Acronis Threat Research Unit discovered a malware campaign using Leet Stealer, RMC Stealer, and Sniffer Stealer disguised as fake indie games distributed mainly via Discord. These stealers target browser data, credentials, and Discord tokens, enabling attackers to perform extortion, impersonation, and financial theft. #LeetStealer #RMCStealer #SnifferStealer #Discord
Key points
- Leet Stealer, RMC Stealer (a modified Leet Stealer), and Sniffer Stealer are distributed as fake indie game installers via Discord and fraudulent websites.
- The fake games Baruda Quest, Warstorm Fire, Dire Talon, and WarHeirs use stolen branding and promotional materials to trick victims.
- The malware targets browser cookies, saved passwords, form data, Discord tokens, Steam, and BetterDiscord credentials for data exfiltration.
- RMC Stealer includes sandbox detection techniques to evade analysis and displays fake error messages to deceive victims.
- Baruda Quest’s Electron-based malware contained unobfuscated source code, enabling detailed technical analysis of RMC Stealer’s operations.
- The malware uploads stolen data to file sharing platforms like gofile.io and has capabilities to download additional malicious payloads.
- The campaign shows a geographic concentration in Brazil and the United States but likely operates globally leveraging Discord’s popularity.
MITRE Techniques
- [T1497] Virtualization/Sandbox Evasion – The malware checks IP addresses, hostnames, GPUs, BIOS, RAM size, and running VMs against blacklists and refuses to run in sandboxed environments (‘sandbox detection using blacklists targeting IP addresses, hostnames, usernames, GPUs, operating systems and running processes’).
- [T1056] Input Capture – The stealers harvest browser cookies, saved passwords, and form data by launching the browser in debug mode and attaching to that process (‘running the browser in debug mode, allowing it to attach to the process and extract cookies’).
- [T1071] Application Layer Protocol – Stolen data archives are exfiltrated by uploading them to file sharing services such as gofile.io, file.io, catbox.moe, and tmpfiles.org, after which the C2 server is notified (‘uploaded to gofile.io followed by notification to the C2 server’).
- [T1114] Email Collection – Credentials and tokens for Discord, Steam, and BetterDiscord are harvested to enable account takeovers and further distribution of malware (‘targets Discord tokens that grant full access to user accounts’).
- [T1204] User Execution – Malware is disguised as fake indie game installers and promoted through social engineering tactics on Discord (‘malware disguised as indie game titles promoted through fraudulent websites and fake YouTube channels’).
- [T1105] Ingress Tool Transfer – The malware can download and execute additional malicious payloads after initial infection (‘malware has capability to download and run other malicious files’).
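A defender-side detection sketch for two of the behaviours above (a browser started in debug mode so cookies can be pulled from it, and uploads to the named file-sharing services), run over constructed process and network telemetry. This is an added example, not Acronis code; the Chromium remote-debugging switch names and the event field names are assumptions, since the report names neither.

```python
import re

# Chromium-family browser binaries whose cookies can be read over the DevTools
# protocol once the browser is launched with remote debugging enabled.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Real Chromium switches; the report names no flag, so matching these is an assumption.
DEBUG_FLAGS = re.compile(r"--remote-debugging-(?:port|pipe)\b")
# File-sharing services the report lists as exfiltration channels.
EXFIL_DOMAINS = {"gofile.io", "file.io", "catbox.moe", "tmpfiles.org"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process(evt):
    """Alert when a browser starts in remote-debug mode under a non-browser parent."""
    image, parent = basename(evt["image"]), basename(evt["parent_image"])
    if image in BROWSERS and parent not in BROWSERS and DEBUG_FLAGS.search(evt["cmdline"]):
        return f"process: {parent} launched {image} with remote debugging (pid {evt['pid']})"
    return None

def check_network(evt):
    """Alert on any connection to a listed file-sharing domain, subdomains included."""
    host = evt["dest_host"].lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS):
        return f"network: {basename(evt['image'])} (pid {evt['pid']}) connected to {host}"
    return None

def scan(events):
    """Run both checks over a list of events; returns the alerts in input order."""
    alerts = []
    for evt in events:
        hit = check_process(evt) if evt["type"] == "process" else check_network(evt)
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample telemetry (not from the report): a normal browser start, an
# installer spawning a debug-mode browser, an upload to gofile.io, and benign traffic.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe --profile-directory=Default"},
    {"type": "process", "pid": 5120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\victim\Downloads\BarudaQuest.exe",
     "cmdline": r"chrome.exe --remote-debugging-port=9222 --headless --user-data-dir=C:\Temp\dbg"},
    {"type": "network", "pid": 3344, "image": r"C:\Users\victim\Downloads\BarudaQuest.exe", "dest_host": "api.gofile.io"},
    {"type": "network", "pid": 4100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "store.steampowered.com"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Developers who start a browser with a remote-debugging switch from a shell will also match the process rule; tune the parent allow-list to your environment rather than dropping the check.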
Indicators of Compromise
- [File Hash] Example stealer samples – BarudaQuest.exe (RMC Stealer) SHA256: 813e5923e6d4df56055f5b5200db2e074e89f64dea3099e61fbde78c0fc23597, BillieBust.exe (Sniffer Stealer) SHA256: 567fb96e8b101abc45f2dfba470ea8a7298063f7428409d8b7e5c8f4326b6dc0, and over 40 more hashes.
- [Domains] Fake game websites – hxxps://www.barudaquest.com/, hxxps://warstormfire.com/, hxxps://diretalon.com/, and hxxps://warheirs.com/ used to promote and distribute malware.
- [Download URLs] Malicious download links on Discord CDN and Dropbox – e.g., hxxps://cdn.discordapp.com/attachments/1308872370601070710/1353442772497072158/BarudaQuest.exe, hxxps://www.dropbox.com/scl/fi/eg0bxaplyr87vbt7t46m8/DireTalon_1.2.8.rar with password protection ‘DT2025’.
Read more: https://www.acronis.com/en-us/tru/posts/threat-actors-go-gaming-electron-based-stealers-in-disguise/