Threat Management, Malware, Network Security

Online role-playing games on unofficial websites caught dispensing ‘Joao’ downloader

Attackers have been compromising popular online role-playing games from Aeria Games on unofficial websites, in order to infect players with a newly discovered malware downloader called Joao, researchers from ESET have reported.

Joao is programmed to download any number of malicious modules, including components with backdoor, spying, and DDoS capabilities. The malware uses server-side logic to deter which components it sends to any given infected machine, ESET explains in an Aug. 22 blog post.

Headquartered in Berlin, Aeria Games specializes in MMORPGs (massively-multiplayer online role-playing games) and publishes such titles as Echo of Soul and Wartune.

Most recently, ESET found that the unofficial website gf.ignitgames[.]to was offering a version of Aeria anime-themed MMORPG title Grand Fantasia that was contaminated with Joao. Other Aeria MMORPGs have previously been similarly affected, but the unofficial websites offering these titles have gone inactive or had the malicious downloads removed, the blog post states.

In an email, Robert Lipovsky, senior malware researcher at ESET, told SC Media that previously impacted titles included Aura Kingdom, Dragon Hunter and Twin Saga.

According to ESET, attackers modified these compromised games so that they execute the malicious library mskdbe.dll, aka Joao, when a user runs the game launcher. At that point, the downloader sends the attackers' command-and-control server basic information about the infected computer, including its device name, OS version and user privilege data.

Meanwhile, the game is unlikely to detect the suspicious activity taking place in the background because the tainted game otherwise operates exactly as it should. "Compared to downloading and launching a legitimate Aeria game, the only visible difference is an extra .dll file in the game's installation folder," the blog post notes.

ESET has detected attempted Joao infections around the world, with particularly high concentrations in Mexico, South America and Southeast Asia. To avoid playing the role of the victim, ESET recommends favoring official sources of games and keeping games updated.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.