Gaming mods, cheat engines are spreading Trojan malware and planting backdoors | ZDNet
Mods and cheat systems for games are being exploited to deploy information-stealing malware.
By Charlie Osborne for Zero Day | March 31, 2021 -- 13:07 GMT (14:07 BST) | Topic: Security
Gaming mods and cheat engines are being weaponized to target gamers in new malware campaigns.
On Wednesday, researchers from Cisco Talos said the gaming tools are being used to deploy a cryptor -- code designed to prevent reverse-engineering or analysis -- for a variety of malware strains, the majority of which appear to be Remote Access Trojans (RATs).
The attack wave is focused on compromising the systems of gamers and modders. The initial attack vector begins with malvertising -- adverts that lead to malicious websites or downloads -- as well as YouTube how-to videos focused on game modding that link to malicious content.
There is already a vibrant marketplace for cheats and mods. Online gaming is now an industry worth millions of dollars -- only propelled further with the emergence of competitive e-sports -- and so some gamers will go so far as to purchase cheats to give them an edge.
Developers have upped their game, too, and will often upload their creations to VirusTotal to see if files are flagged as suspicious or malicious.
The risk in downloading system-modifying files is nothing new and the latest campaign only carries on the trend.
Cheats, cheat engines, and mods have been found that contain cryptors able to hide RAT code and backdoors through multiple layers of obfuscation. Once a malicious mod or cheat has been downloaded and installed on a target machine, a dropper injects code into a new process to circumvent basic antivirus tools and detection algorithms.
The malware is then able to execute. Samples tracked so far include the deployment of XtremeRAT, an information stealer that has been associated with spam campaigns and the deployment of Zeus variants.
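The dropper behaviour described above, code written into another process so that file-based antivirus never sees the payload on disk, is the kind of thing endpoint telemetry can still catch. The script below is an added example from the editor, not code from Cisco Talos or ZDNet: it triages constructed, Sysmon-style CreateRemoteThread (Event ID 8) records and flags a remote thread whose source binary sits in a user-writable download location, which is where a mod or cheat installer would typically land. The record format, field names, path hints and allowlist are all assumptions made for the example.

```python
"""Triage remote-thread creation events for likely process injection.

Added example (editor's own code, not Talos's or ZDNet's).  The records
below are constructed to resemble flattened Sysmon Event ID 8 entries;
they are not real campaign telemetry.
"""

from dataclasses import dataclass
from typing import List

# Directories a downloaded mod/cheat installer typically runs from.
# Assumed heuristic, not a list published by the article.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

# Processes that legitimately create threads in other processes.
# Assumed allowlist; tune it to your own environment.
KNOWN_INJECTORS = ("csrss.exe", "msmpeng.exe")


@dataclass
class RemoteThreadEvent:
    source_image: str   # process that created the thread
    target_image: str   # process the thread was created in


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed flattened format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return RemoteThreadEvent(fields["SourceImage"], fields["TargetImage"])


def is_suspicious(ev: RemoteThreadEvent) -> bool:
    """True when an unrelated process is touched from a user-writable path."""
    src = ev.source_image.lower()
    if src.rsplit("\\", 1)[-1] in KNOWN_INJECTORS:
        return False                      # trusted injector
    if src == ev.target_image.lower():
        return False                      # thread in its own process
    return any(hint in src for hint in USER_WRITABLE_HINTS)


def triage(lines: List[str]) -> List[RemoteThreadEvent]:
    """Return only the events worth an analyst's attention."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample telemetry: one injection-like event, three benign ones.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Users\alice\Downloads\GameMod_Installer.exe|TargetImage=C:\Windows\System32\svchost.exe",
    r"SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\explorer.exe",
    r"SourceImage=C:\Program Files\Game\game.exe|TargetImage=C:\Program Files\Game\game.exe",
    r"SourceImage=C:\Program Files\Editor\editor.exe|TargetImage=C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"ALERT: {ev.source_image} -> {ev.target_image}")
```

The allowlist is deliberately short: the point is to surface the one record where a freshly downloaded binary reaches into a system process, while leaving a game creating threads in itself, or a known Windows component doing the same, unflagged.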
[Screenshot of the campaign's cryptor, credit: Cisco Talos]
Cisco Talos notes that the cryptor uses Visual Basic 6, shellcode, and process injection techniques to make analysis difficult.
"As workers continue to operate remotely during the COVID-19 pandemic and mix work with their private computer usage, enterprises are even more likely to be attacked by compromised personal PC equipment belonging to their employees," the researchers say. "Employees will sometimes download modding tools or cheat engines from questionable sources to tweak their PC or games running on the same machine they use for their job."