Tuesday, February 18, 2025

Threat Actors Trojanize Popular Games to Evade Security and Infect Systems


A sophisticated malware campaign was launched by cybercriminals, targeting users through trojanized versions of popular games.

Exploiting the holiday season’s heightened torrent activity, the attackers distributed compromised game installers via torrent trackers.

[Image: Malicious torrent available for download]

The campaign, which lasted for a month, primarily delivered the XMRig cryptominer to unsuspecting users in Russia, Brazil, Germany, Belarus, and Kazakhstan.

Popular titles such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, and Universe Sandbox were weaponized to execute a complex infection chain.

Execution Chain

The attackers employed advanced methods to evade detection and ensure the malware’s success.

The trojanized installers were crafted using Inno Setup, embedding malicious payloads that were encrypted and hidden within legitimate-looking game files.

Upon execution, the installer decrypted these AES-encrypted payloads and dropped them into the system's temporary directories.

A key component of the attack involved anti-debugging checks to detect sandbox environments or debugging tools.

According to Securelist, if such tools were found, the malware terminated its execution immediately, avoiding detection by security researchers.

Once past these checks, the malware registered itself using Windows utilities like regsvr32.exe and began collecting system fingerprints, including machine identifiers, usernames, operating system details, and hardware specifications. This information was encoded in Base64 format and transmitted to the attackers' command-and-control (C2) servers.

The infection chain continued with the deployment of a miner implant that leveraged the victim’s CPU resources for cryptocurrency mining.

The malware dynamically adjusted its behavior based on system configurations to avoid overloading less powerful machines.
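Two of the behaviours described above leave traces a defender can look for: regsvr32.exe registering a module that was just dropped into a temp directory by an installer, and an outbound request whose Base64 body decodes to a host fingerprint. The following Python script is an added example written for this article, not code from Securelist or from the campaign itself. The process-creation events and the beacon body are constructed inline, the Inno Setup style temp path and installer name are assumptions, and the JSON layout and key names of the fingerprint are assumed, since the article only states that the fingerprint was Base64-encoded.

```python
import base64
import json
import re

# Constructed sample process-creation events in a simplified Sysmon-like shape.
# These are illustrative records written for this example, not telemetry from
# the campaign described in the article. The Inno Setup style temp path
# (is-XXXXX.tmp) and the installer name are assumptions.
SAMPLE_EVENTS = [
    {
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\is-ABC12.tmp\payload.dll",
        "parent": r"C:\Users\alice\Downloads\BeamNG.drive-setup.exe",
    },
    {
        "image": r"C:\Windows\System32\regsvr32.exe",
        "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll",
        "parent": r"C:\Windows\explorer.exe",
    },
    {
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe",
        "parent": r"C:\Windows\explorer.exe",
    },
]

# Per-user and system temp directories on Windows; a module registered from
# one of these by an installer deserves a closer look.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def flag_regsvr32_from_temp(events):
    """Return events where regsvr32.exe registers a module located in a temp directory."""
    hits = []
    for ev in events:
        is_regsvr32 = ev["image"].lower().endswith("regsvr32.exe")
        if is_regsvr32 and TEMP_DIR_RE.search(ev["cmdline"]):
            hits.append(ev)
    return hits


# Field names a host fingerprint might carry. The article only says the
# fingerprint was Base64-encoded; the JSON layout and key names are assumed.
FINGERPRINT_KEYS = {"machine_id", "username", "os", "cpu"}


def decode_fingerprint_beacon(body):
    """Decode a Base64 request body and return the parsed dict if it looks like
    a host fingerprint (at least two expected keys), otherwise None."""
    try:
        raw = base64.b64decode(body, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        # binascii.Error and json.JSONDecodeError are both ValueError subclasses
        return None
    if isinstance(obj, dict) and len(FINGERPRINT_KEYS & set(obj)) >= 2:
        return obj
    return None


# Constructed beacon body in the assumed layout, Base64-encoded as the article describes.
SAMPLE_BEACON = base64.b64encode(json.dumps({
    "machine_id": "0000-CONSTRUCTED-0000",
    "username": "alice",
    "os": "Windows 10 Pro",
    "cpu": "8 cores",
}).encode("utf-8")).decode("ascii")


def triage(events, bodies):
    """Combine both checks into one summary a responder can act on."""
    return {
        "suspicious_regsvr32": [ev["parent"] for ev in flag_regsvr32_from_temp(events)],
        "fingerprint_beacons": [fp for fp in (decode_fingerprint_beacon(b) for b in bodies) if fp],
    }


if __name__ == "__main__":
    # "aGVsbG8gd29ybGQ=" is Base64 for "hello world" and must not be flagged.
    print(json.dumps(triage(SAMPLE_EVENTS, [SAMPLE_BEACON, "aGVsbG8gd29ybGQ="]), indent=2))
```

The regsvr32 check keys on the module path rather than on the binary alone, because regsvr32.exe is a signed Windows utility that legitimate installers also invoke; the parent process is kept in the output so a responder can see which installer started the chain. The beacon decoder rejects anything that is not valid Base64 or does not decode to the assumed fingerprint shape, so ordinary Base64 payloads are not reported.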

Global Impact on Users

The campaign primarily targeted individual gamers but also infected systems within corporate networks.

By focusing on gaming PCs, which are often equipped with high-performance hardware, the attackers maximized their mining efficiency.

Victims reported increased electricity bills and degraded system performance due to the resource-intensive mining operations.

Attribution and Implications

While no direct links to known threat groups have been established, evidence suggests that Russian-speaking actors may be behind this operation.

The campaign highlights an emerging trend where threat actors exploit popular games as vectors for malware distribution.

This tactic capitalizes on users’ trust in well-known titles and their willingness to download cracked or repackaged versions from unofficial sources.

The incident underscores the importance of cybersecurity awareness among gamers.

Downloading games from unofficial platforms poses significant risks; even official app stores are not immune to malware infiltration.

Developers and platform providers must adopt robust security measures to safeguard users against such threats.

This campaign serves as a stark reminder of the evolving tactics used by cybercriminals to exploit unsuspecting users.

By weaponizing popular games, they have demonstrated their ability to bypass traditional security measures and deliver malicious payloads effectively.

Gamers are urged to rely on legitimate sources for downloads and maintain up-to-date security solutions to mitigate risks associated with such attacks.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
