Recently a piece of malware targeting World of Warcraft was identified.
This threat is known as Disker, Mal/DllHook-A or Trojan.Siggen5.64266 and can steal player accounts even if they use a Battle.net Authenticator.
Yes, this is another post about password stealer malware...
There is no option to retain the password in the WoW client.
This malware is spread through fake websites leading to malicious downloads.
The Trojan is bundled with legitimate programs such as WowMatrix or Curse Client, which players use to manage their AddOns.
Malicious WowMatrix installer (DCDD6986941B2B4E78A558CAB3ACF337)
Fake sites:
• dns: 1 ›› ip: 142.4.105.98 - address: WWW.CURSE.PW
• dns: 1 ›› ip: 142.4.105.98 - address: WWW.WOWMATRIX.PW
• dns: 1 ›› ip: 142.4.105.99 - address: WWW.WOWMATRIX.PW.PW
Blizzard released a statement about this new threat:
I don't know yet how the DLL works (at least not much).
My debugger had some stability issues when handling wow.exe, but I will get back to this; the mechanism seems interesting (and they even use OutputDebugString!).
Network traffic after logging in:
C&C (in Chinese):
Compromised accounts:
That's all for the moment :)