
Albion Online forum users targeted in EFF-themed phishing scam


Users of the Albion Online gaming forum have recently been targeted by a sophisticated Russian phishing campaign masquerading as a security warning from the Electronic Frontier Foundation (EFF). The attackers exploited fears of account bans to lure victims into downloading the Stealc and Pyramid C2 malware.

Forum users reported receiving private messages claiming to be from “the EFF team,” warning them about potential account suspensions. The fraudulent message urged recipients to act immediately by clicking on a link, which led to a malicious PDF file.

This document, while convincingly mimicking EFF’s branding and typefaces, was a trojan designed to deliver malware to victims’ devices.

Researchers observed that the attack involved a multi-stage payload delivery system. The PDF file contained an embedded script that contacted an attacker-controlled server. The server responded with a second-stage payload that installed itself on the victim’s Windows device.

The malware modified files on the user’s physical drive and connected the infected machine to a botnet. Alarmingly, the malware appeared to interact with the ‘VaultSvc’ service, potentially compromising stored user credentials.

[Image] Phishing message shown to Albion Online forum users. | Source: Electronic Frontier Foundation (EFF)

The PDF serves as a decoy for the user while the malware executes in the background. The malware first extracts the Python.zip file and then sleeps for about 30 seconds. After extraction, the malware searches for the pythonw.lnk secondary shortcut file and moves it to the Windows Startup folder for persistence.

Next, the malware drops albion.exe and 12.py from the ZIP file. The former is a Python executable that the hackers renamed, while the latter includes two strings obfuscated using zlib compression and base64 encoding.
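The persistence chain described above (a renamed Python interpreter executing a dropped script, plus a shortcut written into the Startup folder) leaves traces that endpoint telemetry can catch. The following is an added detection example, not code from the article or from EFF: it runs two checks over Sysmon-style events (EventID 1 ProcessCreate and EventID 11 FileCreate) and also shows the one-line decoding an analyst would apply to a zlib-compressed, base64-encoded string pulled from a script such as 12.py. All events and the encoded sample are constructed for the example; the file paths, the `albion.exe` process name and the set of benign shortcut writers are assumptions.

```python
import base64
import re
import zlib

# Startup folder shortcut pattern (both the per-user and all-users paths end this way)
STARTUP_LNK_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
    re.IGNORECASE,
)
# PE OriginalFileName values carried by the official Python interpreters
PYTHON_ORIGINALS = {"python.exe", "pythonw.exe"}
# Processes that routinely write Startup shortcuts; anything else is worth a look (assumption)
BENIGN_LNK_WRITERS = {"explorer.exe", "msiexec.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def renamed_python(event: dict):
    """ProcessCreate: the PE says it is python(w).exe but it runs under another file name."""
    if event.get("EventID") != 1:
        return None
    original = event.get("OriginalFileName", "").lower()
    image = _basename(event.get("Image", ""))
    if original in PYTHON_ORIGINALS and image != original:
        return (f"renamed Python interpreter: {image} (OriginalFileName={original}) "
                f"cmd={event.get('CommandLine', '')}")
    return None


def startup_lnk_drop(event: dict):
    """FileCreate: a .lnk written into a Startup folder by something other than the shell or an installer."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    writer = _basename(event.get("Image", ""))
    if STARTUP_LNK_RE.search(target) and writer not in BENIGN_LNK_WRITERS:
        return f"Startup shortcut written by {writer}: {target}"
    return None


def detect(events) -> list:
    """Run every rule over every event and return the alert strings in event order."""
    alerts = []
    for event in events:
        for rule in (renamed_python, startup_lnk_drop):
            hit = rule(event)
            if hit:
                alerts.append(hit)
    return alerts


def decode_obfuscated(blob: str) -> str:
    """Reverse the base64-then-zlib layering described for the strings in 12.py."""
    return zlib.decompress(base64.b64decode(blob)).decode("utf-8")


# Constructed sample telemetry: two malicious events, two benign look-alikes.
USER = r"C:\Users\victim"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": USER + r"\AppData\Local\Temp\albion.exe",
     "TargetFilename": USER + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pythonw.lnk"},
    {"EventID": 1, "Image": USER + r"\AppData\Local\Temp\albion.exe",
     "OriginalFileName": "pythonw.exe", "CommandLine": "albion.exe 12.py"},
    {"EventID": 1, "Image": r"C:\Python312\pythonw.exe",
     "OriginalFileName": "pythonw.exe", "CommandLine": "pythonw.exe app.py"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": USER + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk"},
]

# Constructed encoded string standing in for the obfuscated strings an analyst would extract.
SAMPLE_BLOB = base64.b64encode(zlib.compress(b"placeholder string for the example")).decode()

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
    print("decoded:", decode_obfuscated(SAMPLE_BLOB))
```

The renamed-interpreter check relies on the PE version resource (Sysmon's OriginalFileName field), which renaming the file on disk does not change; the Startup-folder check is deliberately narrow so that the shell and installers do not produce noise. Both rules translate directly into a SIEM query over the same two event types.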

Experts have urged Albion Online forum users to remain vigilant and take necessary precautions. They should avoid clicking on links from unsolicited private messages, particularly those creating a sense of urgency. Users are also advised to report such messages through the forum’s built-in reporting tool, which is essential to help moderators take action.

Moreover, users should verify the authenticity of messages by consulting other forum members before responding, to prevent potential harm. Keeping software and security tools updated is another crucial step in mitigating risks from emerging threats.

“If you ever absolutely must open a file, do so in an online document reader, like Google Drive, or try sending the link through a tool like VirusTotal, but try to avoid opening suspicious files whenever possible,” EFF concluded.



Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
