ESET researchers have discovered a new sneaky malware threat named Joao, targeting gamers worldwide. Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victim’s computer.
To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games (MMORPGs) originally published by Aeria Games. At the time of writing this article, the Joao downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.
Our research has shown that several other Aeria games have been misused in the same way in the past; however, their corresponding unofficial websites have either gone inactive or had the malicious downloads removed in the meantime.
ESET blocks the website serving Joao malware and has informed Aeria Games about the matter.
Figure 1: Infected version of Grand Fantasia as distributed via gf.ignitgames[.]to
The affected games have been modified to run Joao’s main component – a malicious library mskdbe.dll, detected by ESET’s systems as Win32/Joao.A. When users run the game launcher, Joao is launched along with it.
Upon launching, the Joao downloader first sends basic information about the infected computer – device name, OS version and information on user privileges – to the attacker’s server. Because the malware keeps its operations “silent” and the game works as expected, there’s nothing suspicious about the whole infection process from the user’s point of view.
Compared to downloading and launching a legitimate Aeria game, the only visible difference is an extra .dll file in the game’s installation folder.
Figure 2: Joao downloader in the game’s installation folder
After the communication with the server has been established, server-side logic decides whether and which components will be sent to the victim’s computer. The Joao components we discovered during our research had backdoor, spying, and DDoS capabilities.
Downloading lots of games from different sources and unsure if any of this applies to you? For a quick check of Joao’s presence on your computer, you can try running a search for “mskdbe.dll” – if the search returns a result, your computer has most likely been infected with the Joao malware. If no such file is found, it doesn’t automatically mean you haven’t crossed paths with the malware – the crooks can rename the file at any moment.
Therefore, it’s best to use a reliable security solution to detect the threat and remove it for you – you can also use ESET’s Free Online Scanner.
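As an added example (not ESET’s code or tooling), the manual search described above can be scripted: the sweep below walks the folders you point it at, matches file names against the Joao component names listed in this article case-insensitively, and hashes each hit so it can be submitted for analysis. The sample game folder it builds is constructed here with harmless placeholder files; as the article notes, a renamed component will not be caught by a name-based check.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Component file names from the article's detection table (lower-cased for matching).
# A name-based check is only a first pass: the attackers can rename the file at any time.
JOAO_FILE_NAMES = {
    "mskdbe.dll",         # Joao downloader, Win32/Joao.A
    "joaoshepherd.dll",   # Win32/Joao.B, Win64/Joao.B
    "joaodll.dll",        # Win32/Joao.C
    "joaoinstaller.exe",  # Win32/Joao.D, Win64/Joao.D
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a hit can be compared against vendor data or submitted."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_joao_indicators(roots):
    """Walk each root (e.g. game installation folders) and return a list of
    (path, sha256) for every file whose name matches a known Joao component."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in JOAO_FILE_NAMES:
                    full = Path(dirpath) / name
                    hits.append((str(full), sha256_of(full)))
    return hits


def make_sample_tree() -> str:
    """Constructed sample: a fake game folder containing a harmless placeholder
    named like the downloader (different case) next to a benign DLL name."""
    root = tempfile.mkdtemp(prefix="grand_fantasia_sample_")
    game = Path(root) / "Grand Fantasia"
    game.mkdir()
    (game / "MSKDBE.DLL").write_bytes(b"placeholder, not malware")
    (game / "d3dx9_43.dll").write_bytes(b"benign placeholder")
    return root


if __name__ == "__main__":
    for path, digest in find_joao_indicators([make_sample_tree()]):
        print(f"indicator hit: {path} sha256={digest}")
```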
With the gamescom fair underway, let’s take a look at how you can enjoy gaming without being faced with threats.
ESET’s systems have detected Joao all around the world. The following map shows which countries have been most affected:
Figure 3: Joao detections distribution based on ESET’s detection systems
|Component|ESET detection name|
|mskdbe.dll (Joao downloader)|Win32/Joao.A|
|JoaoShepherd.dll|Win32/Joao.B|
|joaoDLL.dll|Win32/Joao.C|
|joaoInstaller.exe|Win32/Joao.D|
|JoaoShepherd.dll (x64)|Win64/Joao.B|
|joaoInstaller.exe (x64)|Win64/Joao.D|
Author Tomáš Gardoň, ESET