SmartWorks Network

  • Home
  • RSS Blog
  • YouTube channels
  • Podcasts
  • Jobs
  • Tools
  • About us
  • Contact

Legion Stealer targeting PUBG players

by Valentin / Saturday, 13 January 2024 / Published in RSS blog posts

Cyber Security BlogsStealer impersonating Solution File (.sln) via a fake GitHub repo


GitHub is a web platform that facilitates version control and collaboration for software development projects. This enables users to store and manage their source code repositories, track code modifications, and collaborate with others on the same project. While GitHub serves as a hosting platform for legitimate code, it can also be misused by Threat Actors (TAs) to distribute malware, backdoors, or exploits through repositories. This duality makes GitHub susceptible to both legitimate and malicious code sharing.

GitHub makes it easy for users to clone repositories, which means they can create a local copy of a repository on their own machines. TAs may create repositories that appear to contain useful or legitimate code but actually include hidden malware.

Users inadvertently download and execute malicious code when they clone such repositories. TAs can leverage the collaborative nature of GitHub to trick users into executing malicious code. They may create repositories with enticing names or descriptions, posing as legitimate projects or offering valuable tools. Unsuspecting users who unknowingly clone or download these repositories may become victims of malware infections.

Cyble Research and Intelligence Labs (CRIL) recently discovered a GitHub page that masquerades as a PUBG bypass hack project but distributes a malicious file. When users download the project and execute the solution (.sln) file, it unknowingly deploys an information stealer called “Legion Stealer” onto their systems as a payload.

A PUBG bypass hack refers to a type of cheat or exploit used by players to gain an unfair advantage over other players. Bypass hacks are designed to bypass or circumvent the game’s security measures and anti-cheat systems to enable various cheats and hacks, such as aimbots, wallhacks, speed hacks, and other unfair gameplay advantages.

Hacks such as these can allow players to see through walls, automatically aim at opponents, move faster than normal, and perform other actions that are not possible within the regular gameplay mechanics of the game. Using bypass hacks is against the game’s terms of service and can result in penalties, including temporary or permanent bans.

The image below reveals a GitHub page that falsely presents itself as a source for a PUBG bypass NO BAN script but distributes a malware file instead.

Figure 1 – PUBG bypass hack file hosted on GitHubTechnical Details

When the user selects the “Download ZIP” option on the “PUBG-Karogour-Bypass-NO-BAN” GitHub page, the project file will be saved to the local system with the name “PUBG-Karogour-Bypass-NO-BAN-main.zip”, as shown below.

Figure 2 – Downloading GitHub project

After unzipping the archive file, it contains various types of files, including source code (.cs), project (.csproj), solution (.sln), icon (.ico), resources (.resources), and other supporting files like app.config, desktop.ini, and Readme.md. Additionally, there are project folders such as bin and obj, as illustrated in Figure 3.

In C# projects, the solution (.sln) file is created by Microsoft Visual Studio. The SLN file acts as a workspace or container that helps organize multiple interconnected projects. The SLN file format is a text-based file that follows a specific structure and contains information about the projects and configurations within a Visual Studio solution.

Inside the downloaded zip file, the “Karogour_BypasrcS.sln” file turns out to be a screen saver (executable) file rather than a text-based solution file (.sln) typically used in C# projects.

The file originally had the name “Karogour_Bypasnls.Scr”. However, in an attempt to deceive users, the TA reversed the last 7 characters of the file name, changing it from “nls.Scr” to “rcS.sln” to make it appear as a solution file, as shown below.

Figure 3 – Files inside the PUBG Bypass hack project

The “Karogour_BypasrcS.sln” is a 32-bit GUI-based executable file that was compiled using a .NET compiler and has a SHA256 hash of 8653df677fc1fb616c082e94f178474c91e62abfffadd2dec4e8d501466a2b8a, as shown below.

Figure 4 – Static file details

Upon execution of the “Karogour_BypasrcS.sln” file, it drops two files directly in the root of the %appdata% folder and runs it. These files are named “Local_ycsNYnaBZ.sln” and “LocalchfRgyVJSk.exe”.

