
Hackers access Windows devices through fake Pokémon game

Hackers have launched a fake Pokémon game and are using it as a vessel to distribute a remote access tool (RAT) and gain control of Windows devices.

Daniel Croft
Tue, 10 Jan 2023

Aiming to draw users in on both the popularity of Pokémon and the potential financial gain of NFTs, Pokemon-go[.]io allows users to download what they believe is the game’s installer by clicking the “Play on PC” button.

Instead, those who open the proverbial Poké ball and try to download the game will unknowingly install the NetSupport RAT, allowing bad actors to take control of the victim’s device.

The use of Pokémon as a draw poses an additional risk, with the scam enticing young children, who are less likely to be able to identify a non-legitimate website.

NetSupport RAT is a legitimate program that was designed for use by administrators, allowing them to remotely access devices and fix issues. It is a powerful tool that allows for screen recording, remote control, system monitoring, network traffic encryption and much more.

However, bad actors are well known to abuse the software to take control of victims’ devices, lock them and steal data in order to demand a ransom, among other purposes.

Once a victim downloads and runs the “client32.exe” installer, the software is installed in the hidden %APPDATA% path, which is home to important files such as application settings. Furthermore, the software’s files are set to hidden, making them hard for victims to find.

The Windows Startup folder is also modified so that the RAT runs each time the system boots.
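As an added illustration (not from the article or from ASEC), the PowerShell triage script below lists Startup-folder entries that launch a hidden executable under %APPDATA%, the persistence pattern just described; only the “client32.exe” name comes from the article, and the folder choices and flagging rules are assumptions.

```powershell
# Added example: triage the Windows Startup folders for entries that launch a
# hidden executable under %APPDATA%. Run from an elevated PowerShell session.
$SuspectNames = @('client32.exe')   # file name reported in the article; extend as needed
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$AppData = [IO.Path]::GetFullPath($env:APPDATA)
$Shell   = New-Object -ComObject WScript.Shell

function Resolve-StartupTarget {
    # Follow .lnk shortcuts to the executable they launch; other files point at themselves
    param([IO.FileInfo]$Entry)
    if ($Entry.Extension -ieq '.lnk') {
        return $Shell.CreateShortcut($Entry.FullName).TargetPath
    }
    return $Entry.FullName
}

$Findings = foreach ($dir in $StartupDirs) {
    if (-not (Test-Path $dir)) { continue }
    # -Force also lists Startup entries whose own Hidden attribute would conceal them
    foreach ($entry in Get-ChildItem -Path $dir -File -Force) {
        $target = Resolve-StartupTarget $entry
        if (-not $target) { continue }
        $targetItem = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
        $isHidden  = [bool]($targetItem -and ($targetItem.Attributes -band [IO.FileAttributes]::Hidden))
        $inAppData = $target.StartsWith($AppData, [StringComparison]::OrdinalIgnoreCase)
        $knownName = $SuspectNames -contains [IO.Path]::GetFileName($target)
        if ($inAppData -or $isHidden -or $knownName) {
            [PSCustomObject]@{
                StartupEntry = $entry.FullName
                Target       = $target
                InAppData    = $inAppData
                Hidden       = $isHidden
                KnownName    = $knownName
            }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No suspicious Startup entries found.' }
```

A target under %APPDATA% is not malicious on its own, since some legitimate per-user software installs there; treat each hit as a lead to verify (publisher signature, hash, install date) rather than a verdict.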

The fake game first appeared in 2022, following in the footsteps of a similar scam by the same operators which advertised a file for Adobe Visual Studio.

The AhnLab Security Emergency-response Center (ASEC) discovered the scam, revealing that the executable was originally available on a second website — betapokemoncards[.]io. The second site has since gone offline.
