Trojan.Scavenger Disguises Itself as Game Cheats and Mods

Experts at Dr.Web reported on the Trojan.Scavenger malware family, which attackers use to steal data from cryptocurrency wallets and password managers on Windows users. Legitimate applications are used to launch the malware, and vulnerabilities related to DLL Search Order Hijacking are exploited.

In their report, researchers remind us that in 2024 they discovered an attempt to conduct a targeted attack on a Russian freight railway operator. At that time, the attackers exploited a vulnerability in the “Yandex Browser” related to DLL search order hijacking.

The issue lies in the way Windows applications search for necessary libraries upon launching. They look for these libraries in various locations and in a specific order. Attackers exploit this by placing malicious DLL files in locations where the search will occur first (for instance, in the installation directory of the targeted software). These malicious files are given the names of legitimate libraries, which are located in directories with lower search priority. As a result, vulnerable programs load the malicious DLLs first.

After studying the 2024 incident, experts implemented functionality into Dr.Web antivirus products that allows for monitoring and preventing the exploitation attempts of such vulnerabilities.

Now, while studying the telemetry of this function, analysts discovered attempts to download a previously unknown malware, Trojan.Scavenger, into several client browsers. As a result, two infection chains with different numbers of involved Trojan components were identified.

In a chain of three loaders, the starting component is Trojan.Scavenger.1, which is a DLL. This malware can be distributed as part of pirated games or disguised as various game patches, cheats, and mods through torrents and gaming-related websites. Yes

When the malware disguises itself as a patch, Trojan.Scavenger.1 spreads as a ZIP archive along with installation instructions. In these instructions, attackers encourage the potential victim to place the “patch” in the directory of the game Oblivion Remastered — supposedly to enhance its performance.

The name of the malicious file was not chosen at random: in Windows, a legitimate file named umpdc.dll is located in the system directory %WINDIR%\System32. It is part of the graphics API used by various applications and games.

If the installed version of the game on the victim’s device has an unpatched vulnerability, the copied malicious file will automatically launch alongside it.

It is noted that the version of the game Oblivion Remastered, current at the time of the study, correctly handled the search sequence for the library umpdc.dll. Therefore, in this particular instance, Trojan.Scavenger.1 could not automatically launch and continue the infection chain.

Upon success, the trojan downloads from a remote server and launches the next stage of the attack — the loader Trojan.Scavenger.2 (tmp6FC15.dll). This loader, in turn, downloads and installs other modules of the family into the system — Trojan.Scavenger.3 and Trojan.Scavenger.4.

Trojan.Scavenger.3 disguises itself as version.dll, which is copied into the directory of one of the targeted Chromium-based browsers. The DLL has the same name as one of the system libraries in the %WINDIR%\System32 directory.

Browsers vulnerable to DLL search order hijacking do not verify the source of the library being loaded with a given name. Since the trojan file is located in their directory, it takes precedence over the legitimate library and loads first.

Attempts to exploit this vulnerability have been recorded in Google Chrome, Microsoft Edge, Yandex Browser, and Opera.

Once launched, Trojan.Scavenger.3 disables protective mechanisms of the target browser (for example, deactivating its sandbox), resulting in the disappearance of isolation for executing JS code. Additionally, the trojan disables extension verification in the browser. It identifies the relevant Chromium library by the presence of the exported function CrashForExceptionInNonABICompliantCodeRange. The malware then searches for the extension verification procedure in this library and applies the corresponding patch.

After that, the malware modifies the targeted extensions installed in the browser, receiving the necessary modifications in the form of JavaScript code from a control server. The affected extensions include the cryptocurrency wallets Phantom, Slush, and MetaMask, as well as the password managers Bitwarden and LastPass.

In this case, it is not the originals that are modified, but copies, which the trojan initially places in the %TEMP%/ServiceWorkerCache directory. To ensure the browser “picks up” the modified extensions, the malware intercepts the functions CreateFileW and GetFileAttributesExW, substituting the local paths to the original files with paths to the modifications (referred to as Trojan.Scavenger.5).

The modifications themselves are available in two versions:

• a timestamp is added to the cookie;
• user data is sent to the command server.

From cryptocurrency wallets such as Phantom, Slush, and MetaMask, attackers steal private keys and seed phrases. From the Bitwarden password manager, they pilfer authorization cookies, while from LastPass, they steal passwords added by the victims.

In turn, Trojan.Scavenger.4 (profapi.dll) is copied into the directory of the Exodus cryptocurrency wallet application. The malware launches automatically with the program, exploiting a vulnerability known as DLL Search Order Hijacking (the legitimate system library profapi.dll is located in %WINDIR%\System32, but due to the vulnerability, the load priority at wallet startup is given to the malicious file).

Once launched, Trojan.Scavenger.4 intercepts the v8::String::NewFromUtf8 function in the V8 engine used for JavaScript and WebAssembly. With this capability, the malware tracks JSON data generated by the target application and can obtain various user data.

In the case of Exodus, the trojan searches for a JSON file containing the key passphrase, and then reads its value. As a result, it obtains the user’s mnemonic phrase, which can be used to decrypt or generate the private key for the victim’s cryptocurrency wallet. Next, the trojan locates the private key seed.seco from the cryptocurrency wallet, reads it, and sends it along with the previously obtained mnemonic phrase to the hackers’ server.

Researchers also examined a chain consisting of two downloaders. It is almost identical to the first one, however, in the distributed archives with “patches” and “cheats” for games, instead of Trojan.Scavenger.1, there is a modified version of Trojan.Scavenger.2, presented not as a DLL file but as a file with an .ASI extension. Essentially, this is a DLL with a changed extension.

Once the user copies the file into the specified directory, it will automatically launch with the start of the target game, which will perceive it as its own plugin. From this point, the infection chain repeats the steps from the first variant.

Experts report that most trojans in the family share a number of common characteristics. One of these is a standard procedure for checking the environment to determine if it is running in a virtual environment or in debug mode. If the malware detects signs of an artificial environment, it terminates its operation.

Another distinguishing feature of the Trojan.Scavenger family is its unified algorithm for communicating with the command and control server. To establish communication, the trojans undergo a process of key creation and encryption verification.

The process consists of sending two requests. The first is necessary to obtain a part of the key, which is used to encrypt certain parameters and data in specific requests. The second is performed to verify the key and contains certain parameters, such as a randomly generated string, the current time, and an encrypted value of the time. The command server responds to it with the previously received string. All subsequent requests include time parameters, and in their absence, the server refuses to establish a connection.