ONLINEG, a spyware known to steal online gaming credentials, appears to be adding backdoors to its resume. We found a variant (specifically TSPY_ONLINEG.OMU) that aside from the usual data theft routine, also downloads a backdoor onto the infected system, making it vulnerable to more damage.
TSPY_ONLINEG.OMU was recently found on certain South Korean websites, which were compromised to host the said malicious file. Based on our analysis, the spyware is possibly an updated version of an older variant detected as TSPY_ONLINEG.ASQ, which first appeared about a year ago.
Like any online gaming spyware, TSPY_ONLINEG.OMU steals user accounts and credentials of specific online games. But in addition to this, if the user visits the login pages for the administrator consoles of websites that are part of certain industries, it downloads a keylogger/backdoor (BKDR_TENPEQ.SM). This allows the attacker to steal the credentials used for these portals.
The companies targeted by this attack are all based in South Korea and belong to the following industries:
Online gaming’s popularity in South Korea is well-known, so it is not surprising that the people behind this attack used TSPY_ONLINEG.OMU. However, the use of ONLINEG may also have been an attempt to disguise the actual intent of the malware. Because this particular malware family is “known” to be focused on online gaming theft, people may underestimate its potential threat without looking into the actual code.
This incident is also another example of the online bad guys’ continuous efforts to revamp and improve old but reliable threats. Thus it is important for users to stay updated with the latest developments in online security.
As of this writing, the affected South Korean sites are now clean and no longer host the said malware.
With additional insights from threat researcher Eruel Ramos