Security Response

Leveling Up: Gaming Trojan Adds Banks to Target List

Created: 01 Nov 2013 11:57:33 GMT • Updated: 23 Jan 2014 18:03:24 GMT
Kevin Savage

Malicious game downloads are not a new phenomenon, but malware authors are now exhibiting a greater degree of ambition in targeting online gamers. A gaming Trojan horse is now targeting user bank accounts in addition to user gaming credentials.

Threats such as Infostealer.Gampass have plagued online gamers for years, stealing user credentials and data. Trojan.Grolker is a relative newcomer to the world of online gaming Trojans, but it has opened a new avenue of attack.

Symantec has been observing Trojan.Grolker in the wild since the middle of 2012. The majority of infections have been observed in South Korea, with smaller concentrations in Hungary. Attackers have targeted South Korea due to the popularity of online gaming in that country.

Figure 1. Countries targeted with Trojan.Grolker

Until this month, Trojan.Grolker appeared to be a standard gaming Trojan, stealing the same type of gaming-related information as its predecessors. Code analysis of an old Grolker sample shows that URLs loaded in the browser were compared against a list of gaming URLs of interest to the attackers. If a URL matched, the malware injected malicious JavaScript into the Web page.

Figure 2. Old Trojan.Grolker URL check

The new Grolker sample uses the same URL-checking code as before, but now also compares the URL loaded in the browser against a list of Korean bank URLs.

Figure 3. Trojan.Grolker now looks for banking URLs

As before, the Grolker Trojan continues to inject malicious JavaScript into pages whose URLs are of interest to the attackers. Korean customers are largely the victims, as all of the banking sites we have seen targeted are in South Korea.

Figure 4. Grolker injects malicious JavaScript into online banking websites

The malicious JavaScript injected into clean Web pages is hardcoded into the Trojan’s binary file. Grolker does not use a separate configuration file, such as those used by other banking Trojans (Trojan.Zbot, for instance).

The Grolker Trojan uses a Browser Helper Object (BHO) to load its component into Internet Explorer processes. This differs from other banking Trojans, which typically inject their components directly into browser processes and hook network functions to intercept Web traffic. As such, Trojan.Grolker still resembles an online gaming Trojan of old more than an online banking Trojan.
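Because Grolker loads through a BHO rather than by injecting into the browser, a registry inventory of registered BHOs is a practical check for this loading technique. The following PowerShell script is an added example for defenders, not code from Symantec or from the original post; the registry paths are the standard BHO and CLSID registration locations, and the signature check is only a triage heuristic, not a verdict.

```powershell
# Added example (not Symantec's code): inventory the Browser Helper Objects
# registered on this Windows host, resolve each CLSID to the DLL it loads,
# and flag entries whose DLL is missing or not validly Authenticode-signed.
# A Grolker-style BHO would appear here as an unexpected, typically unsigned, DLL.
# Run in an elevated PowerShell session; review the flagged rows manually.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-BhoInventory {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid = $entry.PSChildName        # subkey name is the BHO's {CLSID}
            $dll = $null
            # Resolve the CLSID to its in-process server DLL (32- and 64-bit views)
            foreach ($root in $clsidRoots) {
                $srv = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $raw = (Get-ItemProperty -Path $srv).'(default)'
                    if ($raw) {
                        $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
                        break
                    }
                }
            }
            $status = 'NoDll'
            if ($dll -and (Test-Path $dll)) {
                # SignatureStatus: Valid, NotSigned, HashMismatch, UnknownError, ...
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $dll
                SigStatus  = $status
                Suspicious = ($status -ne 'Valid')
            }
        }
    }
}

Get-BhoInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Legitimate but unsigned BHOs will also be flagged, so compare suspicious rows against a known-good baseline of the environment before acting on them.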

We advise customers to use the latest Norton consumer and Symantec enterprise solutions to protect against attack. Symantec will detect this threat as Trojan.Grolker.