PlugX Malware Found in Official Releases of League of Legends, FIFA Online 3
Games have always been a popular social engineering lure to trick users into downloading malware into their PCs. Cybercriminals try to package their malware to look as authentic and legitimate as possible. But sometimes, they go the extra mile and package their malware with the legitimate game.
Compromised Official Releases
This was certainly the case for PC users in a recent incident involving the online games League of Legends (LoL), Path of Exile (PoE), and FIFA Online 3. Variants of the remote access Trojan (RAT) PlugX were found in the official releases of the three games, and appeared to target users based in certain countries in Asia.
Players may unwittingly trigger the infection chain by downloading the legitimate installer or updates for the game itself. The compromised game launcher will then drop three files:
- A legitimate game launcher
- A “cleaner” that overwrites the compromised launcher with the legitimate one
- A dropper that installs the PlugX binaries
The cleaner file could be seen as one way of covering up any traces of malicious activity. In the end, the victim will only see two malicious files, NtUserEx.dll and NtUserEx.dat (both detected as BKDR_PLUGX.ZTBL-EC).
PlugX allows remote users to perform malicious and data theft routines on a system without the user’s permission or authorization. PlugX variants often target legitimate apps so the use of these games is not new. One marked difference is that this PlugX variant created its own autostart service rather than relying on the legitimate app’s.
A closer look reveals that the string “Cooper” can be found in the malware’s body. No coincidence then that the name “Lee Cooper” can be found in the registrant information of the related command and control (C&C) server.
Figure 1. The string “Cooper” can be found in the malware
While checking the certificate, we noticed that the signature hash on the suspect file was VALID, which means the signing tool was run against the compromised binary’s hash rather than the original one. The clean game launcher, on the other hand, has an invalid digital signature.
We also noticed that the compromised LoL and PoE launchers have invalid digital certificates.
Figure 2. Legitimate application with invalid digital signature (left) and compromised application with a valid digital signature (right)
Tracing the Source
These compromised official releases were traced back to Garena, a consumer Internet platform provider in Asia. Garena has partnerships with game developers such as Riot Games, S2 Games, and Electronic Arts, allowing the company to have exclusive releases to certain games.
In an official post, Garena stated that “computers and patch servers were infected with Trojans. As a result, all the installation files distributed for the games League of Legends and Path of Exile are infected.” Further investigation by our engineers found that FIFA Online 3, another Garena release, was also compromised.
Taiwan and Singapore, Most Affected
Based on analysis, it seems that only the Taiwanese versions of the LoL and PoE installers were compromised. FIFA Online 3 victims are mostly from Singapore, as the download link is hosted in the same country.
Feedback from the Trend Micro™ Smart Protection Network™ supports these findings. However, we have also seen victims from other Asian countries such as Thailand, Malaysia, and Hong Kong. Analysis of the C&C activity shows that these countries are part of the top countries which accessed the C&C server.
Figure 3. Affected countries
The activity soon died down after Garena released their official announcement.
Protecting the Gamers
Currently, the installers on Garena’s website and other associated links have been verified to be clean since December 29, 2014. Trend Micro has released a clean-up tool for related infections that gamers may use. Garena has also recommended several steps to protect player accounts:
- Update games
- Scan computers with a security solution
- Change passwords for accounts
- Use the two-step verification provided by Garena
Trend Micro detects and blocks all associated threats.
Related hashes:
- f920e6b34fb25f54c5f9b9b3a85dca6575708631 (FO3Launcher.exe)
- bd33a49347ef6b175fb9bdbf2b295763e79016d6 (NtUserEx.dll)
- f3eabaf2d7c21994cd2d79ad8a6c0acf610bbf78 (NtUserEx.dat)
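The hashes above and the two files the victim is left with (NtUserEx.dll and NtUserEx.dat, described under Compromised Official Releases) are enough for a simple host-side sweep. The script below is an added example written for this post, not Trend Micro’s clean-up tool: it walks a directory tree, computes the SHA-1 of every file, reports matches against the published hashes, and separately flags files carrying the PlugX component names, then checks whether the .dll/.dat pair sits together in one directory. The directory to scan and the sample files used in the usage block are assumptions.

```python
"""IoC sweep for the PlugX-in-game-launcher case: added example, not the post's own tool."""
import hashlib
import os
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List

# SHA-1 hashes taken from the post's "Related hashes" list.
KNOWN_SHA1: Dict[str, str] = {
    "f920e6b34fb25f54c5f9b9b3a85dca6575708631": "FO3Launcher.exe (trojanized launcher)",
    "bd33a49347ef6b175fb9bdbf2b295763e79016d6": "NtUserEx.dll (BKDR_PLUGX.ZTBL-EC)",
    "f3eabaf2d7c21994cd2d79ad8a6c0acf610bbf78": "NtUserEx.dat (BKDR_PLUGX.ZTBL-EC)",
}

# File names the post says remain on an infected machine after the cleaner runs.
SUSPECT_NAMES = {"ntuserex.dll", "ntuserex.dat"}


@dataclass(frozen=True)
class Finding:
    path: str
    sha1: str
    reason: str


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so large installers do not land in memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, known_sha1: Dict[str, str] = KNOWN_SHA1,
          suspect_names: Iterable[str] = SUSPECT_NAMES) -> List[Finding]:
    """Walk `root`; a hash match is reported first, a name match only if the hash is unknown
    (a recompiled or repacked PlugX component keeps the name but not the hash)."""
    names = {n.lower() for n in suspect_names}
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole sweep
            if digest in known_sha1:
                findings.append(Finding(path, digest, "hash match: " + known_sha1[digest]))
            elif name.lower() in names:
                findings.append(Finding(path, digest, "file name matches PlugX component"))
    return findings


def paired_components(findings: Iterable[Finding]) -> bool:
    """True when NtUserEx.dll and NtUserEx.dat were both seen in the same directory,
    which is the on-disk footprint the post describes for an infected machine."""
    by_dir: Dict[str, set] = {}
    for f in findings:
        by_dir.setdefault(os.path.dirname(f.path), set()).add(os.path.basename(f.path).lower())
    return any(SUSPECT_NAMES <= seen for seen in by_dir.values())


if __name__ == "__main__":
    # Usage: python sweep.py <directory>   (directory is an assumption, e.g. a game install folder)
    hits = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in hits:
        print(f"{hit.sha1}  {hit.path}  [{hit.reason}]")
    print("dll/dat pair present:", paired_components(hits))
```

A name-only hit is weaker evidence than a hash hit, which is why the two are labelled differently; the pair check raises confidence when both components are found side by side, and the hash table can be extended as new samples are published.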
With additional analysis by Jimmy Hung, Marco Dela Vega, MingYen Hsieh, Nancy Chuang, Razor Huang, Tim Yeh and Vico Fang
Post from: Trendlabs Security Intelligence Blog – by Trend Micro