FlightSimLabs develops add-ons for Microsoft’s Flight Simulator game. These add-ons allow customers to buy additional planes to fly, expanding the game experience. Some Reddit users noticed a strange file, test.exe, which was extracted into a temporary folder when the A320X add-on was installed. Upon further investigation, the executable turned out to be malware purposefully placed by FSLabs to steal usernames and passwords stored in Google Chrome when a pirated copy is installed.
The malware is designed to run only when a flagged serial number is detected. The application is actually the command-line tool Chrome Password Dump
created by SecurityXploded which retrieves and displays usernames and passwords from Chrome in an easy-to-read format. The .bin file provided with the FSLabs application calls the test.exe file and sends the output to a Log.txt file. As if this wasn’t bad enough, the text file is then encoded with Base64.exe and sent back to an FSLabs site, installLog.flightsimlabs.com over an HTTP connection (not even
HTTPS). Security researchers at Fidus Information Security determined that the malware was not called when the application is run with a legitimate serial number.
The founder and owner of FSLabs, Lefteris Kalamaras, states "First of all – there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products." The malware was intended to collect information on people using pirated copies only. However, stealing credentials may still violate multiple sections of the Computer Fraud and Abuse Act. Also, even though the malware is not activated by the add-on for legitimate users, it was still extracted and puts their systems at risk of someone else activating it. FSLabs has offered another version of the installer without the test.exe file.
Thanks to Peraton CIP report for this information