Overview
As the popularity of the mobile game Hamster Kombat skyrockets, it has become a prime target for cybercriminals eager to exploit its user base. In a recent report by ESET Research, malicious actors are taking advantage of the public interest in the game by distributing malware under the guise of game-related tools and apps. Both Android and Windows users have been affected by these malicious campaigns, with spyware and infostealers being deployed through unofficial channels. Here’s a detailed look at how this malware operates and the risks it poses to users.
Targets
Individuals
How they operate
The recent wave of cyberattacks targeting Hamster Kombat players is a testament to how cybercriminals exploit popular apps and games for malicious purposes. These attacks are multifaceted, affecting both Android and Windows users through various techniques. Here’s a deep dive into the technical mechanisms of the Ratel spyware on Android and the Lumma Stealer infostealer on Windows, and how these malware variants operate under the guise of game-related tools.
Android Malware: Ratel Spyware’s Technical Capabilities
The Ratel spyware is a sophisticated piece of malware that has been disguised as a version of the Hamster Kombat game and distributed via unofficial Telegram channels. Once installed, the app initiates its attack by requesting two key permissions: notification access and the ability to become the device’s default SMS application. These permissions are critical to the malware’s functionality, allowing it to intercept and manipulate sensitive data.
Notification Access: With this permission, Ratel gains the ability to monitor all notifications that appear on the infected device. This includes notifications from banking apps, messaging services, and authentication services that use two-factor authentication (2FA). By capturing this data, the malware operators can steal sensitive information such as one-time passwords (OTPs) and account recovery codes, which are essential for bypassing security barriers.
Default SMS Application: The second permission requested by Ratel is to become the default SMS handler. This allows the malware to intercept, read, and send SMS messages. By controlling SMS functionality, the attackers can intercept authentication codes sent via SMS, steal transactional information, and even send premium-rate SMS messages, effectively siphoning funds from the victim’s account.
After gaining these permissions, the malware operates silently in the background, monitoring both incoming and outgoing messages and notifications. In some cases, it can send SMS messages to services without the user’s knowledge, subscribing them to premium services and incurring charges on their behalf. Additionally, Ratel can exfiltrate data back to a command-and-control (C2) server, enabling attackers to monitor the victim’s activity remotely.
Windows Malware: Lumma Stealer’s Infostealing Techniques
On the Windows platform, cybercriminals are distributing the Lumma Stealer through GitHub repositories and websites that claim to offer farm bots and auto-clickers for Hamster Kombat. These tools are designed to appeal to players who seek to automate repetitive tasks in the game. However, instead of providing legitimate functionality, these tools harbor a potent infostealer designed to siphon sensitive data from compromised systems.
The Lumma Stealer is a modular infostealer that is primarily used to harvest information related to cryptocurrency wallets, login credentials, browser data, and system information. It operates through the following mechanisms:
Credential Harvesting: Lumma Stealer specifically targets browsers and applications that store login credentials. It can extract saved usernames and passwords from browser password managers, including Google Chrome, Mozilla Firefox, and Microsoft Edge. These credentials are packaged and sent back to the C2 server, where they can be used to access the victim’s online accounts.
Cryptocurrency Wallet Theft: Given that many Hamster Kombat players are interested in cryptocurrency, Lumma Stealer focuses on stealing cryptocurrency wallets. It targets popular wallet applications, extracting wallet keys and sensitive data that enable attackers to drain the victim’s cryptocurrency assets.
Two-Factor Authentication (2FA) Bypass: Lumma Stealer also targets 2FA browser extensions, which are often used to enhance security during login processes. By stealing backup codes and bypass mechanisms, the malware makes it easier for attackers to break into accounts that use 2FA, significantly increasing the damage they can inflict.
Lumma Stealer is delivered in various ways through the GitHub repositories identified by ESET Research. These repositories either contain the malware directly in the release files or link to external file-sharing services where the malware is hosted. Once executed, the malware runs silently in the background, collecting data and sending it to its operators.
Malware-as-a-Service: Lumma Stealer’s Ecosystem
What sets Lumma Stealer apart from traditional malware is its widespread availability through malware-as-a-service (MaaS) platforms. Cybercriminals can easily acquire the malware from the dark web or Telegram channels for a fee. This model enables attackers with little technical skill to deploy sophisticated malware campaigns.
Once installed, Lumma Stealer establishes communication with a C2 server, sending the stolen information in encrypted form to evade detection by antivirus solutions and firewalls. The modular design of Lumma allows its operators to continually update and modify its capabilities, making it adaptable to different environments and targets. Additionally, Lumma’s cryptors (tools that obscure malware signatures) play a vital role in preventing detection, allowing it to bypass security measures and deliver its payload undetected.
Conclusion: A Cautionary Tale for Users
The Hamster Kombat malware campaigns reveal how opportunistic cybercriminals exploit popular apps and games to distribute malware, often through unofficial channels. Both the Ratel spyware on Android and the Lumma Stealer on Windows demonstrate the technical sophistication behind these attacks, from gaining unauthorized permissions on mobile devices to exfiltrating sensitive data from desktop systems.
Users must be vigilant when downloading apps or tools from unofficial sources, as they are often vectors for malware distribution. Maintaining up-to-date antivirus software, being cautious with app permissions, and avoiding untrusted websites can help mitigate the risk of falling victim to these malicious campaigns. As malware continues to evolve, proactive security measures remain the best defense against these sophisticated attacks.
References:
