"Private server" spread by The Canthan Sniper

Hello,

A few hours ago, a user named The Canthan Sniper shared a MediaFire link with what he stated was a private server for Guild Wars.

I have analyzed this file, and can confirm that it does nothing and is nothing more than a cheap way to try and get your login-credentials for your account:

What you can see here is that once you enter in your account details, it contacts the Gmail SMTP server. The only logical reason to do that, is to send an e-mail... just after you typed in your account details.

Never trust such a thing. If you need to enter your credentials, remove it immediately.

If you happened to have used it, please change your password immediately. Also, enable TFA if you are able to.

Since there is no doubt that it is malware, and the story that the user told was fake, this user has been permanently banned from Legacy.

For the record, this is how this thing looked like:

- Iaerah

I investigated somewhat further on the executable, it is (as I suspected), built with AutoPlay Media Studio... which is an application designed to create CD-menus.

This tool seems to have a plugin to send mails with, which is (seeing from the resources in the file) loaded in the file:

STRINGTABLELANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US{61840, "Unable to load mail system support."61841, "Mail system DLL is invalid."61842, "Send Mail failed to send message."}

That, combined with the SMTP entries in the logs, denote that this is indeed 100% malicious (and not even written that well, with a basic tool. I had hoped for something more).

So, this will be the final write-up I hope about the malware.

The malware itself presents itself as a 92 MB file, but in reality it's about 10 MB big. The reason why this file is so large, is because it contains a video (containing a trailer for GW) which is 82.7 MB big.

It also contains a few images, which you can see when the tool runs, and some that aren't used.

With my analyzing of the malware, I can verify that it doesn't contain anything else like a private server or does anything even close like it reports to.

This has been written with the single purpose of collecting login information about Guild Wars accounts.

I went ahead and unpacked the malware, which is in reality just a AutoPlay Media Studio application which is used to build interactive CD-menus (when that was still relevant).

This is the file unpacked:

The video file that I mentioned is here:

There are some image files included, including Pyre Fierceshot renamed as "Kyle":

At this point, we don't see anything special - however, with my unpacking, I was able to go through the code of the application. Being built in AMS, it's far from real programming. In fact, it uses a plugin to handle the mail sending, which I suppose is the reason why this tool was chosen in the first place.

When you run the application, it initially doesn't do anything until you get to the login-page. Going through the code, I can confirm that the only thing it does, is to send an e-mail (more on that later). If the e-mail is send succesfully, it will display that the server was installed succesfully:

It will then display a page with a button, which just gives an error when clicked upon.

So, in reality, all it does is send an e-mail using Gmail. That opens up more information and more perspective: you can't send mails using Gmail without authentication, so the person who wrote this, uses a Gmail account that is linked to this. I hope for this person that he uses a special Gmail account for this that can't be linked to his real account, since these credentials are up for grabs in the malware and with a hex-editor you can find them quite easily.

Since I do not have any respect for hackers, and since this information can be found in the malware itself, I am going to (partially) share this information:

• E-mailaddress "from" is set to guildwars@gmail.com. That doesn't mean that this account is owned by the hacker, just that the mails appear to be sent by guildwars@gmail.com.
• The e-mails are sent to official.likwid.gaming@gmail.com. This is the e-mailaddress that the hacker itself is going to use to receive the mails upon.
• The e-mails sent contain just this: the entered email and the entered password, seperated by a //.
• The subject is GW Data
• The password of the account used to send the e-mails is 229******** (Censored, but you know the password is correct).

Using Gmail has been beyond stupid on the behalf of the makers of this malware. Both Gmail abuse has been informed of this and I have filed a report with the police.

I can provide the malware sources to anyone who asks (politely) for them.

With this, I mainly want to send out the signal that we at Legacy do not tolerate hackers, malware and any attemps made to do so on Legacy will be met with the fiercest resistance that I can bolster.

I'll protect this community with all the powers that I have.

- Iaerah