Skip to content

Fake Pokemon NFT game is taking over Windows devices

  • by
  • 3 min read

Analysts at ASEC have discovered a new malware campaign using a Pokemon NFT game to deliver the NetSupport Remote Access Tool (RAT) to victims’ devices to take over them remotely. The campaign has been active since at least December 2022. 

The game, whose website is still live at the time of writing, claims to be a Pokemon card game that potentially holds the benefit of the players getting NFTs. Clicking the download button on the site downloads a game installer which instead installs NetSupport on the user’s PC. 

Fake Pokemon NFT game is taking over Windows devices
The site distributing the fake Pokemon card game.

The executable file creates a hidden directory to install NetSupport in the Windows’ %AppData% directory. This is to hide the installation from manual inspections. Additionally, the installer also creates an entry in the Windows startup folder to ensure the program runs at Boot. 

To clarify, NetSupport is a legitimate program used for remote screen control and systems management, with the first version released as far back as 1989. Since it’s a legitimate program, threat actors often use it hoping to evade any antivirus or antimalware programs installed on the victim’s computer. 

Even though NetSupport has cross-platform support, the target ‘game’ is only compatible with Windows 10 and 11. The downloaded program also has a custom name, icon and version information, tricking users into believing it’s a legitimate game and running the program.

Fake Pokemon NFT game is taking over Windows devices
The game offers Pokemon NFTs as a benefit to playing.

Once run, the program connects to the threat actor’s Command and Control (C2) centre, a NetSupport server, the address included in the client32.ini file downloaded alongside the installer. Once a connection is established, the threat actor takes control of the victim’s system.

ASEC reports different phishing websites using the same fake Pokemon game to distribute multiple NetSupport droppers. However, while the dropper files might differ, they’re all linked to the same C2 server address. 

When fully exploited, NetSupport can allow a remote operator not only to see and control your screen but also record it, copy clipboard history, collect web history, manage files and run arbitrary commands. This makes extracting sensitive information like web credentials or installing additional malware easier.

In the News: You can now use proxies to connect to WhatsApp

>