Don't fall for the latest Pokemon NFT card game scam - it's actually a front for distributing the NetProtect RAT

Continue reading
Are you a fan of Pokemon and NFTs? Be warned: there's a new scam that dangerously combines both of these passions. A website proclaiming to offer a Pokemon NFT card game is actually a front for distributing malware. Those who download the supposed game installer are in for a nasty surprise, as they're actually installing a remote access tool (RAT) on their system. This RAT gives the threat actors behind the scam the power to take control of your device and wreak havoc. And unfortunately, this isn't the first time this RAT has been used for nefarious purposes. Don't let your love of all things Pokemon lead you down a dangerous path - read on to learn more about this devious scheme and how to protect yourself from this threatfeed!
The Pokemon franchise has long been a beloved and popular one, with millions of fans worldwide. The recent trend of non-fungible tokens (NFTs) has only added to the franchise's popularity, as collectors flock to buy and trade unique digital assets. It's no surprise, then, that a website claiming to offer a new Pokemon NFT card game would attract attention. However, this particular website is not what it seems.
According to reports, the website "pokemon-go[.]io" is actually a front for distributing the NetSupport remote access tool (RAT). When users click on the "Play on PC" button, they download an executable that appears to be a legitimate game installer but is actually installing the RAT on their system. The RAT allows the threat actors to remotely connect to the victim's device and perform various actions, such as stealing data or installing additional malware.

*Fake Pokemon NFT Game Pushing NetSupport RAT*
The use of a well-known and trusted brand like Pokemon to lure in victims is a common tactic employed by threat actors. In this case, the popularity of both Pokemon and NFTs likely made it easier for the operators of the malicious website to draw in an audience through malspam, social media posts, and other means. According to the analysts at ASEC who first discovered the operation has mentioned that the campaign also made use of the domain "beta-pokemoncards[.]io," which has since been taken down.
While the NetSupport remote access tool (RAT) is a legitimate software product, it is not uncommon for threat actors to exploit its capabilities for malicious purposes. Here, though, the RAT was distributed through a website that claimed to offer a Pokemon NFT card game, with the executable disguised as a legitimate game installer. Once installed on the victim's system, the RAT allows the threat actors to remotely connect to the device and perform various actions, such as stealing data or installing additional malware.
The executable for NetSupport RAT ("client32.exe") and any essential dependencies are placed in a new subdirectory under the `%APPDATA%` directory. They are marked as "hidden" to avoid being detected by victims conducting their own manual searches of the file system.

*File contents of configuration file*
In addition, the installer makes a Startup item in Windows so that the RAT launches automatically when the operating system boots.

*NetSupport RAT interface*
This is not the first time that NetSupport Manager, the company behind the RAT, has been used in malicious campaigns. In 2020, Microsoft warned about phishing actors using COVID-19-themed Excel files that dropped NetSupport RAT onto the recipients' computers. In August 2022, a campaign targeting WordPress sites with fake Cloudflare DDoS protection pages installed NetSupport RAT and Raccoon Stealer on victims.
As the recent Pokemon NFT card game website attack showed us, cybercriminals are constantly coming up with new and creative ways to trick users into downloading malware. In this instance, the website appeared to offer a fun and exciting new game based on the beloved Pokemon franchise, complete with the added allure of NFTs. However, those who fell for the scam and clicked on the "Play on PC" button ended up with a lot more than just a game - they also downloaded the NetSupport RAT onto their system. This RAT allows the threat actors to remotely access and control the victim's device, potentially stealing sensitive data or installing additional malware. However, the repercussions of such an infection are far-fetching, particularly in terms of gaining access to private information and downloading other malware programs.

Chinese-speaking TA4922 expands into Europe, deploying new Atlas RAT malware in phishing campaigns targeting organizations across sectors.