The Java Autorun Worm, Java.Cogyeka (3 of 3)
As I wrote in parts one and two of this series of blogs, Java.Cogyeka uses an autorun.inf file to propagate and download an additional module. I was able to get the downloaded module, based on a Java application, even though it took over a week because of the difficulty in establishing a connection with the server. The downloaded module, like the main module, tries to protect itself through obfuscation with Zelix KlassMaster. After investigating the downloaded module, I discovered that the purpose of Java.Cogyeka is to steal information from a video game on the compromised computer.
The targeted game
The game being targeted by Java.Cogyeka is League of Legends, a free-to-play video game published by Riot Games. While the game is free-to-play, users can purchase additional characters and character skins with real money. Java.Cogyeka may target League of Legends because of these real money transactions.
Infostealer
The downloaded module attempts to steal the League of Legends player’s account information and keystrokes to gain control of their account. While the purpose of the threat is to steal information related to the League of Legends game, it may also steal additional information because of its keystroke-stealing capabilities.
Stealing keystrokes
The downloaded module drops two types of DLL files, a 32-bit version and a 64-bit version. This is done using the same technique that the threat uses for obtaining the drive letters of the removal drive in the main module, as described in the second Java.Cogyeka blog. The Java system does not permit Java applications to obtain keystroke information from other processes. The malware may steal passwords, but it needs a native call, so it drops the Windows DLL file from the Java application.
The SetWindowsHookEx API is used to log keystrokes and mouse operations while WH_KEYBOARD_LL and WH_MOUSE_LL are used as hook types. The stolen keystrokes and mouse operations are then sent to a remote server.
Figure 1. Downloaded module steals keystrokes and mouse operations
Stealing account information
The malware steals keystrokes in the hopes of obtaining a player’s League of Legends user name and password. However, the League of Legends login window has an option to remember a player’s user name and, if a player has selected this option, Java.Cogyeka cannot obtain the player’s user name. To get around this, the malware also attempts to steal a file that contains the user’s account information.
Figure 2. League of Legends login screen
To steal the user’s account information, the malware tries to search for the following folder on all drives:
- Riot Games/League of Legends/RADS/projects/lol_air_client/releases
This folder contains a folder with the name of the version number of the game, for example “0.1.2.0.” The malware traverses folders at the version folder searching for the following path:
- deploy/preferences/global/global.properties
This file contains the game settings as well as the player’s user name that is used to log in to the game.
Sending the stolen information
Once the downloaded module has obtained the login information, it sends it to the domain Jkl.no-ip.biz on TCP port 1087.
This server name has been deactivated and is no longer accessible. However, both the server name and port number are hardcoded into the module unlike the command-and-control server name and port number, and the stolen information is encrypted.
Figure 3. Malware observed worldwide as the targeted game is played all over the world
Conclusion
In this series of blogs, I have discussed the propagation and information-stealing functions of Java.Cogyeka and how it uses an obfuscation tool to protect itself from detection by security scanners. While the malware has a specific target, the video game League of Legends, other information may also be stolen through the captured keystrokes and mouse operations. Java.Cogyeka may also update itself because it downloads an additional Java module. We will continue to observe and investigate this malware.
I am left wondering why the malware requires the USB spreading functionality. The purpose of this malware is to steal information from an online game. The League of Legends is a type of game whereby users connect to a game server in order to play online. There is a possibility that it attempts to infect computers at Internet cafés. In this case, game players or administrators of the Internet café may use a USB storage device. On the other hand, a user may play the game with his or her friends at the same place and use USB storage devices to share files. It is possible that the malware aims to take advantage of such a situation.
Symantec detects these files as Java.Cogyeka, Java.Cogyeka!autorun, and Java.Cogyeka!gen1. We recommend that users keep their security software up to date.