Beyond good ol’ Run key, Part 155

Leveraging popular software for persistence is a clever way to survive in heavily monitored environments of today. The last post discussed GhostScript, and today I will cover a popular gaming platform called GOG.

Games distributed via GOG store their HKLM Registry configuration under keys such as the ones listed below (this is a representative subset, obviously):

  • SOFTWARE\GOG.com\Games\1207662533
  • SOFTWARE\GOG.com\Games\1207664543
  • SOFTWARE\GOG.COM\Games\1207664623
  • SOFTWARE\GOG.com\Games\1207665673
  • SOFTWARE\GOG.COM\GOGADVENTURESSHUGGY
  • SOFTWARE\GOG.COM\GOGANODYNE
  • SOFTWARE\GOG.COM\GOGDARKLANDS
  • SOFTWARE\GOG.COM\GOGEARTH2140D
  • SOFTWARE\GOG.COM\GOGGOBLINS1
  • SOFTWARE\GOG.COM\GOGGOBLINS1FDD
  • SOFTWARE\GOG.COM\GOGGOBLINS2
  • SOFTWARE\GOG.COM\GOGGOBLINS2FDD
  • SOFTWARE\GOG.COM\GOGGOBLINS3
  • SOFTWARE\GOG.COM\GOGGOBLINS3FDD
  • SOFTWARE\GOG.COM\GOGINTERSTATE82
  • SOFTWARE\GOG.COM\GOGLAMULANA
  • SOFTWARE\GOG.COM\GOGRETURNTOKRONDOR
  • SOFTWARE\GOG.COM\GOGT7G

The thing is that under these keys there is a Registry value named GOGGAMEDLL that points to a GOG DLL, and, as you suspect, this entry can potentially be replaced with a proxy DLL.
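From the defender's side, the same layout makes auditing easy: walk every key under HKLM\SOFTWARE\GOG.com, read its GOGGAMEDLL value and flag any DLL path that lives outside the expected install roots. The script below is an added example, not code from the post; it parses a constructed `.reg` export (as produced by `reg export HKLM\SOFTWARE\GOG.com gog.reg`) so it runs offline, and the trusted roots, game folder names and the AppData path are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed .reg export standing in for `reg export HKLM\SOFTWARE\GOG.com gog.reg`.
# Only the key layout and the GOGGAMEDLL value name come from the post; the
# install folders and the AppData path are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\GOG.com\Games\1207662533]
"GOGGAMEDLL"="C:\\Program Files (x86)\\GOG Galaxy\\Games\\ExampleGame\\goggame.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\GOG.COM\GOGGOBLINS1]
"GOGGAMEDLL"="C:\\Users\\alice\\AppData\\Roaming\\update\\goggame.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\GOG.COM\GOGT7G]
"OTHERVALUE"="ignored"
'''

# Roots a GOG game DLL is expected to live under (assumption; tune per estate).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\gog games\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes inside string data.
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def suspicious_gog_dlls(reg_text: str) -> List[str]:
    """Return keys whose GOGGAMEDLL points outside the trusted install roots."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        dll = values.get("GOGGAMEDLL")
        if dll is None:
            continue  # key carries no game DLL entry
        if not dll.lower().startswith(TRUSTED_ROOTS):
            findings.append(key)
    return findings
```

On a live host the same check can read the keys directly with `winreg` instead of parsing an export; a hit is a lead to verify (signature, hash, file owner), not a verdict on its own.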