Hackers create a fake Pokemon NFT gaming website to infect devices

Malicious entities have crafted a fake Pokemon NFT card game website distributing the NetSupport remote access tool and taking over victim devices.

The website is “pokenon-go.io” which was online when this article was composed claims it has a new NFT card game built for Pokemon franchise providing users with NFT investment profits.

Considering that both NFTs and Pokemon are popular, it was easy for the threat actors to maliciously draw audience for their website by spam and social media posts.

Those who click on the ‘Play on PC’ button will download this executable that looks very similar to the legitimate game installer, however, it actually installs NetSupport remote access tool on the  victim’s system.

Identifying the fake Pokemon NFT scam campaign

An analyst from ASEC   has reported that there is  a second site that has been used in this campaign at “beta-pokemoncards[.]io” but now  has been moved offline.

This campaign was first seen in Dec 2022, while previous samples were found in VirusTotal showed that the same operators had deployed a Visual Studio file instead of the Pokemon game.

Deploying the RAT on to victim devices

The RAT tool is deployed in a new folder in the %APPDATA% path, and kept hidden thus evading the detection from AV scans. The installer also creates an entry in the Startup folder to ensure the RAT will run on system boot. Since NetSupport RAT is a legitimate program, hackers use it to evade the security solutions.

With RAT installed, threat actors can easily remote into user devices and extort data from their device, deploy additional malware or even attempt to distribute the malware as a worm to other systems in the network.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, and Twitter.

You can reach out to us via Twitter/ Facebook or mail us at admin@thecybersecuritytimes.com for advertising requests.