With the aim of spreading malware to the unsuspecting, a group of criminals created a website built around a Pokémon card game. The page promises an NFT game based on the popular franchise, offering fun and even financial return. In reality it is nothing more than a scheme to install the NetSupport remote access tool on the user’s computer and take control of the device.
Using mentions of the mobile title Pokémon GO and the card game, the attackers try to trick fans and users into visiting the site. There, several cards are presented, with options to browse collections, learn to play, and buy packs and tokens.
However, when clicking on the “Play on PC” button, the visitor downloads and installs a remote access tool (known as a RAT) on their machine. As a result, the criminals gain full control of the victim’s computer: they can steal data, install more malware and, of course, spread the program even further.
The discovery was made by an analyst at ASEC, which also found another fake Pokémon card page, though that one was already offline.
How malware works
Once the individual has downloaded and installed the program, the NetSupport RAT (“client32.exe”) is placed in a folder under %APPDATA%. The file is set to “hidden” to avoid detection.
The installer then creates an entry in the Windows Startup folder so that the RAT is launched as soon as the system boots. It is worth remembering that NetSupport itself is legitimate software, which may allow it to slip past security tools unnoticed.
That’s it! From there on, the victim’s computer is at the mercy of the cybercriminals.
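A defender’s check for the two artifacts described above (a hidden executable under %APPDATA% and a Startup-folder entry pointing at it). This is an added example written for this article, not code from ASEC or NetSupport; the file name client32.exe and the %APPDATA% location come from the report, while the scoring of hits is an assumption of this script.

```powershell
# Added example: hunt for the persistence pattern described in the article.
# Assumed logic: any Startup entry whose target is hidden, lives under %APPDATA%,
# or is named client32.exe is reported for manual review.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$appData = [Environment]::GetFolderPath('ApplicationData')  # resolves %APPDATA%
$shell   = New-Object -ComObject WScript.Shell                # used to resolve .lnk targets

$findings = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # Shortcuts are resolved to their target; other files are checked directly
        $target = if ($_.Extension -ieq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        if (-not $target) { return }
        $info = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
        if (-not $info) { return }
        $underAppData = $info.FullName.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
        $isHidden     = ($info.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $isClient32   = $info.Name -ieq 'client32.exe'
        if ($underAppData -or $isHidden -or $isClient32) {
            [pscustomobject]@{
                StartupEntry  = $_.FullName
                Target        = $info.FullName
                Hidden        = $isHidden
                UnderAppData  = $underAppData
                NamedClient32 = $isClient32
                # Legitimate NetSupport builds are signed; an unsigned or oddly signed copy is worth a closer look
                Signer        = (Get-AuthenticodeSignature -FilePath $info.FullName).SignerCertificate.Subject
            }
        }
    }
}

# The Startup entry may already have been cleaned up, so also look for the dropped file itself
$dropped = Get-ChildItem -Path $appData -Recurse -Force -Filter 'client32.exe' -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
    Select-Object FullName, LastWriteTime

$findings | Format-Table -AutoSize
$dropped  | Format-Table -AutoSize
```

Because NetSupport is a legitimate product, a hit is a lead to investigate (who installed it, when, and whether the user expected it), not proof of compromise on its own.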
Website is now offline
Fortunately, at the time of publication of this article, everything indicates that the site “pokemon-go[.]io” has already gone offline. Even so, as the first reports of the scheme emerged on December 22, 2022, it may be that much of the damage has already occurred.
The criminals previously used a fake Visual Studio file instead of Pokémon, which suggests they change the “brand” as needed and whenever a page is taken down. The business, however, remains the same.
Using the pocket monsters franchise is a smart move on the part of the attackers, as the IP’s popularity among both adults and children is very high. This makes the unsuspecting click the buttons without paying attention to the consequences or thinking about the risks.
On the other hand, we cannot forget that Nintendo (one of the owners of the brand) is very active when it comes to third-party use of its properties. Come to think of it, it wouldn’t take long for the Japanese company to take down the fake website.
Either way, it’s always worth staying alert. Only visit official pages for the content you like. It is also important to understand the difference between a virus and malware, as well as ways to protect yourself.
With information from Bleeping Computer.