A new malware, dubbed BloodyStealer was discovered by researchers which is used by threat actors to steal accounts for multiple gaming platforms, including Steam, Epic Games Store, GOG Galaxy, EA Origin, and more.
The new malware which was spotted by researchers from Kaspersky is available for sale on dark web forums. The malware allows operators to harvest a broad range of information, including cookies, passwords, bank cards, and sessions from various applications.
Stolen data are later sold by the operators in underground marketplaces and gaming accounts are in demand in the cybercrime ecosystem.
Gaming login credentials to popular platforms such as Steam, Origin, Ubisoft or EpicGames can be bought for 14.2 USD per thousand accounts when sold in bulk, and for 1-30% of an account’s value when sold individually.
BloodyStealer is offered through a malware-as-service model at a rate of less than 10 USD for a 1-month subscription or 40 USD for a lifetime subscription.
Kaspersky researchers explained that the malware implements several anti-analysis methods, including the use of packers and anti-debugging techniques.
Below is the list of capabilities advertised by the developer of the malware:
The ad highlights the following features of BloodyStealer
- Grabber for cookies, passwords, forms, bank cards from browsers
- Stealer for all information about the PC and screenshots
- Steals sessions from the following clients: Bethesda, Epic Games, GOG, Origin, Steam, Telegram, VimeWorld
- Steals files from the desktop (.txt) and the uTorrent client
- Collects logs from the memory
- Duplicate logging protection
- Reverse engineering protection
- Not functional in the CIS
According to Kaspersky, various threat actors rented the malware and used it as a part of other malware attack chain. The attackers using the malware in attacks aimed at delivering KeyBase or Agent Tesla. In some cases, they combined the stealer component with other malware families and protected it with other packers, such as Themida.
After exfiltrating the data, BloodyStealer will send them to a C&C server, then cybercriminals can access the stolen info by using Telegram or via a web panel.
BloodyStealer is used in attacks targeting victims from Europe, Latin America, and the Asia-Pacific region.
Kaspersky concludes that with malware’s efficient anti-detection techniques and attractive pricing, it is sure to be seen in combination with other malware families soon. They added that due to its features such as extraction of browser passwords, cookies, and environment information as well as grabbing information related to online gaming platforms, BloodyStealer provides value in terms of data that can be stolen from gamers and later sold on the darknet.