
Trojanized Game Installer Deploys Cryptocurrency Miners in Massive StaryDobry Attacks

By user, February 19, 2025
February 19, 2025Hacker NewsWindows Security/Malware

Users looking for popular games have been lured into downloading trojanized installers that led to the deployment of cryptocurrency miners on compromised Windows hosts.

The large-scale activity has been codenamed StaryDobry by the Russian cybersecurity company Kaspersky, which first detected it on December 31, 2024. It lasted for a month.

The campaign's targets include individuals and businesses around the world, with Kaspersky's telemetry showing higher infection concentrations in Russia, Brazil, Germany, Belarus, and Kazakhstan.

“This approach helped threat actors make the most of the miner implants by targeting powerful gaming machines that can sustain mining activities,” researchers Tatyana Shishkova and Kirill Korchemny said in an analysis released Tuesday.


The XMRig cryptocurrency miner campaign uses popular simulator and physics games such as BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy as lures to launch a sophisticated attack chain.

This involved uploading poisoned game installers built with Inno Setup to various torrent sites in September 2024, which indicates that the unidentified threat actors behind the campaign planned the attacks carefully in advance.

Users who download these releases, also known as “repacks,” are shown an installer screen that encourages them to proceed with the setup process.

The DLL file continues execution only after performing a series of checks to determine whether it is running in a debugging or sandbox environment, which is a sign of highly evasive behavior.

It then polls various sites such as api.myip[.]com, ip-api[.]com, and ipwho[.]is to obtain the user's IP address and estimate its location. If this step fails, the country defaults to China or Belarus, for reasons that are not entirely clear.

The next step involves collecting the machine's fingerprint, decrypting another executable file (“MTX64.exe”), and writing its contents to a file on disk named “windows.graphics.thumbnailhandler.dll” in the %\sysnative folder.

MTX64, which is based on a legitimate open-source project called EpubShellExtThumbnailHandler, modifies the Windows Shell Extension thumbnail handler functionality to its own advantage in order to load the next-stage payload.

The blob is written to disk under the name “unix.directory.iconhandler.dll” in the folder %appdata\roaming\microsoft\currents\%installdate%\, as in the previous step.

The newly created DLL is configured to retrieve the final-stage binary responsible for running the miner implant from a remote server, and to continuously check the list of running processes for taskmgr.exe and procmon.exe. If either process is detected, the artifact immediately terminates.
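The two behaviours described in the last few paragraphs, the fixed DLL names written to disk and a loader that kills itself as soon as a process monitor appears, are both things a defender can hunt for in endpoint telemetry. The script below is an added example, not code from Kaspersky or The Hacker News; it runs over a constructed, simplified event log (the `<timestamp> <kind> pid=<n> <path-or-image>` format, the process names and the five-second exit window are all assumptions) and flags file writes of the dropped DLL names and any process that exits within a few seconds of taskmgr.exe or procmon.exe starting.

```python
"""Hunting helpers for the StaryDobry loader behaviour (added example).

The log format is a constructed, simplified one for illustration, not real
Sysmon or EDR output.  Two checks are implemented:
  1. file_write events whose target file name is one of the dropped DLLs
     named in the analysis (windows.graphics.thumbnailhandler.dll and
     unix.directory.iconhandler.dll);
  2. a process that exits within EXIT_WINDOW of a process monitor
     (taskmgr.exe / procmon.exe) starting, i.e. the loader's self-kill.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# File names taken from the analysis above (matched on the base name only).
DROPPED_DLLS = {
    "windows.graphics.thumbnailhandler.dll",
    "unix.directory.iconhandler.dll",
}
# Process monitors the loader watches for, per the analysis.
MONITOR_PROCS = {"taskmgr.exe", "procmon.exe"}
# Assumed threshold: an exit this close to a monitor start is suspicious.
EXIT_WINDOW = timedelta(seconds=5)


@dataclass
class Event:
    ts: datetime
    kind: str      # "file_write", "proc_start" or "proc_exit"
    pid: int
    subject: str   # file path for file_write, image name otherwise


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO ts> <kind> pid=<n> <subject>'."""
    ts, kind, pid_field, subject = line.strip().split(" ", 3)
    pid = int(pid_field.split("=", 1)[1])
    return Event(datetime.fromisoformat(ts), kind, pid, subject)


def find_dropped_dlls(events: list[Event]) -> list[Event]:
    """File writes whose base name matches one of the known dropped DLLs."""
    return [
        e for e in events
        if e.kind == "file_write"
        and e.subject.rsplit("\\", 1)[-1].lower() in DROPPED_DLLS
    ]


def find_monitor_triggered_exits(events: list[Event],
                                 window: timedelta = EXIT_WINDOW) -> list[Event]:
    """Processes that exit shortly after taskmgr.exe / procmon.exe start."""
    monitor_starts = [
        e.ts for e in events
        if e.kind == "proc_start" and e.subject.lower() in MONITOR_PROCS
    ]
    hits = []
    for e in events:
        if e.kind != "proc_exit" or e.subject.lower() in MONITOR_PROCS:
            continue
        if any(timedelta(0) <= e.ts - m <= window for m in monitor_starts):
            hits.append(e)
    return hits


def hunt(lines: list[str]) -> dict[str, list[Event]]:
    """Run both checks over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines]
    return {
        "dropped_dlls": find_dropped_dlls(events),
        "monitor_triggered_exits": find_monitor_triggered_exits(events),
    }


# Constructed sample telemetry (not real data): a loader process writes the
# two DLLs, a benign file, and then exits two seconds after Task Manager opens.
SAMPLE_LOG = [
    "2024-12-31T10:00:00 proc_start pid=4100 dllhost.exe",
    "2024-12-31T10:00:01 file_write pid=4100 C:\\Windows\\System32\\windows.graphics.thumbnailhandler.dll",
    "2024-12-31T10:00:02 file_write pid=4100 C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\currents\\20241231\\unix.directory.iconhandler.dll",
    "2024-12-31T10:00:03 file_write pid=4100 C:\\Users\\alice\\AppData\\Local\\Temp\\setup.log",
    "2024-12-31T10:05:00 proc_start pid=5200 taskmgr.exe",
    "2024-12-31T10:05:02 proc_exit pid=4100 dllhost.exe",
    "2024-12-31T10:30:00 proc_exit pid=777 notepad.exe",
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for name, hits in findings.items():
        print(f"{name}: {len(hits)} hit(s)")
        for e in hits:
            print(f"  {e.ts.isoformat()} pid={e.pid} {e.subject}")
```

On the sample log the script reports two dropped-DLL writes and one monitor-triggered exit (pid 4100). The exit-timing check is deliberately loose; in real telemetry it should be tightened with process ancestry (the exiting process was spawned from a game installer or hosts a shell extension), because an unrelated process exiting while Task Manager opens is common.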


The miner is a slightly tweaked version of XMRig that uses a predefined command line to start the mining process on machines whose CPU has eight or more cores.

“If it's below 8, the miner won't start,” the researchers said. “In addition, instead of using what's publicly available, the attacker chose to host a mining pool server on his infrastructure.”

“XMRig parses the command line built using its built-in features. The miner uses the same methods as the previous stage to check for process monitors running on the system. It also creates a separate thread for this.”

StaryDobry remains unattributed, given the lack of indicators that can be linked to known crimeware actors. However, the presence of Russian strings in the samples suggests the possibility of a Russian-speaking threat actor.