The figure below displays the files that have been dropped in the root of the %appdata% directory.

Figure 5 – Dropped files inside %appdata% folder

When the “Local_ycsNYnaBZ.sln” is started, it launches the code in the Visual Studio editor. This action is designed to deceive the user into believing they are viewing the content of the “Karogour_BypasrcS.sln” file, creating a false impression, as shown below.

Figure 6 – Displaying the content of dropped SLN file

During the display of the SLN file, the “LocalchfRgyVJSk.exe” executable is also executed in the background without the user’s knowledge. This executable is identified as a Legion Stealer malware payload.

The following figure illustrates the process tree associated with the malware infection caused by the malicious counterfeit PUBG-Bypass-NO-BAN script.

Figure 7 – Process treeLegion Stealer

The Legion Stealer payload has a SHA256 hash of a4b7c26cdfff6f4b055d3f7fd394553917701649f0faabccd7861651d08c59fd.

It is a 32-bit executable compiled using .NET and obfuscated using an unknown obfuscator. The below figure shows the file details of the de-obfuscated Legion payload.

Figure 8 – Legion Stealer file details

Upon execution, Legion Stealer executes a series of commands, which include manipulating Windows Defender settings, extracting information from the registry, and gathering system details. These actions are aimed at evading detection, unauthorized access, and exploiting vulnerabilities present in the compromised system.

The table below lists the commands that were executed by Legion Stealer.

Commands

Description

“powershell.exe” Add-MpPreference -ExclusionPath ‘C:Users<user>AppDataLocalchfRgyVJSk.exe’

This command adds an exclusion path to Windows Defender’s preferences, excluding the specified file (chfRgyVJSk.exe) from being scanned for malware by Windows Defender.

“powershell.exe” Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

This command disables several security features of Windows Defender, such as intrusion prevention, real-time monitoring, script scanning, and Controlled Folder Access. It also configures network protection in audit mode, disables MAPS reporting, and sets the consent for submitting malware samples to “Never Send” initially, and then changes it to “2” in the subsequent PowerShell command.

“powershell.exe” Get-ItemPropertyValue -Path HKCU:SOFTWARERobloxRobloxStudioBrowserroblox.com -Name .ROBLOSECURITY

This command retrieves the value of the “.ROBLOSECURITY” property from the specified registry path of HKCU. This value is related to authentication or session information for the Roblox Studio Browser.

“powershell.exe” Get-ItemPropertyValue -Path HKLN:SOFTWARERobloxRobloxStudioBrowserroblox.com -Name .ROBLOSECURITY

This command attempts to retrieve the value of the “.ROBLOSECURITY” property from the specified registry path of HKLM. This value is related to authentication or session information for the Roblox Studio Browser, like the previous one.
(It seems there’s a typo in the command; it should be HKLM instead of HKLN.)

“wmic.exe” os get Caption

This command uses Windows Management Instrumentation Command-line (WMIC) to retrieve the caption or name of the operating system installed on the system.

“wmic.exe” computersystem get totalphysicalmemory

This command uses WMIC to retrieve the total amount of physical memory (RAM) installed on the computer system.

“wmic.exe” csproduct get uuid

This command uses WMIC to retrieve the computer system’s product’s UUID (Universally Unique Identifier).

“powershell.exe” Get-ItemPropertyValue -Path ‘HKLM:SystemCurrentControlSetControlSession ManagerEnvironment’ -Name PROCESSOR_IDENTIFIER

This command retrieves the value of the “PROCESSOR_IDENTIFIER” environment variable from the specified registry path. It provides information about the processor or CPU installed on the system.

“wmic” path win32_VideoController get name

This command uses WMIC to retrieve the names of the video controllers (graphics cards) installed on the system.

The depicted figure below provides an overview of the activities carried out by the Legion stealer upon execution, which includes anti-debugging and anti-VM techniques, the creation of mutexes, as well as the stealing of sensitive information from the victim’s system.

