If you just encountered a new Pokémon card game online that promises to give you non-fungible tokens (NFTs), think twice before clicking it, as it could contain malicious software.
Threat actors are currently using a legitimate-looking Pokémon game to distribute the NetSupport remote access tool (RAT) and gain control of their systems. Initially uncovered by analysts at ASEC, the fake game markets itself as a new NFT card game where users can play with Pokémon cards and earn profits with their NFT investments.
When users click on the “Play on PC” button on the fraudulent game’s website, an executable file will be downloaded to their device. While the file looks like a game installer, it actually contains the NetSupport RAT.
Once the file is executed, it creates a folder in the %APPDATA% path and creates hidden NetSupport RAT-related files, making it difficult for users to remove the malware. The file also creates an entry in the Startup folder so the malware can run even after every boot.
While the NetSupport RAT is a legitimate program used to give system administrators remote access to users’ computers, the configuration file in this situation contains the threat actor’s command-and-control server address. This means that when NetSupport is executed, it will establish a connection to the threat actor’s NetSupport server, enabling the fraudsters to steal data and install even more malware.
Given how many legitimate NFT trading card games there are online (and the popularity of Pokémon itself), it’s highly plausible for people to fall victim to such an online threat. To protect yourself from such scams, never download or install software from websites you don’t completely trust. Refrain from opening an email attachment or link you received from someone you don’t know and always make sure that your devices and anti-malware software are updated.
Source: ASEC
