Users looking for popular games have been lured into downloading trojanized installers that led to the deployment of a cryptocurrency miner on compromised Windows hosts.
The large-scale activity has been codenamed StaryDobry by Russian cybersecurity company Kaspersky, which first detected it on December 31, 2024. It lasted for a month.
Targets of the campaign include individuals and businesses worldwide, with Kaspersky's telemetry finding higher infection concentrations in Russia, Brazil, Germany, Belarus, and Kazakhstan.
"This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity," researchers Tatyana Shishkova and Kirill Korchemny said in an analysis published Tuesday.
The XMRig cryptocurrency miner campaign employs popular simulator and physics games like BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy as lures to initiate a sophisticated attack chain.
This involves uploading poisoned game installers crafted using Inno Setup onto various torrent sites in September 2024, indicating that the unidentified threat actors behind the campaign had carefully planned the attacks.
Users who end up downloading these releases, also known as "repacks," are served an installer screen that urges them to proceed with the setup process, during which a dropper ("unrar.dll") is extracted and executed.
The DLL file continues its execution only after running a series of checks to determine whether it is running in a debugging or sandboxed environment, a sign of its highly evasive behavior.
Subsequently, it polls various sites like api.myip[.]com, ip-api[.]com, and ipwho[.]is to obtain the user's IP address and estimate their location. If it fails at this step, the country defaults to China or Belarus for reasons that aren't wholly clear.
The next phase entails gathering a fingerprint of the machine, decrypting another executable ("MTX64.exe"), and writing its contents to a file on disk named "Windows.Graphics.ThumbnailHandler.dll" in either the %SystemRoot% or %SystemRoot%\Sysnative folder.
Based on a legitimate open-source project called EpubShellExtThumbnailHandler, MTX64 modifies the Windows Shell Extension Thumbnail Handler functionality for its own gain by loading a next-stage payload, a portable executable named Kickstarter that then unpacks an encrypted blob embedded within it.
The blob, as in the previous step, is written to disk under the name "Unix.Directory.IconHandler.dll" in the folder %appdata%\Roaming\Microsoft\Credentials\%InstallDate%.
The newly created DLL is configured to retrieve the final-stage binary from a remote server that is responsible for running the miner implant, while also continuously checking for taskmgr.exe and procmon.exe in the list of running processes. The artifact is promptly terminated if either of those processes is detected.
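The two on-disk artifacts described above (a fake thumbnail handler under %SystemRoot%, then a fake icon handler under a Credentials folder) make a straightforward hunting rule for file-creation telemetry. The following script is an added example written for this article, not Kaspersky's code: it runs the rules over constructed Sysmon-style FileCreate records, and the third rule is a broader heuristic of my own (any DLL written beneath a Credentials folder) that goes beyond what the analysis states.

```python
import re

# Constructed sample FileCreate records in the shape of Sysmon Event ID 11, not real
# telemetry. File names and folders follow the analysis above; the user name, writing
# processes and the date-like subfolder are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\BeamNG_repack\setup.tmp",
     "TargetFilename": r"C:\Windows\Windows.Graphics.ThumbnailHandler.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Credentials"
                       r"\20241231\Unix.Directory.IconHandler.dll"},
    # Benign: Credential Manager blobs live here, but they are not DLLs.
    {"Image": r"C:\Windows\System32\lsass.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Credentials\AB12CD34"},
    # Same DLL name in a download folder: not the drop location the analysis describes.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Windows.Graphics.ThumbnailHandler.dll"},
]

# Rules run against a normalised path (lower-case, backslashes, Sysnative folded to System32).
RULES = [
    # MTX64.exe masquerading as a shell thumbnail handler in %SystemRoot% or System32.
    ("thumbnail-handler-dll",
     re.compile(r"^[a-z]:\\windows\\(system32\\)?windows\.graphics\.thumbnailhandler\.dll$")),
    # Kickstarter's decrypted blob under ...\Microsoft\Credentials\<InstallDate>\.
    ("icon-handler-dll",
     re.compile(r"\\microsoft\\credentials\\[^\\]+\\unix\.directory\.iconhandler\.dll$")),
    # Broader heuristic (my generalisation, not from the analysis): any DLL written
    # beneath a Credentials folder, which normally holds credential blobs only.
    ("dll-in-credentials-dir", re.compile(r"\\microsoft\\credentials\\.*\.dll$")),
]


def normalize(path: str) -> str:
    """Lower-case, use backslashes, and fold the WOW64 Sysnative alias to System32,
    which is where a 32-bit process's write to the Sysnative folder really lands."""
    p = path.replace("/", "\\").lower()
    return p.replace("\\sysnative\\", "\\system32\\")


def scan(events):
    """Return (rule_id, writing_process, target_path) for every rule each event trips."""
    hits = []
    for ev in events:
        target = normalize(ev["TargetFilename"])
        for rule_id, rx in RULES:
            if rx.search(target):
                hits.append((rule_id, ev["Image"], ev["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for rule_id, image, target in scan(SAMPLE_EVENTS):
        print(f"[{rule_id}] {image} wrote {target}")
```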
The miner is a slightly tweaked version of XMRig that uses a predefined command line to initiate the mining process on machines with CPUs that have 8 or more cores.
"If there are fewer than 8, the miner doesn't start," the researchers said. "Moreover, the attacker chose to host a mining pool server in their own infrastructure instead of using a public one."
"XMRig parses the constructed command line using its built-in functionality. The miner also creates a separate thread to check for process monitors running in the system, using the same method as in the previous stage."
StaryDobry remains unattributed given the lack of indicators that could tie it to any known crimeware actors. That said, the presence of Russian-language strings in the samples points to the possibility of a Russian-speaking threat actor.