Figure 9 – Overall functions of Legion StealerMutex

When executed, the malware first checks if a specific mutex string, “mRd5kJFGuVrnySeulPsJ,” exists. If it finds the mutex string, it indicates that another instance of the application is already running on the user’s machine. In such cases, the malware terminates its execution to avoid duplicating instances, as shown in the below code.

Figure 10 – Creating MutexKilling Processes

Then, the stealer scans against a hardcoded list of application process names associated with virtualization software and malware analysis tools. If any of these processes are detected as active on the victim’s machine, the malware takes action to terminate them.

The applications are mentioned in the figure below.

Figure 11 – Terminating processes associated with virtualization software and malware analysis toolsDetecting Controlled Environments

The stealer also has a list of PC names, usernames, and hardware IDs that it utilizes as identifiers to detect whether it is running in a controlled environment. If there is a match between the PC name, username, or hardware ID in use and any entry in the list, the stealer will terminate its operation. The following figure contains the usernames, PC names, and hardware IDs.

Figure 12 – Hardcoded usernames, PC names & hardware IDs to detect controlled environmentsCollecting System Information

After performing the defense evasion techniques, the stealer initiates the process of gathering system information, including computer name, OS name, RAM size, UUID, CPU details, GPU details, and product key. Additionally, it acquires IP-related information such as IP address, region, country, time zone, cellular data connectivity, proxy/VPN usage, and reverse DNS.

Figure 13 – Collecting Victim’s IP detailsStealing Browser Passwords & Cookies

Subsequently, the stealer examines the system to identify the presence of specific web browsers, namely Brave, Chrome, Chromium, Comodo Dragon, Edge, Epic Privacy, Iridium, Opera, Opera GX, Slimjet, UR Browser, Vivaldi, and Yandex. It aims to extract sensitive information such as passwords and cookies from browsers using the GetPasswords() and GetCookies().

The following figure illustrates the code snippet used to check the existence of Brave browsers and extract passwords and cookies from them.

Figure 14 – Code snippet used to  extract passwords and cookiesGrabbing Crypto wallets

Afterward, the stealer retrieves data associated with cryptocurrency wallets such as Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, AtomicWallet, Guarda, and Coinomi. It achieves this by querying and reading files located within their respective directories.

The following figure showcases the stealer’s focus on targeting crypto wallets.

Figure 15 – Crypto wallets targeted by StealerStealing Minecraft Session Files

Furthermore, the stealer specifically targets Minecraft session files. It incorporates a routine to extract the configuration and credentials from application files associated with Minecraft, such as Lunar, TLauncher, Feather, Meteor, Impact, Novoline, CheatBreakers, Microsoft Store, Rise, Palladium, PolyMC, and Badlion, as shown below.

Figure 16 – Targeted Minecraft session files by Legion Stealer

Additionally, the malware collects sensitive session files from messaging applications such as Discord and Telegram. Furthermore, it collects Roblox cookies, captures webcam images, and takes screenshots of the victim’s system.

Exfiltration

Finally, the malware generates a list and includes an overview of the stolen data, as depicted in the below figure. Subsequently, it transmits this list to a Discord server.

Figure 17 – Overview of data stolen by Legion Stealer

The stealer compresses the folder containing the stolen data and exfiltrates it to the Discord server. The collected data is sent to the attacker through Discord webhooks, as illustrated in the below image.

Figure 18 – Discord webhook for exfiltrationConclusion

Video games, such as the widely popular PlayerUnknown’s Battle Grounds (PUBG), attract a significant number of users, creating a larger target audience for distributing malware. Gamers, who often place trust in gaming-related content, are more vulnerable to downloading files or running scripts without proper caution. Due to their desire for an unfair advantage in games, many gamers are tempted to use cheats or hacks. TAs exploit this demand by camouflaging their malware as game cheats or bypasses.

In this case, we have observed that TAs are utilizing a GitHub-hosted PUBG bypass hack script as a medium to distribute the Legion Stealer malware. It is a newly emerged Information stealer. While established and widely used InfoStealers exist in the cybercrime market, TAs opt for newer strains to stay updated. The rise of InfoStealers is concerning as they aid TAs in obtaining initial access, enabling them to compromise corporate networks, thus amplifying the threat landscape.

