In a sophisticated cyberattack campaign dubbed “StaryDobry,” threat actors have exploited popular games to distribute malicious software, targeting users worldwide. The campaign, first detected on December 31, 2024, leveraged trojanized versions of games such as BeamNG.drive, Garry’s Mod, and Dyson Sphere Program, distributed via torrent sites. These repackaged games contained a hidden payload designed to bypass detection and install a cryptominer on victims’ systems. By exploiting user trust in popular games and employing advanced evasion techniques, the threat actors have demonstrated their ability to infiltrate systems undetected while maximizing financial gain through cryptomining.

The attackers capitalized on the holiday season’s surge in torrent activity, uploading these malicious game installers as early as September 2024. The malware’s primary goal was to deploy the XMRig cryptominer, exploiting the high-performance hardware of gaming systems to mine cryptocurrency.

Upon execution, the installer decrypts and extracts malicious files using the AES algorithm with a hard-coded key. Key components include the unrar.dll dropper, which decrypts and executes additional payloads while evading detection by performing anti-debugging checks. These checks scan for sandbox environments or debugging tools such as taskmgr.exe and procmon.exe; if any are detected, the malware halts execution. The final payload, MTX64.exe, is decrypted using AES-128 and disguised as a legitimate Windows DLL file by spoofing resource properties such as CompanyName and FileVersion.
The malware collects system fingerprints by retrieving parameters such as MachineGUID, memory size, processor count, and GPU details. It avoids execution on systems with fewer than eight CPU cores, ensuring optimal mining performance. Security analysts at Securelist identified that the victims were primarily located in Russia, Brazil, Germany, Belarus, and Kazakhstan. Unlike typical mining campaigns that use public pools, this operation hosted its own mining infrastructure to evade detection.
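The spoofed CompanyName and FileVersion resources described above are a useful detection angle for defenders: a version resource is a free-text claim, while an Authenticode signature and the install location are not. The following is an added example, not code from the article or from the campaign it describes, showing a triage heuristic run over constructed process-creation telemetry. The record format, the field names (image_path, company_name, signature_status, cpu_avg_pct), the trusted directory list, and the assumption that the spoofed vendor string contains "Microsoft" are all assumptions made for this example; the article only states that the payload is made to look like a Windows DLL.

```python
"""Heuristic triage of process telemetry for version-resource spoofing.

Added example, not code from the article or from the StaryDobry campaign.
Record format, field names and all sample records are constructed here.
"""
from dataclasses import dataclass, field

# Directories where binaries claiming to be Windows components are normally
# expected to live (assumption; tune to the monitored environment).
TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Substrings in a CompanyName resource that we treat as a claim of being a
# Windows component. The concrete vendor string is an assumption.
WINDOWS_VENDOR_KEYWORDS = ("microsoft",)

# CPU threshold above which a flagged process also gets a mining-workload note.
HIGH_CPU_PCT = 80


@dataclass
class Finding:
    image: str
    reasons: list[str] = field(default_factory=list)


def _claims_windows_vendor(company_name: str) -> bool:
    name = (company_name or "").lower()
    return any(k in name for k in WINDOWS_VENDOR_KEYWORDS)


def _in_trusted_dir(image_path: str) -> bool:
    p = (image_path or "").lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def assess_event(ev: dict) -> list[str]:
    """Return reasons this event looks like resource spoofing (empty if benign).

    Only processes that claim a Windows vendor are examined; an unsigned game
    executable with its own vendor string is not flagged, because games and
    game mods are routinely unsigned and CPU-heavy.
    """
    reasons: list[str] = []
    if not _claims_windows_vendor(ev.get("company_name", "")):
        return reasons
    if ev.get("signature_status") != "valid":
        reasons.append("claims Windows vendor but Authenticode signature is not valid")
    if not _in_trusted_dir(ev.get("image_path", "")):
        reasons.append("claims Windows vendor but runs from an untrusted directory")
    # Only add the CPU note once the vendor claim itself has failed verification.
    if reasons and ev.get("cpu_avg_pct", 0) >= HIGH_CPU_PCT:
        reasons.append("sustained high CPU usage (possible mining workload)")
    return reasons


def find_suspicious(events: list[dict]) -> list[Finding]:
    """Run assess_event over every record and keep those with at least one reason."""
    return [
        Finding(ev["image_path"], r)
        for ev in events
        if (r := assess_event(ev))
    ]


# Constructed sample telemetry (not real captures). The MTX64.exe name is the
# payload name given in the article; every other value is made up.
SAMPLE_EVENTS = [
    {"image_path": "C:\\Windows\\System32\\svchost.exe",
     "company_name": "Microsoft Corporation",
     "signature_status": "valid", "cpu_avg_pct": 3},
    {"image_path": "C:\\Users\\alice\\Downloads\\BeamNG.drive\\MTX64.exe",
     "company_name": "Microsoft Corporation",
     "signature_status": "unsigned", "cpu_avg_pct": 95},
    {"image_path": "C:\\Games\\ConstructedGame\\game.exe",
     "company_name": "Constructed Game Studio",
     "signature_status": "unsigned", "cpu_avg_pct": 90},
    {"image_path": "C:\\Program Files\\ExampleVendor\\helper.exe",
     "company_name": "Microsoft Corporation",
     "signature_status": "invalid", "cpu_avg_pct": 5},
]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f.image)
        for reason in f.reasons:
            print("  -", reason)
```

The heuristic deliberately refuses to alert on high CPU alone, since that is normal for the gaming systems this campaign targets; it alerts only when a binary's own metadata claims a provenance that its signature or location contradicts, and treats the CPU load as corroborating context once that mismatch exists.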
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Feb 2025 21:15:15 +0000