    TrendLabs Security Intelligence Blog

    Archive for August 15th, 2013
    ONLINEG, a spyware known to steal online gaming credentials, appears to be adding backdoors to its resume. We found a variant (specifically TSPY_ONLINEG.OMU) that aside from the usual data theft routine, also downloads a backdoor onto the infected system, making it vulnerable to more damage.

    TSPY_ONLINEG.OMU was recently found on certain South Korean websites, which were compromised to host the said malicious file. Based on our analysis, the spyware is possibly an updated version of an old variant detected as TSPY_ONLINEG.ASQ, which first existed about a year ago.

    Like any online gaming spyware, TSPY_ONLINEG.OMU steals user accounts and credentials of specific online games. But in addition to this, if the user visits the login pages for the administrator consoles of websites that are part of certain industries, it downloads a keylogger/backdoor (BKDR_TENPEQ.SM). This allows the attacker to steal the credentials used for these portals.

    The companies targeted by this attack are all based in South Korea and belong to the following industries:

    • News
    • TV
    • Radio
    • Finance
    • Shopping
    • Gaming
    • Advertising

    Online gaming’s popularity in South Korea is well-known, so it is not surprising that the people behind this attack used TSPY_ONLINEG.OMU. However, the use of ONLINEG may also have been an attempt to disguise the actual intent of the malware. Because this particular malware family is “known” to be focused on online gaming theft, people who do not look into the actual code may underestimate its potential threat.

    This incident is also another example of the online bad guys’ continuous efforts to revamp and improve old but reliable threats. Thus it is important for users to stay updated with the latest developments in online security.

    As of this writing, the affected South Korean sites are now clean and no longer host the said malware.

    With additional insights from Threat Researcher Eruel Ramos

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice