Gamers hit with trojanized versions of official League of Legends releases
Computer security experts often advise users to download games, apps, documents, software and software updates directly from the original source (the manufacturer) or from reputable online stores.
It’s good advice that considerably reduces the danger of downloading malware, but it’s not a guarantee, as official websites, online repositories and stores occasionally do get compromised and the software they offer for download gets inconspicuously bundled with malware.
The latest instance of this type of compromise was detected late last year and resulted in many Taiwanese gamers getting saddled with the PlugX remote access Trojan (RAT).
The attackers targeted well-known Asian consumer Internet platform provider Garena, which partners with a number of high-profile game developers from around the world. These partnerships mean that more often than not, Garena offers exclusive releases of certain games to its Asia-based customers.
The investigation revealed that only the Taiwanese versions of popular online games League of Legends and Path of Exile offered for download on the site were swapped with trojanized ones.
The provider cleaned up the website and its servers and notified its customers of the intrusion via a press release. It advised them to update their game-related files, scan their machines with an AV solution, change the password they use for the site, and enable the two-step verification feature Garena offers. It also warned them about potential phishing attempts they might be subjected to, but said that there is no evidence that the users’ personal and account information has been compromised and/or leaked.
Trend Micro researchers have analyzed the trojanized versions, and have discovered that the infection chain was triggered by downloading the seemingly legitimate installer or updates for one of those games.
“The compromised game launcher will then drop three files: a legitimate game launcher, a ‘cleaner’ that overwrites the compromised launcher with the legitimate one, and a dropper that installs PlugX binaries. The ‘cleaner’ file could be seen as one way of covering up any traces of malicious activity,” they explained.
The security company offered a clean-up tool for the gamers that might have been infected.
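The self-overwriting step in the quoted analysis, where a dropped "cleaner" replaces the launcher that dropped it, leaves a recognizable sequence in process and file telemetry. The following Python is an added example, not code from Trend Micro or Garena; the event schema, paths and process names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events in a simplified, hypothetical schema:
# (kind, pid, parent_pid, path); parent_pid is None for file writes.
SAMPLE_EVENTS = [
    ("start", 100, 1, r"C:\Games\Launcher.exe"),
    ("write", 100, None, r"C:\Temp\launcher_clean.exe"),
    ("write", 100, None, r"C:\Temp\cleaner.exe"),
    ("write", 100, None, r"C:\Temp\dropper.exe"),
    ("start", 101, 100, r"C:\Temp\cleaner.exe"),
    ("start", 102, 100, r"C:\Temp\dropper.exe"),
    ("write", 101, None, r"C:\Games\Launcher.exe"),  # launcher replaced
    ("start", 200, 1, r"C:\Tools\Editor.exe"),       # benign activity
    ("write", 200, None, r"C:\Docs\notes.txt"),
]


def find_self_replacing_droppers(events):
    """Flag processes whose image is overwritten by an executable they dropped."""
    image_of = {}                  # pid -> normalized image path
    dropped_by = defaultdict(set)  # pid -> executables that pid wrote
    findings = []
    for kind, pid, _ppid, path in events:
        p = path.lower()  # Windows paths are case-insensitive
        if kind == "start":
            image_of[pid] = p
            continue
        if p.endswith(".exe"):
            dropped_by[pid].add(p)
        writer_image = image_of.get(pid)
        for origin_pid, dropped in dropped_by.items():
            # The writer was itself dropped by origin_pid and is now
            # overwriting origin_pid's own image: the "cleaner" step.
            if (origin_pid != pid and writer_image in dropped
                    and image_of.get(origin_pid) == p):
                findings.append({
                    "origin_pid": origin_pid,
                    "replaced_image": path,
                    "cleaner_image": writer_image,
                    "other_dropped": sorted(dropped - {writer_image}),
                })
    return findings


if __name__ == "__main__":
    for finding in find_self_replacing_droppers(SAMPLE_EVENTS):
        print(finding)
```

Legitimate self-updaters can produce the same sequence, so a hit is a lead for triage (for example, checking the signatures of the dropped files), not a verdict.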