Malicious game downloads are not a new phenomenon, but malware authors are now exhibiting a greater degree of ambition in targeting online gamers. A gaming Trojan horse is now targeting user bank accounts in addition to user gaming credentials.
Threats such as Infostealer.Gampass have plagued online gamers for years, stealing user credentials and data. Even though Trojan.Grolker is a relative newcomer to the world of online gaming Trojans, it has found a new avenue of attack.
Symantec has been observing Trojan.Grolker in the wild since the middle of 2012. The majority of infections have been observed in South Korea, with smaller concentrations in Hungary. Attackers have targeted South Korea due to the popularity of online gaming in that country.
Figure 1. Countries targeted with Trojan.Grolker
Figure 2. Old Trojan.Grolker URL check
The new sample of Grolker uses the same URL-checking code as before, but now also compares the URL loaded in the browser against a list of Korean bank URLs.
Figure 3. Trojan.Grolker now looks for banking URLs
The Grolker Trojan uses a Browser Helper Object (BHO) to load its component into Internet Explorer processes. This differs from other banking Trojans, which typically inject their components directly into browser processes and hook network functions to intercept Web traffic. As such, Trojan.Grolker still resembles an online gaming Trojan of old more than an online banking Trojan.
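Because the Trojan relies on BHO registration rather than process injection, the loaded component is visible in the registry. The following triage script is an added example, not Symantec's tooling or code from the original post: it enumerates registered BHOs on a Windows host, resolves each CLSID to the DLL that Internet Explorer will load, and flags entries that are unsigned or live outside the usual program directories. The directory heuristic and the "Suspicious" label are assumptions of this example.

```powershell
# Enumerate Browser Helper Objects on this host and report the DLL each one
# loads into Internet Explorer, with its Authenticode signature status.
# Defensive triage example (hypothetical); review flagged rows manually.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Resolve-BhoDll {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $srv = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path $srv) {
            # The default value of InProcServer32 is the DLL IE will load in-process.
            $path = (Get-ItemProperty -Path $srv).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }
        }
    }
    return $null
}

$results = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in Get-ChildItem -Path $key) {
        $clsid = $entry.PSChildName
        $dll   = Resolve-BhoDll -Clsid $clsid
        $sig   = if ($dll -and (Test-Path $dll)) {
                     (Get-AuthenticodeSignature -FilePath $dll).Status
                 } else { 'DllMissing' }
        # Heuristic (assumption): an unsigned BHO, or one whose DLL sits outside
        # Program Files / Windows, deserves a closer look.
        $outsideTrustedDirs = $dll -and ($dll -notmatch '^[A-Za-z]:\\(Program Files|Windows)')
        [pscustomobject]@{
            CLSID      = $clsid
            Dll        = $dll
            Signature  = $sig
            Suspicious = ($sig -ne 'Valid') -or $outsideTrustedDirs
            Hive       = $key
        }
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run from an elevated PowerShell prompt so both the 32-bit and 64-bit registry views are readable; a legitimate but unsigned BHO will also be flagged, so treat the output as a starting point for review rather than a verdict.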