Game Booster is the name of a program that supposed to speed up computers for a smoother gaming experience. Attackers have created a fake site that impersonates the legitimate Smart Game Booster site but instead distributes a Trojan that steals your passwords, cryptocurrency wallets, browser history, and much more.

The fake site is a copy of the pcgameboost.com website that provides a legitimate software program called Smart Game Booster. The fake version of the site is identical except for the fact that the download link installs a Trojan instead of the intended software.

A relatively new Trojan but has been seen in other campaigns targeting gamers. It is unique in that it does not install any persistence mechanisms so it only runs once and then removes itself. Running the Trojan allows it to steal saved login credentials in the browser, browser profiles, cryptocurrency wallets, records from VPN clients, FTP programs, text documents, desktop files, and Telegram sessions. It can also take a screenshot of the active desktop at the time of execution. This information is then sent to the attacker’s C2 server, which can then later be used to perform a variety of attacks.

How does it work

The Loki++ Trojan Trojan is a relatively new malware that is being sold on underground hacker and criminal forums.

While this particular sample contains strings identifying it as “Loki++ Stealer 2.0 Coded By Loki”, security researcher Vitali Kremez told Bleeping Computer that this is a “modified/altered Baldr/Arkei stealer”.

Unlike other malware, Loki++ does not have any persistence, which means it will only run once and then remove itself.

When run, though, it will attempt to steal saved login credentials in the browser, browser profiles, cryptocurrency wallets, records from VPN clients, FTP programs, text documents, desktop files, and Telegram sessions. In addition, the Trojan will create a screenshot of the active desktop when executed.

This information is then uploaded to the attacker’s command and control server, where it can be retrieved later.

As the infection is executed only once, does not display an install screen, and deletes itself after, victims would think there is a problem with the program as nothing would be shown on the screen. The attackers, though, would now have access to their saved login credentials and other information and could use it for a variety of attacks.

Therefore, it is important for users to research a site that you download files from before doing so. If the site has a good reputation, is associated with the program in some manner, then it is most likely safe to download.

If there is little or no information about a site, though, it should be avoided.

Recommendations

  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated IOCs in your environment.
  • Block all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices.
  • Keep applications and operating systems running at the current released patch level.

Summary

NameFake Game Booster Virus
Threat TypeTrojan, Password Stealing Virus, Banking Malware, Spyware
Detection Names (gamebooster.exe)Avast, BitDefender, ESET-NOD32, Kaspersky, Full List (Virus Total)
Malicious Process NameGamebooster.exe
PayloadBaldr
SymptomsTrojans are designed to stealthily infiltrate victim’s computer and remain silent thus no particular symptoms are clearly visible on an infected machine.
Distribution MethodsInfected email attachments, malicious online advertisements, Social engineering, software cracks.
DamageStolen banking information, passwords. identity theft, victim’s computer added to a botnet.
RemovalTo eliminate Fake Game Booster virus our malware researchers recommend scanning your computer with Spyhunter.