Gotta catch ‘em all: cybercriminals target victims with fake Pokémon game


Threat actors capitalize on the popularity of a Pokémon franchise and a buoyant NFT card trading market to spread malware.

Cybersecurity experts at the South Korean AhnLab Security Emergency Response Center (ASEC) have uncovered an online phishing scheme that seeks to distribute malicious software via a fake Pokémon NFT game.

At least two phishing pages impersonating a Pokémon game were found to distribute the NetSupport remote access tool (RAT) in order to gain control of the victims’ devices, according to ASEC.


While NetSupport RAT is a legitimate program, it can be used for malicious purposes when in the wrong hands, including the installation of additional malware or information extortion, cybersecurity experts noted.

Neither of the two pages, named “pokemon-go[.]io” and “beta-pokemoncards[.]io,” appeared to be active at the time of writing. Both were designed to imitate an NFT card game based on the Pokémon franchise.

Once users clicked on the “Play on PC” button on the phishing page, they downloaded a file that looked like a game installer but contained the NetSupport RAT, ASEC said.

Figure: Fake Pokémon game page. Image by ASEC

“The downloaded file has both a disguised icon and version information, so users are prone to mistaking this for a game program and running it,” it noted.

Once executed, the malware creates a new folder under the %APPDATA% path and drops its NetSupport-related files there as hidden files, making them difficult for users to find manually. A shortcut placed in the Startup folder ensures the malware runs again after every reboot.
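The persistence chain described above (hidden files under %APPDATA% plus a Startup-folder shortcut) is cheap to audit on an endpoint. The script below is an added defender-side example, not code from ASEC or from the NetSupport vendor: it resolves every shortcut in the current user's Startup folder and flags those whose target lives under %APPDATA% or carries the Hidden attribute, then lists hidden executables sitting under %APPDATA%. Nothing here is specific to the Pokémon lure; the file names it would surface are whatever a real infection left behind, so it is a triage aid rather than a signature.

```powershell
# Added example (not from the ASEC report): audit per-user Startup shortcuts
# and hidden executables under %APPDATA%, the two traits the report describes.
$startup = [Environment]::GetFolderPath('Startup')          # per-user Startup folder
$appData = [Environment]::GetFolderPath('ApplicationData')  # resolves %APPDATA%
$shell   = New-Object -ComObject WScript.Shell              # used to read .lnk targets

# 1) Every .lnk in Startup: where does it point, and is the target hidden or in %APPDATA%?
$shortcuts = Get-ChildItem -Path $startup -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $inAppData = $false
        $hidden    = $false
        if ($target) {
            $inAppData = $target.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
            if (Test-Path -LiteralPath $target) {
                $attrs  = (Get-Item -LiteralPath $target -Force).Attributes
                $hidden = [bool]($attrs -band [IO.FileAttributes]::Hidden)
            }
        }
        [pscustomobject]@{
            Shortcut     = $_.Name
            Target       = $target
            InAppData    = $inAppData
            HiddenTarget = $hidden
            Suspicious   = ($inAppData -or $hidden)   # either trait alone is worth a look
        }
    }

"== Startup shortcuts =="
$shortcuts | Format-Table -AutoSize

# 2) Hidden executables and DLLs anywhere under %APPDATA% (depth-limited to keep it fast).
#    Legitimate software rarely hides its binaries here, so hits deserve manual review.
"== Hidden executables under %APPDATA% =="
Get-ChildItem -Path $appData -Recurse -Depth 3 -Force -Include '*.exe','*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

Run it in the context of the user whose profile is being checked; `-Force` is what makes hidden items visible to `Get-ChildItem`. A flagged shortcut is not proof of infection on its own (some updaters also live in %APPDATA%), so compare the target's publisher signature and creation time against the user's recent downloads before acting. Removing the shortcut and the hidden folder breaks the restart persistence, but a full response should also look for a running NetSupport client process and its outbound connection.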

Figure: Malware disguised as a Pokémon game. Image by ASEC

ASEC warned that threat actors could also be using programs other than the Pokémon game to distribute malware, as was recently the case with the phishing website disguised as an update page for a software called SocGholish.


“NetSupport RAT is being used by various threat actors. Major cases show that they are recently being distributed through spam emails disguised as those for invoices, shipment documents, and purchase orders,” ASEC said.

It advised users to purchase or download any externally sourced software only from official websites and to avoid opening attachments in suspicious emails. Users should also keep their operating systems and web browsers updated to the latest versions to reduce the risk of malware infection, it said.