Avast researchers have found password stealer malware, disguised as a private Fortnite server, where users can meet for a private match, and use skins for free. The malware is being heavily propagated on communications platform Discord. The researchers also found TikTok “tutorial” videos describing how potential victims can join the Discord server, disable their antivirus, and download the malicious file.

The password stealer is designed to steal credentials and other information saved in the browser, as well as cryptocurrencies from crypto wallets, and take screenshots. It also steals login credentials from Discord, NordVPN, FileZilla, and more (a full list of what the password stealer is capable of can be found towards the bottom of this post).  

The malicious campaign takes advantage of young gamers looking for private matches to customize their Fortnite character’s appearance to reflect their personality or mood. The campaign is in Russian, mostly targeting Russian gamers. Since the beginning of this year, Avast has protected more than 2,000 customers from this password stealer.

The TikTok account hosting the tutorial videos is called “shtorm_genius”, as can be seen in the screenshot below. We have seen two examples of tutorial videos on the account describing how to join the Discord server and download the malware, in detail. One of the videos, which is an older video, is more thorough, for example, it contains instructions on how to disable antivirus protection on the victim's PC, to guarantee the malware can run.

TikTok account promoting the Discord server hosting the malicious file

Screenshot of one of the tutorial videos describing in detail how people can join the Discord server where they are encouraged to download the malicious file.

The Discord server is called “Storm Community”, and has close to 300 users and is growing.  People on the server also offer Fortnite accounts for sale, which, allegedly, contain skin items that the buyer can use or sell elsewhere.

In another video on the TikTok account, a Discord server (not the one we found) is shown. See the screenshot below. This leads us to believe that the password stealer malware is being distributed on more than one Discord channel. 

In the Discord server we analyzed, a user with the username “Genius” notifies everyone in the channel to download the “private server”.

In a channel within the Discord server called “chat”, a user asks what to do, because the private server doesn’t work. As we know, the file is in reality password stealer malware, which does work. The file executes and a window pops up for a split second, so quickly that the victim doesn’t even realize something happened. Unfortunately, from the conversation it is apparent that the user tried to start the private server and got unwittingly infected as a result.

Another user reacts to the victim’s post, pointing out that the file is a trojan. The user “Genius”, who we suspect is the malware author, asks for proof.

Just shortly after, the message outing the file as a trojan is deleted.

How the password stealer malware works

The password stealer mainly focuses on credential theft, stealing cryptocurrencies, extracting information saved in the browser (such as passwords, cookies, and credit cards), as well as stealing clipboard contents and taking screenshots.

It checks for cryptocurrency wallets, either by their common file location, or by searching for installed browser extensions.

The malware also steals credentials from applications commonly used by gamers, including Steam and Discord, as well as FTP and VPN software.

All the stolen information is sent to the author's C&C server (95.142.46[.]35:6666) in the form of an unencrypted .ZIP file, containing all the collected information from browsers and applications, cryptowallet files, as well as the clipboard content, and screenshots. The malware also sends a log file, encoded using Base64, informing the author about what was stolen, including additional information about the victim’s system.

The complete list of stolen information can be found below.

Information extracted from browsers:

• Saved passwords
• Cookies
• Autofill information
• Credit Cards

OS information:

• OS version
• OS build
• System install date
• System product ID

Credentials from:

• FileZilla
• TotalCommander
• Steam
• Telegram
• NordVPN
• OpenVPN
• Discord

Cryptocurrencies:

• Armory
• Atomic
• Bitcoin
• Bytecoin
• Dash
• Electrum
• Ethereum
• Litecoin
• Zcash
• Exodus
• MetaMask
• Ronin
• Binance
• Tron

Other contents:

• Clipboard contents
• Screenshots of victim’s screen

Recommendations for gamers to avoid falling victim to this and similar scams

• Never trust anything that recommends disabling your antivirus protection. Anyone asking you to do this is trying to share something unsafe. 
• If something seems too good to be true - in this case free skins on a private server for your favorite game - think twice before proceeding, because it likely is too good to be true.
• Only download and use software from verified and trustworthy sources. We recommend visiting these sources directly, rather than following a link shared somewhere. 
• This may sound like a big cliché, but really, don’t trust everything you see on the internet. In this case, the TikTok account has thousands of likes, but that doesn’t mean it is trustworthy. 

Indicators of Compromise (IoC)