

Ethical Hacking News

A Cryptocurrency Miner Campaign: Unveiling the StaryDobry Attack


StaryDobry, a large-scale attack involving trojanized game installers that deployed a cryptocurrency miner on compromised Windows hosts, has left cybersecurity experts puzzled. The campaign, which targeted individuals and businesses worldwide, had a notable presence in several countries. Researchers have identified key components of the attack, but the identity of the attackers remains unknown.

  • The StaryDobry attack campaign was detected by Kaspersky in December 2024, targeting individuals and businesses worldwide with cryptocurrency miner attacks.
  • The attackers used popular games like BeamNG.drive and Garry's Mod as lures to initiate the attack chain.
  • The attack involved deploying trojanized game installers that led to the installation of a cryptocurrency miner on compromised Windows hosts.
  • The attackers employed evasive tactics, such as running checks to determine if they were operating in a debugging or sandboxed environment.
  • The miners used a tweaked version of XMRig and hosted their own mining pool server instead of using a public one.
  • Despite the presence of Russian language strings, the identity of the attackers remains unknown due to the lack of indicators tying them to known crimeware actors.



The world of cybersecurity has witnessed numerous attacks in recent years, some targeting individuals and businesses worldwide, others focused on specific industries or sectors. This article looks at a particularly insidious attack that leveraged popular games to deploy a cryptocurrency miner on compromised Windows hosts. The campaign, dubbed StaryDobry by Russian cybersecurity firm Kaspersky, has left experts searching for clues about the identity of the attackers.

In December 2024, Kaspersky's telemetry detected a surge in activity that would come to be known as StaryDobry. The campaign was characterized by the deployment of trojanized game installers that led to the installation of a cryptocurrency miner on compromised Windows hosts. The attack targeted individuals and businesses worldwide, with a notable presence in Russia, Brazil, Germany, Belarus, and Kazakhstan.

Researchers at Kaspersky identified several key components of the StaryDobry campaign, including popular simulator and physics games such as BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy. These games served as lures for a multi-stage attack chain: poisoned game installers built with Inno Setup were uploaded to various torrent sites in September 2024.

Upon downloading these releases, commonly referred to as "repacks," users were presented with an installer screen urging them to proceed with setup. That step was followed by the execution of a dropper (unrar.dll), which continued only after running a series of checks to determine whether it was operating in a debugging or sandboxed environment, an indication of how evasive the attackers were.

The next phase involved gathering a fingerprint of the machine, decrypting another executable (MTX64.exe), and writing its contents to a file on disk named "Windows.Graphics.ThumbnailHandler.dll" in either the %SystemRoot% or the %SystemRoot%\Sysnative folder. Based on a legitimate open-source project called EpubShellExtThumbnailHandler, MTX64 repurposed the Windows Shell Extension Thumbnail Handler functionality for its own ends by loading a next-stage payload, a portable executable named Kickstarter, which then unpacked an encrypted blob embedded within it.

The newly created DLL was configured to retrieve the final-stage binary, the component responsible for running the miner implant, from a remote server, while continuously checking the list of running processes for taskmgr.exe and procmon.exe. The implant was promptly terminated if either of these processes was detected.

The cryptocurrency miner itself was a slightly tweaked version of XMRig that used a predefined command line to start mining on machines whose CPU had 8 or more cores. If there were fewer than 8, the miner did not start. Furthermore, the attackers chose to host their own mining pool server instead of using a public one.

Researchers noted that the presence of Russian language strings in the samples pointed to the possibility of a Russian-speaking threat actor. However, the lack of indicators tying the campaign to any known crimeware actors left the identity of the StaryDobry attackers unknown.

The use of popular games as lures for the attack chain was a deliberate choice by the attackers. It helped them get the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity.

As cybersecurity experts continue to monitor the situation and investigate further, one thing is clear: this campaign highlights the ongoing evolution and sophistication of cryptocurrency mining attacks. As users, it is essential to remain vigilant and take proactive measures to protect ourselves against such threats.
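As an added defensive example (not code from the page, from Kaspersky, or from The Hacker News), the following Python script runs a batch of constructed, Sysmon-style telemetry records through two hunting checks derived from the artifacts described in the preceding paragraphs: a write of a file named Windows.Graphics.ThumbnailHandler.dll into %SystemRoot% or %SystemRoot%\Sysnative, and a process launched with an XMRig-style stratum pool URL, which is how a miner pointed at a private pool would surface. The record layout and the C:\Windows system root are assumptions; the stratum+tcp:// and stratum+ssl:// schemes and the -o/-u options come from general XMRig usage, not from the page; every sample event, the pool host and the wallet value are constructed.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Indicators taken from the write-up: the file name the decrypted MTX64 payload
# is written under, and the two directories it is written to.
IMPLANT_DLL = "windows.graphics.thumbnailhandler.dll"
SYSTEM_ROOT = r"C:\Windows"  # assumption: default %SystemRoot%; read it from the host in practice
IMPLANT_DIRS = {SYSTEM_ROOT.lower(), (SYSTEM_ROOT + r"\Sysnative").lower()}

# Not from the write-up: pool URL schemes XMRig accepts in its -o/--url option
# (assumption based on general XMRig usage), used to spot a miner aimed at a private pool.
STRATUM_SCHEMES = ("stratum+tcp://", "stratum+ssl://")


def _split_path(path: str) -> Tuple[str, str]:
    """Return (lower-cased directory without trailing backslash, lower-cased file name)."""
    directory, name = ntpath.split(path)
    return directory.rstrip("\\").lower(), name.lower()


def check_file_create(event: Dict[str, str]) -> Optional[str]:
    """Flag a write of the implant DLL name into %SystemRoot% or %SystemRoot%\\Sysnative."""
    directory, name = _split_path(event["target"])
    if name == IMPLANT_DLL and directory in IMPLANT_DIRS:
        return f"implant DLL written to {event['target']} by {event['image']}"
    return None


def check_process_create(event: Dict[str, str]) -> Optional[str]:
    """Flag a process whose image name or command line looks like an XMRig launch."""
    _, name = _split_path(event["image"])
    cmdline = event.get("cmdline", "").lower()
    if "xmrig" in name or any(scheme in cmdline for scheme in STRATUM_SCHEMES):
        return f"miner-like process {event['image']} ({event.get('cmdline', '')})"
    return None


# Dispatch table: event type -> check function.
CHECKS = {"file_create": check_file_create, "process_create": check_process_create}


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run each event through the check for its type; return (event index, reason) hits."""
    hits = []
    for index, event in enumerate(events):
        check = CHECKS.get(event["type"])
        reason = check(event) if check else None
        if reason:
            hits.append((index, reason))
    return hits


# Constructed sample telemetry (simplified Sysmon-style records, not real logs).
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\game-repack\setup.exe",
     "target": r"C:\Windows\Windows.Graphics.ThumbnailHandler.dll"},
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\game-repack\setup.exe",
     "target": r"C:\Windows\Sysnative\Windows.Graphics.ThumbnailHandler.dll"},
    # Same file name outside the two system directories: not flagged.
    {"type": "file_create", "image": r"C:\Program Files\Example\updater.exe",
     "target": r"C:\Program Files\Example\Windows.Graphics.ThumbnailHandler.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\taskmgr.exe",
     "cmdline": "taskmgr.exe"},
    {"type": "process_create", "image": r"C:\ProgramData\svc\svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER"},
]

if __name__ == "__main__":
    for index, reason in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

Both checks are deliberately narrow: the DLL check keys on the exact file name and the two directories the write-up names, so a same-named file dropped elsewhere is ignored, and the process check is meant as a starting point to be tuned against the telemetry of the environment it runs in (a legitimate mining host would trip it by design).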



    Related Information:

  • https://thehackernews.com/2025/02/trojanized-game-installers-deploy.html


  • Published: Wed Feb 19 05:05:06 2025 by llama3.2 3B Q4_K_M



    © Ethical Hacking News . All rights reserved.