A malicious info-stealer campaign has been discovered that targets gamers. According to a new report from Malwarebytes, the scheme begins with a seemingly innocent direct message (DM) on a Discord server. The message often comes from a purported game developer asking if the recipient is interested in beta testing a new video game. Victims may also receive such requests via text message or email.
To lure victims, the attacker provides a download link and a password for an archive that supposedly contains the game installer. The archives are hosted on various platforms, including Dropbox, Catbox, and even Discord's content delivery network (CDN), the researchers noted.
Instead of a game, however, the victim unwittingly installs information-stealing malware. Variants of the malware include Nova Stealer, Ageo Stealer, and Hexon Stealer, each with slightly different capabilities. Nova Stealer and Ageo Stealer, both Malware-as-a-Service (MaaS) trojans, are capable of stealing browser-stored credentials, session cookies for platforms like Discord and Steam, and cryptocurrency wallet information.
Hexon Stealer is a newer malware, based on Stealit Stealer code, which is capable of exfiltrating Discord tokens, two-factor authentication (2FA) backup codes, browser cookies, autofill data, saved passwords, credit card details, and cryptocurrency wallet information.
One feature of Nova Stealer is its use of Discord webhooks, which notify attackers in real time whenever new information is stolen, eliminating the need for manual checks.
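Because the webhook channel described above is plain HTTPS traffic to a well-known endpoint, it is a practical detection point for defenders. The following Python is an added example (not code from the Malwarebytes report) that flags outbound POSTs to Discord webhook URLs in proxy or EDR logs; the log format, timestamps and process names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (timestamp, process, HTTP method, URL).
# These are illustrative only and do not come from the report.
SAMPLE_LOG = """\
2025-01-10T12:00:01Z chrome.exe GET https://discord.com/api/v9/users/@me
2025-01-10T12:00:05Z BetaSetup.exe POST https://discord.com/api/webhooks/1234567890/AbCdEf_token
2025-01-10T12:00:09Z Discord.exe GET https://cdn.discordapp.com/attachments/1/2/image.png
2025-01-10T12:00:12Z updater.exe POST https://discordapp.com/api/webhooks/987654321/zYxW
"""

# Discord webhook endpoints: /api/webhooks/<id>/<token> on discord.com or the
# legacy discordapp.com domain (optionally with the ptb./canary. prefixes).
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)",
    re.IGNORECASE,
)


@dataclass
class Alert:
    timestamp: str
    process: str
    webhook_id: str
    url: str  # token is redacted so the alert itself does not leak it


def redact_webhook(url: str) -> str:
    """Replace the webhook token with a placeholder for safe logging."""
    return WEBHOOK_RE.sub(lambda m: m.group(0)[: m.start(2) - m.start(0)] + "<redacted>", url)


def find_webhook_exfil(log_text: str) -> list[Alert]:
    """Return one Alert per outbound POST to a Discord webhook.

    Legitimate clients read Discord APIs and CDN content; a process POSTing to a
    webhook is how a stealer reports harvested data, so that is what we flag.
    """
    alerts = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash the scan
        ts, proc, method, url = fields
        m = WEBHOOK_RE.match(url)
        if method.upper() == "POST" and m:
            alerts.append(Alert(ts, proc, m.group(1), redact_webhook(url)))
    return alerts
```

In a real deployment the same match would be applied to proxy, DNS or EDR telemetry, and the process name in each alert is the first thing to pivot on.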
A key objective of these campaigns is to steal Discord credentials. By compromising accounts, attackers can impersonate victims, targeting their friends and contacts with similar scams. This tactic spreads the malware further, leveraging trust to manipulate new victims.
The ultimate goal of the campaign is financial gain, with stolen credentials and data often sold on underground forums. The websites hosting the malicious archives are frequently protected by services like Cloudflare, complicating efforts to shut them down. Even when researchers succeed in taking down one site, attackers can quickly establish new ones.
Some campaigns also use platforms like Blogspot to host malware, employing standardized designs to appear legitimate.