, Opera). looking for the most important directories which are (User Data) Directory that stores Profiles and passwords, and profile data, passwords and so on.

so, I’m filtering out the only success results to take a good look.

And hmmm he found Microsoft edge files (Default, Local State). so, you will notice an execution of CMD command after it.

A PowerShell command. took these decimal number tried to decode them on (CyberChef)

Found that it executed a command related to the browser he found on the machine.

You will see an interesting operations looking inside (passwords.db). and after it opened a file called (passwords.txt) inside the directory of the program.

%USERPROFILE%\AppData\Local\Programs\ArenaWars\Passwords.txt

first the machine didn’t contain any accounts or emails. so, it’s empty so I decided to do something Trickey. I put a canary token in short URL as password.

so, to check attacker will send the creds and put it into checker to see if its valid or not. so, let’s try to run the app again. (of course, no game :D starts).

Note: I deleted the files already was there. (you will notice file called Ageo_V2Work_BrowseData). compress the file will User of the machine and data too.

contains AutoFills and passwords. he found.

After executing the app again.

passwords.txt contain the password and the email address. and the other compressed file. contain the cookies.

So. let’s go back and see what is going on after this process.

Found another cmd executed command to list all tasks.

And another executed command related to remote debugging on edge. and start everything to be clear.

And another interesting process TCP Disconnect is trying to communicate with the Edge browser that is running in headless mode.

And here we are interesting information. connection after mention the zipped file there were a connection to multiple IPs (143.244.215.221, 172.67.160.130).

there was another executed CMD command. Trying to retrieve the Windows Product Key from the system using the WMIC (Windows Management Instrumentation Command-line) utility. this is very interesting now. let’s take a look on Wireshark now.

Let’s filter the traffic on the IPs we got from the process.

Taking a look on the packets.

Found interesting domain (file.io). let’s google it

It’s a cloud website to upload files similar to (Mega.nz, MediaFire, Anonfiles) and so on. so, it should be the server that he uploads the file to. but we don’t have the full URL. so, let’s keep looking for the rest of the traffics