A new report from Cisco Talos warns of cybercriminals who are targeting gamers with game tweaks, patches, and cheats infected with backdoor malware that steals information from infected machines.
The attackers distribute fake mods via social media channels and YouTube how-to videos.
Cisco Talos researchers report that multiple campaigns are distributing malicious tools that are presented as game patches, tweaks, or mods but contain obfuscated malware.
“Talos detected a new cryptor used in several different malware campaigns hidden in seemingly legitimate files that users would usually download to install cheat codes… The cryptor uses Visual Basic 6 along with shellcode and process injection techniques,” the researchers said in a report published today.
Game cheats and mods are a known threat and have previously been used to infect gamers with malware such as remote access trojans and cryptocurrency miners.
One of the malware strains deployed on infected computers in the current campaign is the commercial remote access trojan XtremeRAT (aka ExtRat), known since at least 2010. With XtremeRAT, its operators can steal documents from compromised systems, log keystrokes, capture screenshots, record audio, and more.
The threat actors avoid detection and hide the final payload by using a complex Visual Basic 6 cryptor and shellcode. They also made detection harder for some anti-malware tools by hiding malware inside the final payload. Malware droppers deployed on victims’ machines hide the malicious code in new processes by employing process injection techniques.
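The process injection described above leaves a telemetry trail that defenders can triage. The following Python script is an added example and is not code from the Talos report: it parses a few constructed Sysmon Event ID 8 (CreateRemoteThread) records rendered in a simplified key=value form and flags cases where an executable running from a user-writable download or temp directory creates a thread in a Windows system process. The field names mirror Sysmon's; the assumption that an unresolved start function is shown as "-" is labelled in the code.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records (simplified "key=value" rendering of Sysmon
# events; not real logs from the campaign). Event ID 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    r"EventID=8 SourceImage=C:\Users\alice\Downloads\game_patch.exe TargetImage=C:\Windows\explorer.exe StartFunction=-",
    r"EventID=8 SourceImage=C:\Program Files\Vendor\agent.exe TargetImage=C:\Windows\System32\svchost.exe StartFunction=LoadLibraryW",
    r"EventID=8 SourceImage=C:\Users\alice\AppData\Local\Temp\cheat_setup.exe TargetImage=C:\Windows\System32\notepad.exe StartFunction=-",
    r"EventID=1 Image=C:\Games\game.exe CommandLine=game.exe",
]

# key=value pairs; a value runs until the next " key=" or end of line, so
# paths containing spaces (e.g. "Program Files") are kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Directories a freshly downloaded "mod" or "cheat" would typically run from.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\", re.IGNORECASE)


@dataclass
class Finding:
    source: str
    target: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Turn one simplified Sysmon record into a dict of field -> value."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def triage(lines):
    """Return a Finding for every CreateRemoteThread event whose source image
    runs from a user-writable directory; extra reasons raise the priority."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "8":
            continue  # only CreateRemoteThread records are of interest here
        src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
        if not USER_WRITABLE_RE.search(src):
            continue  # gating condition: injector lives where downloads land
        reasons = ["source executable runs from a user-writable download/temp directory"]
        if SYSTEM_DIR_RE.match(dst):
            reasons.append("target is a Windows system process")
        # Assumption: an unresolved start address is rendered as "-", which
        # is typical of a thread started at injected (non-exported) code.
        if ev.get("StartFunction", "-") == "-":
            reasons.append("thread start address is not a known exported function")
        findings.append(Finding(src, dst, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.source} -> {f.target}")
        for r in f.reasons:
            print("   -", r)
```

The gating rule (injector launched from a download or temp path) is deliberately narrow so that legitimate agents running from Program Files, as in the second sample record, are not flagged; the remaining reasons are there to rank what does get flagged rather than to widen the match.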
Cisco Talos calls this campaign a serious threat not only to individuals but also to companies, since employees working remotely may now download game mods onto the same machines that hold corporate files.
“With the work from home trend not likely to end any time soon, there’s a highly increased use of private PC equipment to connect into company networks — this is a serious threat to enterprise networks,” Cisco Talos concluded.
“Employees will sometimes download modding tools or cheat engines from questionable sources to tweak their PC or games running on the same machine they use for their job.”