Pokemon NFT Used Maliciously – Gotta Infiltrate ‘Em All

Cybercrime varies in its methods, but the most popular form revolves around masquerading as popular names to trick users. From impersonating social media platforms such as Instagram to popular games like Pokemon, things are getting out of hand.

Pokemon Phishing Attack

A new campaign sees threat actors using a fake, well-crafted Pokemon NFT card game website to spread the NetSupport remote access tool in hopes of taking full control of the victim’s PC devices.

Pokemon Card Games are at a new high in terms of popularity, especially with the existence of Pokemon TCG. Now, by combining Pokemon and NFTs, success is guaranteed. How is this executed? What is NetSupport? We’ve discussed everything in the following article.

Pokemon CyberAttack: What? Cybercrime is Evolving!

Using fake websites to distribute malware has become a common tactic among threat actors throughout the years. In fact, 2022 saw a lot of such practices, particularly those that include games and VPN software.

A while ago, none other than the VPN giant, ExpressVPN, was impersonated by cybercriminals with the intention of injecting the RedLine malware into their victims’ devices.

As for the gaming department, other threat actors used names like Krunker, 2K Games, as well as Valorant. This time around, it’s one of the biggest games in the world – Pokemon.

This fake website promotes an NFT card game built around the Pokemon franchise, combining both fun and NFT investment profits together.

Pokemon Fake Website

Radiant Gardevoir, who wouldn’t want that? It seems that the threat actors behind this definitely know what they’re doing.

Apparently, they’re luring their victims through malvertising, social media posts, and the like. On the fake page, users will find a button that says “Play on PC,” which is typically exactly what they want.

Play on PC

Once they click on it, they’ll download a file that resembles a legitimate game installer. The following image shows how well all of this is executed:

Pokemon Installer

However, in reality, they’ll be installing the NetSupport remote access tool (RAT) on their systems. NetSupport Manager is a legitimate tool, but it’s now commonly utilized by threat actors precisely because legitimate remote-administration software tends to evade security software.

According to analysts at ASEC,

“The malware is an installer malware developed with InnoSetup. When executed, it creates a folder in the %APPDATA% path and creates hidden NetSupport RAT-related files before executing them.

It also creates a shortcut in the Startup folder, allowing the malware to be run even after a reboot. client32.exe, the ultimately executed file in the process tree below, is the NetSupport Manager client.”

Configuration File
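The chain ASEC describes (hidden files under %APPDATA%, a shortcut in the Startup folder, client32.exe as the final process) is something a defender can hunt for in file-system telemetry. The Python triage below is an added example, not ASEC’s or the article’s code; it runs over a constructed sample of events in a hypothetical `FsEvent` schema and assumes that a legitimate NetSupport Manager install lives under Program Files rather than %APPDATA%.

```python
import re
from dataclasses import dataclass

@dataclass
class FsEvent:
    """One file-system observation from endpoint telemetry (hypothetical schema)."""
    kind: str             # "file" for a created file, "lnk" for a shortcut
    path: str             # full path of the file or shortcut
    hidden: bool = False  # hidden attribute set on the file
    target: str = ""      # resolved target path for "lnk" events

# %APPDATA% is <profile>\AppData\Roaming; the per-user Startup folder lives beneath it.
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I)
STARTUP_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)

def _split(path):
    """Return (folder, filename), both lower-cased, for a Windows path."""
    folder, _, name = path.rpartition("\\")
    return folder.lower(), name.lower()

def triage(events):
    """Map each %APPDATA% folder holding a client32.exe to the reasons it was flagged."""
    flagged = {}
    for e in events:                 # pass 1: NetSupport client dropped outside Program Files
        folder, name = _split(e.path)
        if e.kind == "file" and name == "client32.exe" and APPDATA_RE.match(folder + "\\"):
            flagged.setdefault(folder, []).append("client32.exe dropped under %APPDATA%")
    for e in events:                 # pass 2: corroborating hidden files and persistence
        folder, name = _split(e.path)
        if e.kind == "file" and e.hidden and folder in flagged:
            flagged[folder].append(f"hidden file {name}")
        if e.kind == "lnk" and STARTUP_RE.search(e.path):
            tfolder, tname = _split(e.target)
            if tfolder in flagged:   # shortcut in Startup points at the suspicious folder
                flagged[tfolder].append(f"Startup shortcut {name} -> {tname}")
    return flagged

# Constructed sample telemetry (not from the article) mirroring the described chain.
SAMPLE = [
    FsEvent("file", r"C:\Users\alice\AppData\Roaming\Pokemon\client32.exe", hidden=True),
    FsEvent("file", r"C:\Users\alice\AppData\Roaming\Pokemon\client32.ini", hidden=True),
    FsEvent("lnk", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pokemon.lnk",
            target=r"C:\Users\alice\AppData\Roaming\Pokemon\client32.exe"),
    # benign: an admin install under Program Files and an ordinary Startup entry (assumed paths)
    FsEvent("file", r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"),
    FsEvent("lnk", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
            target=r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
```

Only the folder that combines all three signals is reported; the Program Files install and the unrelated Startup shortcut stay silent.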

Once the malware takes root in the device, it allows the threat actor to perform all sorts of malicious practices. This includes stealing data, installing other malware, or spreading further on the network.

Aside from “pokemon-go[.]io,” there’s another website used in this campaign with the “beta-pokemoncards[.]io” URL, but it has since been taken offline. “pokemon-go[.]io,” however, is still active at the time of writing.

To Protect the World from Infiltration

No matter how tempting a game/software might be, you should never download it from an untrusted source. You never know who’s hosting it.

Always rely on official stores to download your content. Pokemon is one of the most popular games in the world, which makes it the perfect lure for victims. Stay safe!