CRIL will continue monitoring the new malware strains and phishing campaigns in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.

Our Recommendations

Avoid downloading files from untrusted sources.

Clear browsing history and reset passwords at regular intervals.  

Turn on the automatic software update feature on your computer, mobile, and other connected devices. 

Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 

Refrain from opening untrusted links and email attachments without first verifying their authenticity.  

Educate employees on protecting themselves from threats like phishing/untrusted URLs. 

Block URLs that could be used to spread the malware, e.g., Torrent/Warez. 

Monitor the beacon on the network level to block data exfiltration by malware or TAs. 

Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques

Tactic 

Technique ID 

Technique Name 

Execution 

T1204
T1059
T1047

User Execution
Command and Scripting Interpreter
Windows Management Instrumentation

Defense Evasion

T1497
T1027
T1562

Virtualization/Sandbox Evasion
Obfuscated Files or Information
Disable or Modify Tools

Credential Access

T1003

OS Credential Dumping

Discovery   

T1057
T1012
T1082
T1083
T1518

Process Discovery
Query Registry
System Information Discovery
File and Directory Discovery
Security Software Discovery

Collection

T1005
T1113

Data from Local System
Screen Capture

C&C

T1071
T1573

Application Layer Protocol
Encrypted Channel

 Indicators Of Compromise

Indicators

Indicator Type

Description

f810afdfb042daa0a0acb7b1239a3a95
cdbcabfdf8f90df54b646a0365ae250f77d4d1e3 8653df677fc1fb616c082e94f178474c91e62abfffadd2dec4e8d501466a2b8a

MD5
SHA1
SHA256

Karogour_Bypasnls.Scr
(Main exe file)

c571b3895af61c2c90d4cdde6b91a64f
902cb9d246878b3fbbccaa93909d9112676fd62e
a4b7c26cdfff6f4b055d3f7fd394553917701649f0faabccd7861651d08c59fd

MD5
SHA1
SHA256

Legion Stealer
Payload

The post Legion Stealer targeting PUBG players appeared first on Cyble.

​Read More

  • Tweet

About Valentin

What you can read next

Iranian Phishing Campaign Targets Israel-Hamas War Experts
AI-Driven Cybersecurity: Transforming Defense Strategies for the Digital Age
Long-running Chinese cyberespionage operation targeted Southeast Asian government

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recent Posts

  • Sniffnet: Free, open-source network monitoring
  • 90% of threats are social engineering
  • 78% of SMBs fear cyberattacks could shut down their business
  • Chinese attackers leverage previously unseen malware for espionage
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

Recent Comments

No comments to show.

Recent Posts

  • Sniffnet: Free, open-source network monitoring

    Cyber Security Blogs Sniffnet is a free, open-s...
  • 90% of threats are social engineering

    Cyber Security Blogs In this Help Net Security ...
  • 78% of SMBs fear cyberattacks could shut down their business

    Cyber Security Blogs 94% of SMBs have experienc...
  • Chinese attackers leverage previously unseen malware for espionage

    Cyber Security Blogs Sophos released its report...
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

    Cyber Security Blogs Researchers have uncovered...

Archives

  • June 2024
  • May 2024
  • March 2024
  • January 2024

Categories

  • RSS blog posts

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

    Featured Posts

    • Sniffnet: Free, open-source network monitoring

      0 comments
    • 90% of threats are social engineering

      0 comments
    • 78% of SMBs fear cyberattacks could shut down their business

      0 comments
    • Chinese attackers leverage previously unseen malware for espionage

      0 comments
    • Long-running Chinese cyberespionage operation targeted Southeast Asian government

      0 comments

    SEARCH

    RECENT POSTS

    • Sniffnet: Free, open-source network monitoring

    • 90% of threats are social engineering

    • 78% of SMBs fear cyberattacks could shut down their business

    TAG CLOUD

    ©2024 All rights Reserved @Smart Works Network

    TOP