Torrented versions of games such as Garry’s Mod, Dyson Sphere Program, and Universe Sandbox have been employed in a global malware campaign.
A malicious cyber campaign launched on New Year’s Eve last year saw cryptocurrency mining malware installed on computers in Russia, Germany, Belarus, Kazakhstan, and Brazil, according to a new report from Russian anti-virus firm Kaspersky.
Dubbed StaryDobry by Kaspersky researchers, the malware campaign lasted for a month from 31 December and took advantage of cracked versions of several popular video games, including BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy.
The games were distributed via torrent trackers and shared by different authors but were nonetheless all cracked in the same manner, suggesting a coordinated campaign.
While the actual game is being installed, the installer first checks whether it is running in a sandbox or debugging environment, then checks the machine's IP address to identify its country. It then fingerprints the device and installs the MTX64.exe malware loader, which poses as a system file.
The next step in the infection chain is resource spoofing to make the malware seem legitimate. Finally, if the infected machine has eight CPU cores, the XMRig crypto miner is downloaded and installed. The miner uses a mining pool server on its own infrastructure rather than a public one and can shut itself down to avoid detection.
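As an added illustration, not code from the article or from Kaspersky's report, the following Python hunting helper flags process-creation records in which a binary carries one of the names mentioned above (MTX64.exe, XMRig) but runs from outside the Windows system directories, the "poses as a system file" behaviour described in the chain. The key="value" record format and the sample lines are constructed assumptions.

```python
import re
from typing import Dict, List

# Names taken from the article: the loader posing as a system file and the miner.
WATCHED_NAMES = {"mtx64.exe", "xmrig.exe"}
# Locations where a genuine Windows system binary would normally live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" process-creation record into a dict."""
    return {key.lower(): value for key, value in re.findall(r'(\w+)="([^"]*)"', line)}


def is_masquerading(image: str) -> bool:
    """True when the image name is on the watchlist but its path is not a system directory."""
    path = image.lower().replace("/", "\\")
    name = path.rsplit("\\", 1)[-1]
    if name not in WATCHED_NAMES:
        return False
    return not path.startswith(SYSTEM_DIRS)


def find_suspects(lines: List[str]) -> List[Dict[str, str]]:
    """Return the records whose Image path looks like a masquerading loader or miner."""
    suspects = []
    for line in lines:
        rec = parse_record(line)
        if "image" in rec and is_masquerading(rec["image"]):
            suspects.append(rec)
    return suspects


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    'Event="ProcessCreate" Image="C:\\Windows\\System32\\svchost.exe" Parent="services.exe"',
    'Event="ProcessCreate" Image="C:\\Users\\alice\\AppData\\Roaming\\MTX64.exe" Parent="setup.exe"',
    'Event="ProcessCreate" Image="C:\\ProgramData\\Updater\\xmrig.exe" Parent="MTX64.exe"',
]

if __name__ == "__main__":
    for rec in find_suspects(SAMPLE_LOG):
        print("suspicious:", rec["image"], "parent:", rec.get("parent"))
```

On the constructed sample, the two records outside the system directories are reported and the genuine svchost.exe entry is ignored.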
While the campaign’s victims were mostly private individuals, some organisations were also impacted, but only because employees installed the cracked software on business systems. Most of the victims were inside Russia, and the use of the Russian language in the malware suggests that may also be the country of origin for the campaign.
Clear attribution to a known actor, however, is difficult, according to Kaspersky.
“StaryDobry tends to be a one-shot campaign,” Kaspersky said.
“To deliver the miner implant, the actors implemented a sophisticated execution chain that exploited users seeking free games. This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.