Leveraging popular software for persistence is a clever way to survive in today's heavily monitored environments. The last post discussed GhostScript; today I will cover a popular gaming platform called GOG.
Games distributed through GOG store their HKLM Registry configuration under keys like the ones listed below (a representative subset, obviously):
- SOFTWARE\GOG.com\Games\1207662533
- SOFTWARE\GOG.com\Games\1207664543
- SOFTWARE\GOG.COM\Games\1207664623
- SOFTWARE\GOG.com\Games\1207665673
- SOFTWARE\GOG.COM\GOGADVENTURESSHUGGY
- SOFTWARE\GOG.COM\GOGANODYNE
- SOFTWARE\GOG.COM\GOGDARKLANDS
- SOFTWARE\GOG.COM\GOGEARTH2140D
- SOFTWARE\GOG.COM\GOGGOBLINS1
- SOFTWARE\GOG.COM\GOGGOBLINS1FDD
- SOFTWARE\GOG.COM\GOGGOBLINS2
- SOFTWARE\GOG.COM\GOGGOBLINS2FDD
- SOFTWARE\GOG.COM\GOGGOBLINS3
- SOFTWARE\GOG.COM\GOGGOBLINS3FDD
- SOFTWARE\GOG.COM\GOGINTERSTATE82
- SOFTWARE\GOG.COM\GOGLAMULANA
- SOFTWARE\GOG.COM\GOGRETURNTOKRONDOR
- SOFTWARE\GOG.COM\GOGT7G
The thing is that under these keys there is a Registry value named GOGGAMEDLL that points to a GOG DLL – and, as you suspect, this entry can potentially be replaced with a proxy DLL.
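A defender-side audit of these values, as an added example (PowerShell, not code from the original post): it walks the GOG.com keys, reads each GOGGAMEDLL value and flags entries whose file is missing, relative, unsigned or sitting in a user-writable location. It assumes the value holds a DLL path and that legitimate GOG DLLs carry a valid Authenticode signature; the WOW6432Node root and the location heuristic are my additions, not something the post states.

```powershell
# Added example: audit GOGGAMEDLL values under the GOG.com registry keys.
# Assumptions (not stated in the post): the value is a file path, and a
# legitimate GOG DLL has a valid Authenticode signature.
$roots = @('HKLM:\SOFTWARE\GOG.com', 'HKLM:\SOFTWARE\WOW6432Node\GOG.com')

$keys = foreach ($root in $roots) {
    if (Test-Path -Path $root) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue
    }
}

$findings = foreach ($key in $keys) {
    $dll = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).GOGGAMEDLL
    if (-not $dll) { continue }

    $reasons = @()
    $path = [Environment]::ExpandEnvironmentVariables($dll)

    # A relative path resolves against whatever the game's working directory
    # happens to be, so it deserves a closer look on its own.
    if (-not [System.IO.Path]::IsPathRooted($path)) { $reasons += 'relative path' }

    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $reasons += 'file missing'
    } else {
        # Report signature state and signer; anything other than Valid is a finding.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature $($sig.Status)"
        } else {
            $reasons += "signed by $($sig.SignerCertificate.Subject)"
        }
        # Heuristic (my assumption): a game DLL is not expected under these trees.
        if ($path -match '^(?i)[a-z]:\\(Users|ProgramData|Windows\\Temp)\\') {
            $reasons += 'user-writable location'
        }
    }

    [pscustomobject]@{
        Key     = $key.Name
        DllPath = $dll
        Notes   = $reasons -join '; '
    }
}

$findings | Sort-Object Notes | Format-Table -AutoSize
```

Run it from an elevated prompt so every key under HKLM is readable; a baseline run on a clean install gives the expected signer string to compare later results against.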