A previous edition of this blog featured an image of the Hearthbuddy bot software purchase and download page. This was just shown to provide a general example of an available bot. Symantec did not suggest (nor intend to suggest) that Hearthbuddy itself is or contains malware. Symantec apologizes for any confusion.

Hearthstone, a free-to-play card game based on World of Warcraft, has been indirectly targeted by malware authors. These attackers have created third-party programs that supposedly benefit Hearthstone players, but in reality can compromise their computers with malicious software.

How are Hearthstone players being targeted?

Some Hearthstone players search for tools online to help them play better or earn more rewards. In most cases, the use of these tools is considered as cheating, as they give players an unfair advantage. Blizzard, the game’s creator, does not approve of these services.

This isn’t the only downside; we have observed that some of the third-party services contain malware. If a player installs them, then attackers may be able to open a back door on their computer, and steal sensitive information and Bitcoins.

Gold- and dust-hacking may lead to malware

Hearthstone allows players to earn cards and use them in matches against others. Players chiefly earn cards in the following ways:

Paying real money

Using gold, which can be received by playing matches and doing daily quests

Using dust, which is gained by destroying cards that players already own

The fastest way to earn cards is to purchase them with real money. This may be a significant investment for some. However, the other methods require more time to be spent playing the game.

Rather than paying money or using in-game methods, some players may try to cheat to get additional gold and dust. This can lead them to applications like Hearthstone Hack Tool v2.1, which promises that “gold and dust won’t be a problem anymore.” Such applications are a total scam; they do not work.

Symantec has recently observed Trojan.Coinbitclip posing as a Hearthstone gold- and dust-hacking tool. Because Bitcoin addresses are long and include random characters, many users who mine Bitcoins use a clipboard to facilitate the process. Trojan.Coinbitclip hijacks the user’s clipboard and replaces the user’s Bitcoin address with one from its own list—this is how the malware steals someone’s Bitcoin. The sample we have observed has 10,000 Bitcoin addresses in its body. The Trojan selects an address from the list that most closely resembles the address it is replacing.

Players looking to ignore the game’s rules and earn gold and dust quicker may be rewarded with malware instead of the cards they were looking for.

Bots that play for you—and compromise your computer

Gold- and dust-hacking tools aren’t the only ways to cheat in Hearthstone. A number of players use bots to play parts of the game for them.

Every month, players are rewarded with additional cards or dust, depending on their rank on Hearthstone’s ladder. Some players looking to earn top rewards without doing the work have turned to bots to help them. They can avail of the bots by buying software online and configuring it to their needs.

These bots can play more rewarding modes of the game, such as the Arena. They also randomly respond to their adversary’s emotes to make them seem like legitimate players. However, as with the gold- and dust-hacking tools, bot applications may include malware. Once the software is installed, the attached threat compromises the computer.

Blizzard regularly bans players for taking these kinds of shortcuts. Last year, the maker of the popular bot application HearthCrawler had to close up shop after Blizzard cracked down on customers using the service. Even if a player uses one of these applications and avoids malware infection, there’s a chance they could temporarily, even permanently, lose their Blizzard account.

Deck-tracking malware

There are some third-party Hearthstone tools that may not strictly be defined as cheating software. The most well-known Hearthstone add-ons are deck trackers that let players know which cards they haven’t drawn yet and more information. A lot of Hearthstone players would consider the use of deck trackers as cheating. Blizzard does not usually endorse third-party applications that mine its games. According to the company’s EULA, data mining is considered a violation, though it is at Blizzard’s discretion to allow third-party applications or not.

However, deck tracker add-ons are widely used by popular streamers who broadcast their Hearthstone matches on Twitch. This has led many of their viewers to do the same.

Cybercriminals have released their own malicious deck tracker add-ons. As Blizzard doesn’t support these tools, they are as susceptible to malware as any other third-party modification in the game.

In December 2015, Symantec saw that attackers disguised Backdoor.Breut as one of these add-ons by using the file name Hearthstone Deck Tracker.exe. This threat is capable of opening a back door, recording from the webcam, logging key strokes, and stealing passwords.

Protection

To stay protected against malware, Symantec advises users to keep their computers, security software, and other programs up-to-date by applying the latest patches and updates. We also recommend that users avoid downloading third-party software for Hearthstone, as they could come with additional malware.

Symantec and Norton products have the following detections in place to protect customers from this threat:

Antivirus