Hackers have compromised the support system of American video game publisher 2K and now are sending support tickets to gamers containing the RedLine password-stealing malware.
2K is the publisher behind numerous popular game franchises, including NBA 2K, Borderlands, WWE 2K, PGA Tour 2K, Bioshock, Civilization, and Xcom.
Starting today, 2K customers began receiving emails stating that a support ticket had been opened in their name on 2ksupport.zendesk.com, 2K’s online support ticketing system. The tickets were real, but numerous recipients on Twitter and Reddit stated that they were not the ones who had opened them.
Soon after the tickets were opened, the gamers received another email containing a reply to their ticket from an alleged 2K support representative named ‘Prince K.’
This email includes an attached file named ‘2K Launcher.zip,’ hosted directly on 2ksupport.zendesk.com, that purports to be a new game launcher.
“Thank you for reaching out to 2K Support! The download for the new 2K games launcher can be found below,” read the support tickets sent to 2K customers.
The downloaded archive contains a 107 MB executable named ‘2K Launcher.exe,’ and its file properties show that it is not an official 2K executable: it is not digitally signed by the company, its product name is ‘Plumy,’ and its file description is ‘5K Player.’
According to VirusTotal and Any.Run, this executable is the RedLine information-stealing malware.
RedLine Stealer is an information-stealing malware that attempts to steal a wide variety of data, including browser history, browser cookies, saved browser passwords, credit cards, VPN passwords, IM content, system information, and cryptocurrency wallets.
It is also one of the most widely sold malware families on dark web markets and hacking forums, and it is now distributed through a variety of lures, including phishing emails, YouTube videos, and fake game cracks and cheats.
Analysis of 2K Launcher.exe by BleepingComputer shows various folders targeted by the malware, including those used by FileZilla, Discord, Steam, and web browsers, as seen below.
If you have downloaded the fake 2K Launcher and executed it on your Windows device, you should immediately scan your computer with antivirus software and remove what is detected.
Furthermore, it is strongly suggested that you change the password at every site you use to a unique, strong one. Because RedLine also steals browser cookies, a password change alone does not revoke sessions already captured, so sign out of all active sessions on those sites as well.
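As an added example, not code from the article or from 2K, the following PowerShell script turns the indicators above into a quick host triage: it looks for the file names the report mentions in the usual download locations, records size and SHA-256, checks the Authenticode signature, and reads the version resource so the ‘Plumy’ / ‘5K Player’ strings stand out. The search roots, the function name, and the expectation that a genuine 2K binary would be signed by a certificate naming 2K or Take-Two are assumptions made for this example.

```powershell
# Added triage script (example only, not from the article or from 2K).
# Assumptions: file names are the ones the report cites; search roots are
# common download locations; a legitimate 2K launcher is expected to carry a
# valid Authenticode signature whose subject names 2K or Take-Two.
param(
    [string[]]$SearchRoots = @("$env:USERPROFILE\Downloads",
                               "$env:USERPROFILE\Desktop",
                               "$env:TEMP"),
    [string[]]$Names = @('2K Launcher.exe', '2K Launcher.zip')
)

function Test-SuspectLauncher {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $result = [ordered]@{
        Path        = $item.FullName
        SizeMB      = [math]::Round($item.Length / 1MB, 1)
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature   = 'n/a'
        Signer      = ''
        ProductName = ''
        Description = ''
        Verdict     = 'archive only; extract and re-check the .exe'
    }

    if ($item.Extension -ieq '.exe') {
        # Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $result.Signature = $sig.Status
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

        # Version resource: the sample reported here claimed 'Plumy' / '5K Player'
        $vi = $item.VersionInfo
        $result.ProductName = $vi.ProductName
        $result.Description = $vi.FileDescription

        # Assumed expectation for a genuine publisher binary (not verified against 2K's real cert)
        $signedByPublisher = ($sig.Status -eq 'Valid') -and ($result.Signer -match '2K|Take-Two')
        $claimsOtherProduct = ($vi.ProductName -match 'Plumy') -or ($vi.FileDescription -match '5K Player')

        if (-not $signedByPublisher -or $claimsOtherProduct) {
            $result.Verdict = 'SUSPECT: unsigned or identity does not match 2K'
        } else {
            $result.Verdict = 'signed by expected publisher'
        }
    }
    [pscustomobject]$result
}

$hits = foreach ($root in $SearchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -Path $root -Recurse -File -Include $Names -ErrorAction SilentlyContinue
    }
}

if (-not $hits) {
    Write-Host "No file named $($Names -join ' or ') found under: $($SearchRoots -join ', ')"
} else {
    $hits | ForEach-Object { Test-SuspectLauncher -Path $_.FullName } | Format-List
}
```

A `SUSPECT` verdict is a reason to isolate the machine and run a full scan, not proof of infection by itself; conversely, a clean verdict only means the file on disk is not the one described here. Record the SHA-256 before deleting anything so it can be checked against VirusTotal or shared with your incident responders.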
At this time, 2K appears to have taken its support system offline, and users report being unable to log in to access their tickets.
@2KSupport Can’t access 2k Submit Portal. Keeps telling me my PW is wrong. Not receiving an email to change it. Not getting a response FROM ANY OF YOUR PLATFORMS. WTF?
— Thorn_Made_That (@Thorn_Made_That) September 20, 2022
Related to Rockstar Games breach?
Over the weekend, a threat actor announced they breached Rockstar games and began leaking videos of the unreleased Grand Theft Auto VI game and source code files for both GTA V and GTA VI.
Both Rockstar Games and 2K are subsidiaries of Take-Two Interactive, one of the largest game publishers in the Americas and Europe.
The hacker behind the Rockstar Games attack has also claimed responsibility for the recent cyberattack on Uber, which Uber has attributed to the Lapsus$ hacking group.
Microsoft, which Lapsus$ also breached, shared in an earlier report that the group commonly uses RedLine Stealer to steal passwords and authentication tokens that provide access to corporate systems.
It is unclear if the attack on 2K’s support system is related to the attack on Rockstar Games, but the timing is suspicious.
BleepingComputer has reached out to 2K about the hack of its support system but has not received a reply.