Threat actors target gamers with backdoored game tweaks, patches, and cheats hiding malware capable of stealing information from infected systems.
The attackers mostly advertise the malware-laced modding tools through social media channels and YouTube how-to videos.
Cisco Talos researchers who spotted multiple campaigns using these tactics said that they’ve “seen several small tools looking like game patches, tweaks or modding tools” backdoored with obfuscated malware.
“These types of attacks are a return to form for classic virus campaigns — video game players are no strangers to trying to avoid malicious downloads while trying to change the game they’re playing,” the researchers said in a report published today.
One of the malware strains deployed on infected gamers’ computers is XtremeRAT (aka ExtRat), a commercially available remote access trojan (RAT) used in targeted attacks and traditional cybercrime since at least 2010.
XtremeRAT allows its operators to exfiltrate documents from compromised systems, log keystrokes, capture screenshots, record audio using webcams or microphones, directly interact with victims via remote shells, and more.
Designed to evade detection
The threat actors use a complex Visual Basic-based cryptor and shellcode to hinder analysis and detection and to hide the final payload deployed in their attacks.
The droppers that run when a victim executes one of the trojanized game tools also use process injection, inserting the malicious code into newly spawned processes.
This makes detection harder: the final payload runs inside the memory of an otherwise legitimate-looking process, hiding it from some anti-malware tools.
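The pattern described above (a freshly downloaded "patch" spawns a child process and immediately writes a thread into it) leaves a footprint in endpoint telemetry even when the payload itself is encrypted. The following detection logic is an added example, not code from the Cisco Talos report or from BleepingComputer. It correlates Sysmon process-creation events (Event ID 1) with CreateRemoteThread events (Event ID 8) and alerts when a remote thread lands in a process created within a short window, raising severity when the injecting process is the target's parent and runs from a user-writable directory. The event lines, process GUIDs, file names, the 5-second window and the directory markers are all constructed assumptions for the example; the field names follow Sysmon's schema.

```python
import json
from datetime import datetime, timedelta

# A remote thread landing in a process this soon after its creation is treated
# as injection into a freshly spawned process (assumed threshold; tune per environment).
INJECT_WINDOW = timedelta(seconds=5)

# Directories a non-admin user can write to; a "game patch" fetched from a forum
# or a YouTube link is typically launched from one of these (assumed list).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# creation, EventID 8 = CreateRemoteThread, newline-delimited JSON as a log
# shipper would forward them. GUIDs and file names are hypothetical.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2021-03-31 10:00:00.000", "ProcessGuid": "{A}", "Image": "C:\\Users\\bob\\Downloads\\fov_tweak.exe", "ParentProcessGuid": "{EXPL}", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "UtcTime": "2021-03-31 10:00:01.200", "ProcessGuid": "{B}", "Image": "C:\\Windows\\SysWOW64\\svchost.exe", "ParentProcessGuid": "{A}", "ParentImage": "C:\\Users\\bob\\Downloads\\fov_tweak.exe"}
{"EventID": 8, "UtcTime": "2021-03-31 10:00:01.350", "SourceProcessGuid": "{A}", "SourceImage": "C:\\Users\\bob\\Downloads\\fov_tweak.exe", "TargetProcessGuid": "{B}", "TargetImage": "C:\\Windows\\SysWOW64\\svchost.exe"}
{"EventID": 1, "UtcTime": "2021-03-31 10:02:00.000", "ProcessGuid": "{E}", "Image": "C:\\Program Files\\Overlay\\overlay.exe", "ParentProcessGuid": "{EXPL}", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "UtcTime": "2021-03-31 10:02:00.500", "ProcessGuid": "{F}", "Image": "C:\\Games\\game.exe", "ParentProcessGuid": "{E}", "ParentImage": "C:\\Program Files\\Overlay\\overlay.exe"}
{"EventID": 8, "UtcTime": "2021-03-31 10:02:01.000", "SourceProcessGuid": "{E}", "SourceImage": "C:\\Program Files\\Overlay\\overlay.exe", "TargetProcessGuid": "{F}", "TargetImage": "C:\\Games\\game.exe"}
{"EventID": 8, "UtcTime": "2021-03-31 10:09:00.000", "SourceProcessGuid": "{C}", "SourceImage": "C:\\Program Files\\Debugger\\dbg.exe", "TargetProcessGuid": "{F}", "TargetImage": "C:\\Games\\game.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, attach a datetime, and sort by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["_ts"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return sorted(events, key=lambda ev: ev["_ts"])


def in_user_writable_dir(image):
    """True when the executable path sits in a directory a normal user can write to."""
    return any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)


def find_injections_into_new_processes(events, window=INJECT_WINDOW):
    """Return one alert per CreateRemoteThread whose target was created within `window`.

    Severity is "high" when the injecting process is also the target's parent and
    runs from a user-writable directory (spawn-then-inject by a downloaded tool),
    otherwise "medium". Threads into long-running processes (e.g. a debugger
    attaching to a game) fall outside the window and are not reported.
    """
    created = {ev["ProcessGuid"]: ev for ev in events if ev["EventID"] == 1}
    alerts = []
    for ev in events:
        if ev["EventID"] != 8:
            continue
        target = created.get(ev["TargetProcessGuid"])
        if target is None:
            continue  # target predates our visibility; not a "newly spawned" case
        age = ev["_ts"] - target["_ts"]
        if not (timedelta(0) <= age <= window):
            continue
        source_is_parent = target["ParentProcessGuid"] == ev["SourceProcessGuid"]
        suspicious_source = in_user_writable_dir(ev["SourceImage"])
        alerts.append({
            "time": ev["UtcTime"],
            "source_image": ev["SourceImage"],
            "target_image": ev["TargetImage"],
            "age_seconds": age.total_seconds(),
            "source_is_parent": source_is_parent,
            "severity": "high" if source_is_parent and suspicious_source else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in find_injections_into_new_processes(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['severity']}] {a['source_image']} -> {a['target_image']} "
              f"({a['age_seconds']:.3f}s after target creation)")
```

Run against the constructed events, the tweak tool's thread into the svchost.exe it just spawned scores high, the overlay injecting into a game it launched scores medium (legitimate overlays do this, so it needs triage rather than blocking), and the debugger attaching minutes later is ignored. The caveat a practitioner should keep in mind: Sysmon Event ID 8 covers only the CreateRemoteThread primitive; injection via APC queuing, section mapping or thread hijacking will not appear there, so this rule complements, rather than replaces, memory-scanning controls.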
“With the work-from-home trend not likely to end any time soon, there’s a highly increased use of private PC equipment to connect into company networks — this is a serious threat to enterprise networks,” Cisco Talos concluded.
“Employees will sometimes download modding tools or cheat engines from questionable sources to tweak their PC or games running on the same machine they use for their job.”
An attractive target
Game cheats are a known source of malware infections and have been used to infect gamers with remote access trojans, cryptocurrency miners, and other malware strains.
But gamers have also been targeted in other, more complex attacks. For instance, last month, ESET researchers discovered that an unknown threat actor compromised the updating mechanism of an Android emulator for Windows and macOS to infect gamers with malware.
In an earlier supply-chain attack, attackers compromised popular games and a gaming platform owned by Asian companies, allowing them to deploy backdoors on gamers’ systems.
Based on estimates and telemetry, tens or hundreds of thousands of gamers were infected in that supply-chain attack, given how popular the compromised gaming platform and games were in Thailand, the Philippines, and Taiwan.
By Sergiu Gatlan, March 31, 2021, published on BleepingComputer