AhnLab Security Center


StarCraft or ‘Crafty’?

04-13-2017

Malware has recently been discovered that targets StarCraft fans who have been waiting for the remastered version of the popular video game. Blizzard Entertainment Inc. recently announced the re-release of StarCraft with improved 4K UHD Graphics, high-quality audio and other additional features. These announcements gave rise to malware disguised as free downloads for StarCraft: Remastered.

 


  [Figure 1] StarCraft: Remastered

 

The malware was distributed via a "Rip Version" of StarCraft, i.e., a pirated copy that does not require proper installation or activation and is simply offered as a free download on the internet.

 


 [Figure 2] StarCraft Rip Version file

 

Users are more likely to be exposed to malicious attacks because the malware conceals itself as a Rip Version file, which is the kind of file many gamers prefer to download.

 


[Figure 3] BroodWar.exe activates the malicious file

  

BroodWar.exe, located in the Rip Version folder, launches StarCraft.exe from a specific path; this StarCraft.exe is malware disguised as the game's executable.

 

 

[Figure 4] Malicious StarCraft.exe activation

 

The malicious StarCraft.exe is a .NET Framework executable. As soon as it runs, it hides itself from the user by setting its file attribute to "hidden". It then copies itself to the temporary folder, naming the copy after the executable of a commonly used local utility program.

Afterwards, the malware not only configures itself to start together with the system by adding itself to the Run registry key, but also attempts to connect to a specific IP address.
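The two persistence traits just described (a copy dropped in a temp folder under a utility's name, and a Run registry value pointing at it) are easy to hunt for on a host. The script below is an added example written for this article, not AhnLab's code; it parses a `.reg` export of the Run key and flags values whose program runs from a temp directory or borrows the name of a common Windows utility outside its usual location. The registry export embedded in it is constructed for illustration, and the value names and paths in it are not indicators from this report.

```python
"""Flag Run-key autostart entries that look like temp-path persistence.

Added example for this article (not AhnLab's code). Input is the text of a
`reg export` of a ...\Run key, so the check runs offline on any platform.
"""
import os
import re
import stat
from typing import Dict, List

# Constructed sample of a `reg export HKCU\...\Run` file. Names and paths are
# invented for the example and are NOT indicators from the report.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"notepad"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\notepad.exe\""
"Updater"="C:\\Windows\\Temp\\svchost.exe"
'''

# Directories from which a legitimate autostart entry rarely runs.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Utility names malware likes to borrow (illustrative list, not from the report)
# and the directories where the genuine binaries live.
LOOKALIKE_NAMES = {"notepad.exe", "svchost.exe", "explorer.exe", "calc.exe"}
LEGIT_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}

_KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_entries(reg_text: str) -> List[Dict[str, str]]:
    """Return one {key, name, command} dict per string value under a ...\\Run key."""
    entries, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        val_match = _VALUE_RE.match(line)
        if val_match and current_key and current_key.lower().endswith("\\run"):
            # .reg files escape embedded quotes and backslashes; undo that.
            data = val_match.group("data").replace('\\"', '"').replace("\\\\", "\\")
            entries.append({"key": current_key, "name": val_match.group("name"), "command": data})
    return entries


def executable_path(command: str) -> str:
    """Extract the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_hidden_on_disk(path: str) -> bool:
    """True if the file carries the Windows 'hidden' attribute (always False off Windows)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(getattr(st, "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_HIDDEN)


def assess_entry(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry looks suspicious; an empty list means it passed."""
    path = executable_path(entry["command"])
    lowered = path.lower()
    parts = lowered.rsplit("\\", 1)
    directory, basename = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
    reasons = []
    if any(d in lowered for d in SUSPICIOUS_DIRS):
        reasons.append("runs from a temporary directory")
    if basename in LOOKALIKE_NAMES and directory not in LEGIT_DIRS:
        reasons.append("uses the name of a common system utility outside its usual directory")
    if is_hidden_on_disk(path):
        reasons.append("file is marked hidden")
    return reasons


def scan_run_keys(reg_text: str) -> List[Dict[str, object]]:
    """Parse a .reg export and return only the entries with at least one finding."""
    findings = []
    for entry in parse_run_entries(reg_text):
        reasons = assess_entry(entry)
        if reasons:
            findings.append({"name": entry["name"], "path": executable_path(entry["command"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_run_keys(SAMPLE_REG_EXPORT):
        print(f"{f['name']}: {f['path']} -> {'; '.join(f['reasons'])}")
```

On a real host, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent), read the file with `encoding="utf-16"` since `reg export` writes UTF-16 with a BOM, and pass the text to `scan_run_keys`. The hidden-attribute check only yields a result on Windows where the flagged path exists; on other platforms it silently reports False.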

 

Through decompiling and unpacking the malware, security researchers at AhnLab have confirmed that StarCraft.exe malware executes the following functions:

- Steals and controls data from the infected system through C&C commands

- Downloads additional malware 

- Disables anti-virus programs

 

The relevant aliases identified by AhnLab’s security solutions are as below:

<Alias identified by V3 products>

Trojan/Win32.Bladabindi

<Alias identified by MDS>

Malware/MDP.AutoRun 

 

Popular social issues and events not only draw the public's attention, but also attract malware that disguises its files by naming them after the issue or event. Such names lure people into downloading the malware.

Therefore, keep the following guidelines in mind before running any software you have downloaded to your PC.

◆ Scan the file with an anti-virus program to check that it is safe before running it.

◆ Back up important data on a regular basis.

◆ Download software from official websites and avoid illegal downloads.

 

The proverbial “Prevention is better than the cure” applies here. Abiding by these safety guidelines will help you prevent fraudulent StarCraft malware from stealing all of your important data and your chance to play StarCraft: Remastered.
