Joao Malware Analysis

Overview

Security researchers from the security firm ESET spotted a piece of malware dubbed Joao targeting gamers. This malware is found inside an Aeria game installation pack provided by a third party. Upon the start of a game, this malware runs in the background, sending the victim’s machine information to the attacker, including the operating system, user name, and privilege information of this user. Additionally, this malware will install other forms of malware on the machine of the affected user.

Related information can be found at the following link:

http://www.hackread.com/dangerous-new-malware-joao-hits-gamers-worldwide/

Aeria Games

Aeria Games, formerly known as Aeria Games and Entertainment, is an online game publisher headquartered in Berlin, Germany with other locations in .

Aeria Games, a subsidiary of ProSiebenSat.1 Media, operates an Internet gaming portal for massive multiplayer online games. It focuses on online games in multiple formats to include client, browser, and mobile games. It publishes for North America, South America, and Europe.

Propagation and Infection

The malware Joao propagates via hacked Aeria games offered on unofficial websites for users to download.

Sample Analysis

   Environment

Major Functions

1. Information theft: The sample steals the computer name, operating system version, user privilege information, as well as information (such as login data) saved in Google Chrome.
2. Network behavior: The sample connects to 104.18.48.240 to send an HTTP GET request in which the “value” field is encrypted user information.

http://www.apexserver.ws/index.php?route=anticheat&op=validatekey&cid=7&ver=4&value=c9LKpz30qO2-L4mZUktTzhQiySiSOfhzxdwusZP4GCXiQGWr96-7R22jHFA_lny5FtUMlbSI6tiiGCtl5_UuVe0SG-ft8VmlXMa

At first, this sample collects information about the local device, including the device name, user name, operating system version, and the user’s privilege level.

Then the sample encrypts and encodes the information shown in the preceding figure, extracts the URL from its own data via decryption, and adds the encoded local information to the “value” field in the URL. After that, the sample connects to the remote server and sends it an HTTP GET request.

If URL is unavailable and a request to it is replied with error 522 the sample has no further malicious behaviors as it fails to download data from the server. After receiving data from the server the sample acts as instructed. Specifically, it may create processes for code injection or steal information (such as user login data) saved in Google Chrome and send it to the remote server.

Analysis of Associated Samples

We searched for associated samples and found a component of Joao. According to our simple analysis, this component is also a downloader that is mainly used to download a PE file and inject it in the downloader for execution.

This component keeps trying to connect ports 53, 18000, 80, 443, 8000, 25, 21, 3389, and 445 of IP addresses 95.170.86.186, 146.185.136.11, and 185.35.77.17 in a circular manner until a connection is established.

After the connection is established, both ends first decide on the size of the file to upload. After that, the Joao component receives data and checks whether it is a PE file. If yes, this component injects it into its own process application space and then invokes CreateRemoteThread for execution.

   Network Characteristics

1. The sample sends an HTTP GET request to 104.18.48.240, in which the value of the “host” field is www.apexcontrol.ws.
2. An associated sample tries to download malicious code from the following malicious IP addresses: 95.170.86.186, 146.185.136.11, and 185.35.77.17.

   Attack Source

Detection Method

   Users’ Self-Protection

1. Download games from official websites, rather than third-party websites where trojans may be concealed.
2. Monitor HTTP GET requests whose “host” field contains the www.apexcontrol.ws domain name.
3. Install antivirus software to prevent malware infection and resulting damage.

   NSFOCUS Recommended Solutions for Removing Trojans

1. Short-term service: NSFOCUS engineers provide the onsite trojan backdoor removal service (manual services + NIPS + TAC) to ensure that risk points are immediately eliminated from the network and the event impact is minimized. After the handling, an event analysis report is provided.
2. Mid-term service: NSFOCUS provides 3- to 6-month risk monitoring and preventive maintenance inspection (PMI) services (NIPS + TAC + manual services) to detect this malicious sample in an ongoing manner, thereby securing customers’ systems.
3. Long-term service: NSFOCUS provides industry-specific risk mitigation solutions (threat intelligence + attack traceback + professional security service).

Conclusion

The malware Joao propagates via hacked Aeria games offered on unofficial websites for users to download. To prevent the infection of this malware, users must check whether the game installation pack contains an extra DLL file, especially mskdbe.dll. If yes, remove it immediately.

Appendix

The following indicators of compromise (IoCs) are concerned with Joao: