Focus Mode
Threat Research

Hidden Threats of Game Assistants | Analysis Report on the “Catlavan” Backdoor Spread in Gaming Forums

iocOne
Hidden Threats of Game Assistants | Analysis Report on the “Catlavan” Backdoor Spread in Gaming Forums
As the user base for online gaming grows, so does the gray market for cheats and auxiliary software, which has also led to the spread of malware. A breakthrough in malicious file detection technology by BinaryAI identifies a recent attack targeting users in Russian-based gaming environments, linked to a backdoor named “Catlavan.” This backdoor uses a two-phase approach to steal information and communicate with attackers via Telegram. Affected: gaming sector, software security

Keypoints :

  • The rise of cheats and auxiliary software in online gaming poses significant security risks.
  • BinaryAI has developed a semantic-based detection engine to identify malicious files.
  • The “Catlavan” backdoor spreads through a compressed package targeting Russian-language environments.
  • The backdoor consists of a two-step process involving a loader (LiveRuch.exe) and a server (runtime_broker.exe).
  • The second phase is designed to steal user information and log activities via Telegram.
  • The malware includes hardcoded credentials for SFTP uploads.
  • Recommendations include avoiding illegal software and utilizing security tools like Tencent PC Manager for protection.

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: The malware uses Telegram for command and control, sending logs and executed commands to the attacker’s account.
  • T1059.001 – Command-Line Interface: The wicked software uses command-line operations such as ShellExecuteExA and taskkill for process controlling and file management.
  • T1041 – Exfiltration Over Command and Control Channel: User information and data are exfiltrated through Telegram, demonstrating typical C2 behavior.
  • T1033 – Service Introspection: The backdoor checks if it is running with administrator privileges, adjusting accordingly based on access.
  • T1114 – Email/SMTP: Malware acknowledges and processes Telegram communications mimicking user interaction with malicious prompts.

Indicator of Compromise :

  • [IP Address] 93.185.157.131
  • [Telegram Bot Token] 7484681692:AAHvE1a6KYWG0gAZVcEFfo04OwRLugyuaZg
  • [Telegram Chat ID] 7174999938
  • [MD5] 1715eeafe4b6815512a9340247879fed + other MD5

Full Story: https://mp.weixin.qq.com/s?__biz=MzI5ODk3OTM1Ng==&mid=2247510023&idx=1&sn=190730a6182da1469a76c29ec479ae13&chksm=ec9f7174dbe8f86290b0ced6fb6032de62bf76e90dabb9f7bbcb0f264b0d177e146f5c205169&scene=58&subscene=0#rd

Tags: EXFILTRATION, SMTP, BACKDOOR, CLOUD, TOOL, EMAIL, TROJAN, PASSWORD