AgeoStealer infostealer malware is targeting gamers

Gamers are the latest infostealer targets. According to Flashpoint, a strain known as AgeoStealer has recently appeared, standing out because of its unusual delivery method. To see what makes that delivery unusual, let’s first take a quick look at how infostealers typically work.

What is an infostealer?

Infostealers, as you might have guessed by the name, are a type of malware that compromises a system to steal information. They usually target sensitive, valuable data, such as:

  • Personal data
  • Browser data
  • Login credentials
  • Financial information 
  • Crypto wallets
  • Emails and chat logs
  • Images and documents

Infostealers can be delivered to the target system in various ways, including phishing email attachments and links, infected software downloads, and malicious websites that exploit browser vulnerabilities.

Stealers have been around for nearly two decades, the first appearing in 2006. They have remained popular among threat actors because they’re generally easy to use, readily available, cheap, and give access to valuable data. 

Posing as developers to exploit gamers

AgeoStealer delivery relies more heavily on social engineering than is usual for infostealers. Threat actors impersonate developers seeking beta testers for a fake video game, making contact via a BlogSpot site and gaming communication platforms. They take advantage of the fact that people are often less vigilant during leisure time and of the trust inherent in game-testing communities.

Victims download what they believe is the game file, which is in fact the infostealer malware: a compressed archive (RAR, ZIP, or 7Z) protected by two passwords. Because the archive contents are encrypted, signature-based antivirus cannot scan them, which helps the payload evade detection.

The archive contains an NSIS installer disguised as a legitimate Unity software package. This installer then launches an Electron application running concealed JavaScript payloads, which security tools may misclassify as a benign desktop app.

After that, the malware gets to work, targeting where the most valuable data resides: mainly browser data, plus files on the local machine. For browsers, it focuses on Chrome, Firefox, Microsoft Edge, and Opera, stealing saved credentials, session tokens, and browsing history, which can be used to access the victim’s online resources and hijack accounts. Beyond the browser, it searches common directories for valuable files.

It exfiltrates the data by compressing the files and uploading them to a file-sharing service via an HTTP POST request. It then sends the stolen data’s download URL to a remote server where the threat actor can retrieve it. The attacker never interacts with the stolen data directly during the process, which helps them avoid detection.
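The delivery and exfiltration chain described above can be correlated in endpoint telemetry. The following is an added detection sketch, not code from Flashpoint or from the malware: it runs over constructed EDR-style process and network events, and every file name, host, field name and the `tags` labels (assumed to be supplied by the sensor) are placeholders rather than indicators from the report.

```python
from collections import defaultdict

# Constructed sample telemetry. Names and hosts are placeholders, not IoCs.
# The "tags" field assumes the sensor labels binaries by packaging type.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "7zFM.exe", "tags": ["archiver"]},
    {"type": "process", "pid": 101, "ppid": 100, "image": "UnitySetup.exe", "tags": ["nsis"]},
    {"type": "process", "pid": 102, "ppid": 101, "image": "UnityBeta.exe", "tags": ["electron"]},
    {"type": "network", "pid": 102, "method": "POST", "host": "share.example.invalid", "bytes_out": 5_200_000},
    {"type": "network", "pid": 102, "method": "POST", "host": "collect.example.invalid", "bytes_out": 310},
    # A benign Electron app with a normal process tree, to show it is not flagged.
    {"type": "process", "pid": 200, "ppid": 1, "image": "code.exe", "tags": ["electron"]},
    {"type": "network", "pid": 200, "method": "POST", "host": "update.example.invalid", "bytes_out": 900},
]

LARGE_UPLOAD = 1_000_000  # bytes; assumed threshold, tune per environment


def chain_findings(events):
    """Return Electron processes matching the AgeoStealer pattern: spawned by an
    NSIS installer that was itself launched from an archiver, then a large HTTP
    POST (the archive upload) followed by a small POST to a different host
    (the download-URL report)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    posts = defaultdict(list)
    for e in events:
        if e["type"] == "network" and e["method"] == "POST":
            posts[e["pid"]].append(e)

    findings = []
    for pid, proc in procs.items():
        if "electron" not in proc.get("tags", []):
            continue
        parent = procs.get(proc["ppid"], {})
        grandparent = procs.get(parent.get("ppid"), {})
        if "nsis" not in parent.get("tags", []) or "archiver" not in grandparent.get("tags", []):
            continue
        seq = posts.get(pid, [])
        for big, small in zip(seq, seq[1:]):
            if big["bytes_out"] >= LARGE_UPLOAD > small["bytes_out"] and big["host"] != small["host"]:
                findings.append({"pid": pid, "upload_host": big["host"], "report_host": small["host"]})
                break
    return findings


if __name__ == "__main__":
    for f in chain_findings(EVENTS):
        print(f"suspicious stealer chain: pid={f['pid']} upload={f['upload_host']} report={f['report_host']}")
```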
