ESET researchers have discovered a new sneaky malware threat named Joao, targeting gamers worldwide. Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victim’s computer.
To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games (MMORPGs) originally published by Aeria Games. At the time of writing this article, the Joao downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.
Our research has shown that several other Aeria games have been misused in the same way in the past, however, their corresponding unofficial websites have either gone inactive or had the malicious downloads removed in the meantime.
ESET blocks the website serving Joao malware and has informed Aeria Games about the matter.
Figure 1: Infected version of Grand Fantasia as distributed via gf.ignitgames[.]to
How does it work?
The affected games have been modified to run Joao’s main component – a malicious library mskdbe.dll, detected by ESET’s systems as Win32/Joao.A. When users run the game launcher, Joao is launched along with it.
Upon launching, the Joao downloader first sends basic information about the infected computer – device name, OS version and information on user privileges – to the attacker’s server because the malware keeps its operations “silent” and since the game works as expected, there’s nothing suspicious about the whole infection process from the user’s point of view.
Compared to downloading and launching a legitimate Aeria game, the only visible difference is an extra .dll file in the game’s installation folder.
Figure 2: Joao downloader in the game’s installation folder
After the communication with the server has been established, server-side logic decides whether and which components will be sent to the victim’s computer. The Joao components we discovered during our research had backdoor, spying, and DDoS capabilities.
Has my computer been infected? How do I clean it?
Downloading lots of games from different sources and unsure if any of this applies to you? For a quick check of Joao’s presence on your computer, you can try running a search for “mskdbe.dll” – if the search returns a result, your computer has most likely been infected with the Joao malware. If no such file is found, it doesn’t automatically mean you haven’t crossed paths with the malware – the crooks can rename the file at any moment.
Therefore, it’s best to use a reliable security solution to detect the threat and remove it for you – you can also use ESET’s Free Online Scanner.
How to stay safe?
With the gamescom fair underway, let’s take a look at how you can enjoy gaming without being faced with threats.
- Favor official sources whenever possible. The MMORPGs targeted by these particular attackers are just a fraction of what might be lurking under download links on thousands of other unofficial websites and forums distributing games.
- Keep your games updated. Games, too, have vulnerabilities that can be exploited by malicious actors. Make sure you have all available patches applied.
- Use a reliable security solution and keep it turned on while gaming. At any point of your gaming experience, things might take a wrong turn – and you want to be prepared for that. Many security solutions today have a gamer mode option that lets you enjoy your games without interruptions while also keeping your computer protected.
- Keep in mind that there are other threats targeting gamers. Check out ESET’s further security tips for gamers.
ESET’s systems have detected Joao all around the world. The following map shows which countries have been most affected:
Figure 3: Joao detections distribution based on ESET’s detection systems
|Joao downloader : mskdbe.dll – Win32/Joao.A|
|JoaoShepherd.dll – Win32/Joao.B|
|joaoDLL.dll – Win32/Joao.C|
|joaoInstaller.exe – Win32/Joao.D|
|JoaoShepherd.dll (x64) – Win64/Joao.B|
|joaoInstaller.exe (x64) – Win64/Joao.D|
written by Tomas Gardon, ESET We Live Security