TrendLabs Malware Blog - Trend Micro

Recently, my colleagues have been reporting on tools that cybercriminals use in their operations: Twitter spam and botnet kits, fake point-of-sale (POS) devices, and distributed denial-of-service (DDoS) tools. This time, I will share some information about yet another tool, one that specifically targets Chinese online gamers.

China is well known for its huge population of online gamers. In fact, a recently published study stated that there were 68 million gamers in the country in 2009, a figure expected to increase to 141 million by 2014.

Unfortunately, along with these continuing developments in the gaming industry come opportunities for cybercriminals to make money by selling virtual assets extracted from stolen online gaming accounts.

Just like the tools mentioned above, Trojan generators are used by cybercriminals to steal online game accounts. “响尾马” (Xian Wei Ma or XWM, which means “rattle Trojan” in Chinese) is a popular Chinese Trojan kit. The main highlight of the XWM Kit is that it contains not only Trojan generators but also a backend server used to receive and sort the stolen information, which makes operating it very convenient for cybercriminals.

The XWM Kit includes 21 Trojan generators that target popular online games in China, most of which are local games (see Figure 1).


These generators require some configuration before generating a new Trojan. Users need to input the backend server’s URL in order to receive the stolen information sent by the Trojan.


Once executed on a victim’s system, the generated Trojan drops the following files:

• %system32%\{4 random characters}.dll
• %system32%\{4 random characters}.cfg
• %system32%\drivers\msacpe.sys

The .DLL file is loaded into the system’s memory and is used to steal account information and to send that information back to the backend server, using the following string as the URL argument:


The above-mentioned argument has eight variables, which are used to send the stolen information back to the backend server. The variables in the argument are defined as:

• ‘a’ — area of online game server
• ‘s’ — server name
• ‘u’ — user name
• ‘p’ — password
• ‘r’ — role
• ‘l’ — level
• ‘m’ — virtual money
• ‘pin’ — PIN code

The stolen information is then sent to the backend server URL, which is contained in the .CFG file. The cybercriminals then access the backend server, which stores all the stolen information, through a specially developed home page.
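The eight parameter names above give a defender a simple detection hook on outbound HTTP. The following is an added example, not code from the original post or from Trend Micro: it scans constructed proxy log lines, flags any request whose query string carries the full XWM parameter set, and redacts the credential fields before the hit is recorded. It assumes the argument is an ordinary URL query string (the post does not show its exact form) and a constructed log format of `<timestamp> <client_ip> <method> <url>`.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Parameter names the post lists for the XWM backend argument.
XWM_PARAMS = {"a", "s", "u", "p", "r", "l", "m", "pin"}
# Credential fields: never write these to an alert in clear text.
SENSITIVE = {"p", "pin"}


def xwm_match(url: str) -> Optional[dict]:
    """Return the redacted XWM parameters if the query carries the full set.

    Assumption (not shown on the page): the argument is a plain query string,
    e.g. ...?a=..&s=..&u=..&p=..&r=..&l=..&m=..&pin=..
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if not XWM_PARAMS <= set(query):
        return None  # partial overlaps (e.g. only u/p) are far too common to alert on
    return {k: ("<redacted>" if k in SENSITIVE else v[0])
            for k, v in query.items() if k in XWM_PARAMS}


def scan_proxy_log(lines):
    """Return (client_ip, destination_host, redacted_params) for each hit.

    Log format is a constructed '<ts> <client_ip> <method> <url>' layout.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line
        client, url = parts[1], parts[3]
        params = xwm_match(url)
        if params:
            hits.append((client, urlsplit(url).hostname, params))
    return hits


# Constructed sample lines; hosts and values are placeholders, not real IoCs.
SAMPLE_LOG = [
    "2013-09-01T10:00:01Z 10.0.0.5 GET http://update.example.net/check?v=1",
    "2013-09-01T10:00:07Z 10.0.0.5 GET http://collector.example.org/get.asp"
    "?a=east&s=srv3&u=player1&p=hunter2&r=mage&l=60&m=12000&pin=1234",
    "2013-09-01T10:00:09Z 10.0.0.9 GET http://shop.example.com/cart?u=bob&p=secret",
]

if __name__ == "__main__":
    for client, host, params in scan_proxy_log(SAMPLE_LOG):
        print(f"XWM-style exfiltration from {client} to {host}: {params}")
```

A hit on the full parameter set is a strong signal to isolate the host and reset the game account credentials; the `.CFG` file dropped under `%system32%` will contain the same backend URL.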


The cybercriminals selling this tool even provided a demo page where a list of supposedly stolen information is displayed, showing just how effective the tool is.


The danger in all this lies not only in the attacks the toolkit can instigate but also in its availability. The more people who use the toolkit, the more people who can be victimized, and the more cybercriminals will be motivated to run their own operations. This proves yet again that technology can make many things convenient for us while unfortunately doing the same for cybercriminals.



© Copyright 2013 Trend Micro Inc. All rights reserved.