This threat is known as Disker, Mal/DllHook-A or Trojan.Siggen5.64266 and can steal player accounts even if they use a Battle.net Authenticator.
Yes, this is another post about password stealer mawlare...
The method used to spread this malware is by fake websites leading to malicious download.
The Trojan is bundled with legit programs such as WowMatrix or Curse Client, used by players to manage their AddOns.
Malicious Wowmatrix installer. (DCDD6986941B2B4E78A558CAB3ACF337)
• dns: 1 ›› ip: 220.127.116.11 - adress: WWW.CURSE.PW
• dns: 1 ›› ip: 18.104.22.168 - adress: WWW.WOWMATRIX.PW
• dns: 1 ›› ip: 22.214.171.124 - adress: WWW.WOWMATRIX.PW.PW
Blizzard released a statement due to this new threat:
I don't know how work the dll for the moment (at least a bit)
My debugger got some stability issue when handling wow.exe but i will get back on this, the mechanism seem interesting (and they even use OutputDebugString!).
C&C (in Chinese):
That all for the moment :)