Cyber crooks found a new disguise for their tools, and the targets are individuals looking for raiding/bombing utilities to use on the Twitch video streaming platform for gamers.
Raiding or bombing is a tactic that started as a way to redirect viewers of a channel to a different one, in order to increase popularity. This type of action is not condoned by Twitch, but the raider has to be reported.
Most of the time, such actions are carried out through a bot and end up decreasing the number of viewers of the raided streamer.
Trojan integrates protection against terminating its activity
Researchers from Malwarebytes took a look at the two samples discovered to pose as bots and found one of them to be a Trojan, while the other integrates a potentially unwanted program (PUP).
The sample, detected as Trojan.Crypt, is known to change the start page of browsers running on the compromised system.
According to the company, the malware comes with other capabilities, too, which include collecting data about the computer. It harvests Windows Product ID, MachineGuid, DigitalProductID, and SystemBiosDate. One possible reason is to fingerprint sandboxes or test machines.
Malwarebytes researcher Jovi Umawing says that the malware injects code into processes and also drops non-threatening component files in the Windows system folder.
She said that some protection measures have been integrated in the analyzed version of the malware, which does not allow the Process Explorer and Task Manager utilities to start; this way, users’ attempts to terminate the activity of the threat are futile.
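For defenders, the fingerprinting behavior described above can be hunted in registry-read telemetry. The following is an added example, not code from Malwarebytes or from the original article: it assumes a Process Monitor-style CSV export, and the process names, PIDs, sample rows and the threshold of three values are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Value names the article says the Trojan harvests (compared in lower case).
FINGERPRINT_VALUES = {"productid", "machineguid", "digitalproductid", "systembiosdate"}

# Constructed sample rows in an assumed Process Monitor CSV layout (not real telemetry).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"10:01:02","twitchbot.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId","SUCCESS"
"10:01:02","twitchbot.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid","SUCCESS"
"10:01:03","svchost.exe","912","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid","SUCCESS"
"10:01:03","twitchbot.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId","SUCCESS"
"10:01:04","twitchbot.exe","4120","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosDate","SUCCESS"
"10:01:05","updater.exe","2204","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId","SUCCESS"
"10:01:05","updater.exe","2204","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId","NAME NOT FOUND"
"10:01:06","updater.exe","2204","RegOpenKey","HKLM\HARDWARE\DESCRIPTION\System","SUCCESS"
'''


def find_fingerprinting(csv_text, threshold=3):
    """Return {(process, pid): sorted value names} for every process that
    successfully read at least `threshold` distinct fingerprint values."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only successful value reads count; key opens and failed reads do not.
        if row["Operation"] != "RegQueryValue" or row["Result"] != "SUCCESS":
            continue
        # The value name is the last component of the registry path.
        value = row["Path"].rsplit("\\", 1)[-1].lower()
        if value in FINGERPRINT_VALUES:
            seen[(row["Process Name"], int(row["PID"]))].add(value)
    # A single read (MachineGuid, for example) is common in benign software,
    # so only processes that collect several distinct values are reported.
    return {proc: sorted(vals) for proc, vals in seen.items() if len(vals) >= threshold}


if __name__ == "__main__":
    for (name, pid), values in find_fingerprinting(SAMPLE_CSV).items():
        print(f"{name} (PID {pid}) read: {', '.join(values)}")
```

A hit is a triage lead rather than a verdict, since legitimate inventory and licensing tools may read the same values.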
Potentially unwanted program also guises as malware
The second sample (Twitch.TV View Bot) found by the researchers delivers more than just the bot, as before the actual installation routine, a screen requires the user to hit the “Accept” button.
Umawing says that the scammers behind it are part of a pay-per-install (PPI) affiliate network, getting paid for every user that puts the application on their system.
At the moment, 29 out of 55 antivirus engines on Google’s VirusTotal service detect the file as suspicious or as adware.
Twitch bombing turns to spam
Initially, raiding another streamer’s chat window would be done to direct the viewers to a different channel, but there are cases where such tools are offered for hire on hacker forums for the purpose of flooding chat windows with spam.
One such service allows hiring for just a short period of time as well as getting lifetime access to it. It is administered straight from the web browser where the target’s name has to be entered along with the unsolicited message. The attack can be initiated or stopped at the operator’s discretion.