Attackers have created a fake site that impersonates the legitimate Smart Game Booster site, but instead distributes a Trojan that steals your passwords, cryptocurrency wallets, browser history, and much more.

A tactic that is being seen more often is for attackers to create fake and convincing web sites that pretend to be legitimate software. These fake sites, though, distribute password stealing Trojans instead.

For example, in the past we have reported on sites being created that pretend to be Windows system optimizers and VPN software, but actually infect the user with the AZORult Trojan.

A new site was discovered by security researcher MalwareHunterTeam called gamebooster.pro that is identical to the legitimate site pcgameboost.com.

Fake Smart Game Booster Site

The difference, though, is that while pcgameboost.com distributes a legitimate software program called Smart Game Booster, the gamebooster.pro site distributes the password and information stealing Trojan.

The Loki++ Trojan Trojan is a relatively new malware that is being sold on underground hacker and criminal forums.

While this particular sample contains strings identifying it as "Loki++ Stealer 2.0 Coded By Loki", security researcher Vitali Kremez told BleepingComputer that this is a "modified/altered Baldr/Arkei stealer".

Unlike other malware, Loki++ does not have any persistence, which means it will only run once and then remove itself.

When run, though, it will attempt to steal saved login credentials in the browser, browser profiles, cryptocurrency wallets, records from VPN clients, FTP programs, text documents, desktop files, and Telegram sessions. In addition, the Trojan will create a screenshot of the active desktop when executed.

This information is then uploaded to the attackers command and control server, where it can be retrieved later. In this particular sample, the data is being uploaded to a server at lokicode.had.su.

Victim's data being uploaded to attacker's server

As the infection is executed only once, does not display an install screen, and deletes itself after, victims would think there is a problem with the program as nothing would be shown on the screen.

The attackers, though, would now have access to their saved login credentials and other information and could use it for a variety of attacks.

Therefore it is important for users to research a site that you download files from before doing so. If the site has a good reputation, is associated with the program in some manner, then it is most likely safe to download.

If there is little or no information about a site, though, it should be avoided.

Update 8/30/19:

We have updated the article to indicate that the malware appears to be a Loki++ Trojan with code borrowed from Baldr.