The unofficial website gf.ignitgames[.]to was recently observed offering a version of Aeria Games' anime-themed MMORPG title Grand Fantasia that was contaminated with Joao. (Image not from game.)

Attackers have been compromising popular online role-playing games from Aeria Games on unofficial websites, in order to infect players with a newly discovered malware downloader called Joao, researchers from ESET have reported.

Joao is programmed to download any number of malicious modules, including components with backdoor, spying, and DDoS capabilities. The malware uses server-side logic to determine which components it sends to any given infected machine, ESET explains in an Aug. 22 blog post.

Headquartered in Berlin, Aeria Games specializes in MMORPGs (massively-multiplayer online role-playing games) and publishes such titles as Echo of Soul and Wartune.

Most recently, ESET found that the unofficial website gf.ignitgames[.]to was offering a version of Aeria's anime-themed MMORPG title Grand Fantasia that was contaminated with Joao. Other Aeria MMORPGs have previously been similarly affected, but the unofficial websites offering these titles have gone inactive or had the malicious downloads removed, the blog post states.

In an email, Robert Lipovsky, senior malware researcher at ESET, told SC Media that previously impacted titles included Aura Kingdom, Dragon Hunter and Twin Saga.

According to ESET, attackers modified these compromised games so that they execute the malicious library mskdbe.dll, aka Joao, when a user runs the game launcher. At that point, the downloader sends the attackers' command-and-control server basic information about the infected computer, including its device name, OS version and user privilege data.

Meanwhile, the gamer is unlikely to detect the suspicious activity taking place in the background because the tainted game otherwise operates exactly as it should. "Compared to downloading and launching a legitimate Aeria game, the only visible difference is an extra .dll file in the game's installation folder," the blog post notes.
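Because the extra .dll is the one visible difference, a defender can surface it by diffing a suspect install folder against a reference install taken from the official source. The following is an added example, not code from ESET or the article; the function names, the sample file names other than mskdbe.dll, and the assumption that the launcher binary is the file the attackers modified are all constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map lower-cased relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            manifest[rel] = sha256_file(full)
    return manifest

def audit_install(reference, suspect):
    """Compare a suspect install folder with a reference install from the official source."""
    ref, sus = build_manifest(reference), build_manifest(suspect)
    extra = sorted(p for p in sus if p not in ref)
    return {
        "extra_dlls": [p for p in extra if p.endswith(".dll")],      # e.g. a planted library
        "other_extra": [p for p in extra if not p.endswith(".dll")],
        "modified": sorted(p for p in sus if p in ref and sus[p] != ref[p]),
    }

def demo():
    """Constructed sample: two tiny fake installs with placeholder bytes, no real game files."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, sus = os.path.join(tmp, "official"), os.path.join(tmp, "unofficial")
        # Assumption for the demo: the unofficial copy ships a patched launcher.
        for root, launcher in ((ref, b"launcher-v1"), (sus, b"launcher-v1-patched")):
            os.makedirs(os.path.join(root, "data"))
            for rel, body in (("launcher.exe", launcher), ("engine.dll", b"engine"), ("data/map.pak", b"map")):
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(body)
        with open(os.path.join(sus, "mskdbe.dll"), "wb") as f:
            f.write(b"placeholder bytes, not malware")
        return audit_install(ref, sus)

if __name__ == "__main__":
    print(demo())
```

Hash mismatches are only meaningful when both folders hold the same game version, so update the reference install before comparing.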

ESET has detected attempted Joao infections around the world, with particularly high concentrations in Mexico, South America and Southeast Asia. To avoid playing the role of the victim, ESET recommends favoring official sources of games and keeping games updated.