Scavenger Trojan Targets Crypto Wallets via Game Mods, Browser Flaws

The latest report from Doctor Web has detailed a malware campaign involving a new family of trojans called Trojan.Scavenger (Scavenger Trojan). These aren’t your typical malicious files that simply run in the background and steal data; they’re carefully structured to abuse a vulnerability in how Windows loads certain components. The attackers used this to infect targeted systems and extract sensitive information, especially from crypto wallets and password managers.

It all started when Doctor Web looked into a targeted attack on a Russian enterprise. During the investigation, their team noticed the attackers were taking advantage of DLL Search Order Hijacking.

This method lets malicious code get into software by posing as a legitimate component. The trick is placing a fake DLL in the same folder as the target application, so the loader finds it before the real copy in the system directory. Once the application launches, it loads the fake file as if it were part of the original app, giving the malicious code access to everything the app can reach.

According to Doctor Web’s report, after adding protection against this technique to their antivirus suite, the company began collecting telemetry data. That’s when they noticed some users were being served unknown malicious files through their browsers.

This led the researchers to the discovery of the Trojan.Scavenger campaign. It later became clear that attackers were distributing this malware in multiple stages and using various bait methods like game patches and cheats to lure victims into running it.

One infection route used a three-stage loader chain. The first component, Trojan.Scavenger.1, was disguised as a performance patch for the game Oblivion Remastered. Victims were instructed to drop the fake DLL into the game’s folder.

The file name was deliberately chosen to match a legitimate Windows DLL so it would get loaded instead of the real one. But in this specific game version, the exploit failed because the developers had properly configured the loading process. Still, the same trick could succeed in other programs.

Researchers further noted that when the Trojan does manage to run, it downloads the next stage, Trojan.Scavenger.2, which then pulls in additional modules, Trojan.Scavenger.3 and Trojan.Scavenger.4. One of these, Trojan.Scavenger.3, pretends to be a system library and gets placed into the folder of Chromium-based browsers like Chrome, Edge, Opera, and Yandex. Because of the loading flaw, the browser ends up running the malicious file instead of the real system version.
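The planting pattern described above (a DLL with a system library’s name dropped into a game or browser folder) is something a defender can audit for directly. The following PowerShell script is an added example, not code from Doctor Web or from the report; it assumes a Windows host and takes the folder to inspect as `$AppDir`. It lists every DLL under that folder whose name matches a DLL shipped in System32, compares its hash with the system copy, and checks its Authenticode signature, so that an unsigned, modified look-alike stands out from legitimately redistributed runtime libraries.

```powershell
# Added example: audit an application folder for DLLs that shadow System32 DLLs
# (the DLL search order hijacking pattern described in the report).
# Assumptions: Windows host; $AppDir is the game/browser install folder to inspect.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppDir
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Case-insensitive lookup of DLL names that ship in System32.
$systemDlls = @{}
Get-ChildItem -Path $system32 -Filter '*.dll' -File | ForEach-Object {
    $systemDlls[$_.Name.ToLowerInvariant()] = $_.FullName
}

$findings = foreach ($dll in Get-ChildItem -Path $AppDir -Filter '*.dll' -File -Recurse) {
    $key = $dll.Name.ToLowerInvariant()
    # Only a DLL that shares its name with a system DLL can be a shadowing candidate.
    if (-not $systemDlls.ContainsKey($key)) { continue }

    $sysCopy = $systemDlls[$key]
    $appHash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
    $sysHash = (Get-FileHash -Path $sysCopy -Algorithm SHA256).Hash
    $sig     = Get-AuthenticodeSignature -FilePath $dll.FullName

    [PSCustomObject]@{
        Path            = $dll.FullName
        ShadowsSystem   = $sysCopy
        SameAsSystem    = ($appHash -eq $sysHash)
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        LastWriteTime   = $dll.LastWriteTime
    }
}

# A copy that differs from the system file AND is not validly signed is the case
# worth escalating; a signed vendor-redistributed runtime DLL passes this filter.
$suspicious = @($findings | Where-Object { -not $_.SameAsSystem -and $_.SignatureStatus -ne 'Valid' })

$findings | Format-Table Path, SameAsSystem, SignatureStatus, Signer -AutoSize
"`nSuspicious shadowing DLLs: $($suspicious.Count)"
$suspicious | Format-Table Path, SignatureStatus, LastWriteTime -AutoSize
```

Run it as `.\Audit-DllShadowing.ps1 -AppDir 'C:\Games\SomeGame'` (the script name is an assumption). A recent `LastWriteTime` on a flagged file that does not match the application’s install date is the detail a responder would look at first; the same approach can be pointed at a browser or wallet install folder, since the report describes the same planting technique being used against those.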

This version of the Trojan tampers with the browser’s internal security features. It disables the sandbox and blocks the check that verifies browser extensions. Then it edits copies of popular extensions, including the following:

  • Slush
  • Phantom
  • LastPass
  • MetaMask
  • Bitwarden

The originals remain untouched, but the browser is tricked into using the tampered versions. These altered versions are designed to silently send data, such as mnemonic phrases and stored passwords, to the attacker’s server.

Meanwhile, Trojan.Scavenger.4 similarly targets the Exodus crypto wallet. It gets loaded when the app starts, using the same DLL hijacking method. Once inside, it taps into the app’s engine to scan for key data like the mnemonic phrase and the file storing the private key. That information is then sent to the attacker.

In another version of the campaign, the attackers skip the first trojan and start directly with a modified Trojan.Scavenger.2. This one uses a file with an .ASI extension, often associated with game mods or plugins. For example, users might be told to install a file called “Enhanced Native Trainer.asi” into their GTA game folder. The game recognises it as a plugin and runs it automatically, allowing the infection chain to continue from there.

Across all versions of this malware, the trojans share some key behaviour patterns. They check whether they’re being launched inside a virtual machine or a debugging environment and stop working if they detect one. This is a common method used to avoid detection during security research.

Another shared feature is how they communicate with their control server. They use a two-step handshake to set up an encrypted channel, first asking for part of the encryption key, then verifying the connection by sending encrypted timestamps. Any requests sent without this setup are ignored by the server.

Doctor Web reached out to the software developers whose apps were vulnerable, but most of them declined to fix the DLL hijacking flaw. Therefore, users must exercise caution and avoid downloading apps from third-party stores, refrain from using pirated games and keep their anti-virus software updated.
