Avast researchers uncovered a password stealer disguised as a private Fortnite server, distributed primarily via Discord with TikTok tutorials guiding victims to download it. The campaign targets Russian gamers, stealing credentials and other information saved in the browser, crypto wallets, clipboard contents, and screenshots, and exfiltrating the data to a C2 server at 95.142.46[.]35:6666. #FortnitePrivateServer #StormCommunity
Key points
- The malware is a password stealer masquerading as a private Fortnite server, spread mainly on Discord with TikTok tutorials teaching victims to join and download.
- The campaign is Russian-language and targets Russian gamers; Avast reports having protected more than 2,000 users from it since the start of the year.
- It steals browser credentials and other data (saved passwords, cookies, autofill, credit cards) and crypto wallet data, plus clipboard contents and screenshots.
- Stolen data is exfiltrated to the author’s C2 server as an unencrypted ZIP file; a Base64-encoded log is also sent.
- Targets include credentials from Steam, Discord, NordVPN, OpenVPN, FileZilla, TotalCommander, Telegram, and other apps, plus multiple cryptocurrency wallets.
- The campaign uses social platforms (Discord and TikTok) for delivery and includes a server called “Storm Community” with about 300 users.
MITRE Techniques
- [T1566.003] Phishing – Delivered via social platforms to entice users to download the malicious file. “The malware is being heavily propagated on communications platform Discord. The researchers also found TikTok “tutorial” videos describing how potential victims can join the Discord server, disable their antivirus, and download the malicious file.”
- [T1555.003] Credentials from Web Browsers – Steals credentials and other information saved in the browser, including cryptocurrencies from wallets. “The password stealer mainly focuses on credential theft, stealing cryptocurrencies, extracting information saved in the browser (such as passwords, cookies, and credit cards), as well as stealing clipboard contents and taking screenshots.”
- [T1113] Screen Capture – Takes screenshots as part of data collection. “take screenshots.”
- [T1115] Clipboard – Steals clipboard contents. “as well as stealing clipboard contents and taking screenshots.”
- [T1082] System Information Discovery – Collects OS version, build, install date, and product ID. “OS information: OS version, OS build, System install date, System product ID.”
- [T1083] File and Directory Discovery – Checks for cryptocurrency wallets by common file locations and searches for installed browser extensions. “It checks for cryptocurrency wallets, either by their common file location, or by searching for installed browser extensions.”
- [T1041] Exfiltration Over Unencrypted/Non-Credentialed Channel – Data sent as unencrypted ZIP to C2 server. “All the stolen information is sent to the author’s C&C server … in the form of an unencrypted .ZIP file”
- [T1027] Obfuscated/Compressed Files and Information – Logs encoded in Base64. “a log file, encoded using Base64, informing the author about what was stolen.”
Indicators of Compromise
- [Hash] d6ada0c094ce3db0caf632bfb650de254304ccb64dc9f7973056e72076b6d724, b628e5040eb1fb724a84f54cb68abf4aeebbf0ee0e3b8af0a446957a341dc4a9
- [File name] ShtromV6.rar, ShtormV8.rar
- [Mutex] 100001111100000101101010001010010110111100000111100101011111
- [C&C server] 95.142.46[.]35:6666
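The exfiltration behaviour described under T1041 (an unencrypted ZIP to the C&C server, plus a Base64-encoded log) can be checked for in outbound flow data. The following is an added example, not code from Avast or from the summary above; it matches the published C&C address and, beyond that single indicator, flags any ZIP archive uploaded to an unusual port and any Base64 blob that decodes to readable text. The Flow records and the expected-port set are constructed assumptions for the example.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the Avast write-up summarised above.
C2_ADDR = ("95.142.46.35", 6666)
ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature of a ZIP archive
# Assumed set of ports where large uploads are normal; a ZIP elsewhere is suspicious.
EXPECTED_UPLOAD_PORTS = {80, 443, 8443}

@dataclass
class Flow:
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client on the connection

def decode_b64_text(blob: bytes) -> Optional[str]:
    """Return the decoded text if blob is Base64 of readable text, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None

def classify(flow: Flow) -> List[str]:
    """Return the detection labels that apply to one outbound flow."""
    findings = []
    if (flow.dst, flow.dport) == C2_ADDR:
        findings.append("known-c2")  # direct IoC match
    if flow.payload.startswith(ZIP_MAGIC):
        if flow.dport not in EXPECTED_UPLOAD_PORTS:
            findings.append("zip-upload-nonstandard-port")  # unencrypted ZIP exfil
    elif decode_b64_text(flow.payload.strip()) is not None:
        findings.append("base64-text-blob")  # encoded log of what was stolen
    return findings

# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("95.142.46.35", 6666, ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00"),
    Flow("203.0.113.10", 443, b"\x16\x03\x01\x02\x00"),  # TLS ClientHello
    Flow("95.142.46.35", 6666, base64.b64encode(b"Stolen: Steam, Discord\n")),
    Flow("198.51.100.7", 8080, ZIP_MAGIC + b"\x0a\x00"),
]
```

Running `classify` over `SAMPLE_FLOWS` labels the first flow as both a C&C match and a ZIP upload, the TLS flow as clean, the third as a C&C match carrying a Base64 log, and the last as a ZIP upload to an unexpected port.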
Read more: https://blog.avast.com/password-stealer-disguised-as-fortnite-server-spreading-on-discord