Every once in a while, though, we stumble upon something that stands out, something that doesn’t fall into the common malware categories that we encounter every day – such as ransomware, banking Trojans, or targeted attacks (APTs) – just to name a few of those that are currently causing the most problems. Today, we’re bringing you one of those uncommon threats – a Trojan devised to target players of online poker.
“We have seen this Trojan masquerading as a number of benign installers for various general purpose programs, such as Daemon Tools or uTorrent. In other cases, the spyware is installed through various poker-related programs,” said Robert Lipovsky, Senior Malware Researcher at ESET.
Once installed, the malware first checks whether PokerStars or Full Tilt Poker is running. If one of them is, Odlanor proceeds to take screenshots of the poker hand, all without alerting the victim. The screenshots - which capture the player's ID and virtual hand - are sent to the attacker, giving the criminal an unfair advantage at winning the poker game.
Because the player ID is then known, the attacker can follow that person in future sessions. Both of the targeted poker sites - PokerStars and Full Tilt Poker - let players search for others using this ID, so it is easy for a hacker to connect to tables the victim is playing on.
As is typical of most malware, the largest number of detections has initially come from Eastern European countries, but the Trojan is spreading worldwide and may be modified to work with other games of skill.
ESET has observed several versions of the malware in the wild, the earliest ones from March 2015. According to ESET LiveGrid telemetry, the largest number of detections comes from Eastern European countries. Nevertheless, the Trojan poses a potential threat to any player of online poker. Several of the victims were located in the Czech Republic, Poland and Hungary.