Threat Actors Trojanize Popular Versions of Games To Infect Systems Bypassing Evasion Techniques

In a sophisticated cyberattack campaign dubbed “StaryDobry,” threat actors have exploited popular games to distribute malicious software, targeting users worldwide. The campaign, first detected on December 31, 2024, leveraged trojanized versions of games such as BeamNG.drive, Garry’s Mod, and Dyson Sphere Program, distributed via torrent sites. These repackaged games contained a hidden payload designed to […] The post Threat Actors Trojanize Popular Versions of Games To Infect Systems Bypassing Evasion Techniques appeared first on Cyber Security News.

Feb 19, 2025 - 08:58

Threat Actors Trojanize Popular Versions of Games To Infect Systems Bypassing Evasion Techniques

In a sophisticated cyberattack campaign dubbed “StaryDobry,” threat actors have exploited popular games to distribute malicious software, targeting users worldwide.

The campaign, first detected on December 31, 2024, leveraged trojanized versions of games such as BeamNG.drive, Garry’s Mod, and Dyson Sphere Program, distributed via torrent sites.

These repackaged games contained a hidden payload designed to bypass detection and install a cryptominer on victims’ systems.

The attackers capitalized on the holiday season’s surge in torrent activity, uploading these malicious game installers as early as September 2024.

While the security analysts at Securelist identified that the victims were primarily located in Russia, Brazil, Germany, Belarus, and Kazakhstan.

The malware’s primary goal was to deploy the XMRig cryptominer, exploiting the high-performance hardware of gaming systems to mine cryptocurrency.

Execution of The Trojanized Installer

The infection chain begins with a seemingly legitimate installer created using Inno Setup. Upon execution, the installer decrypts and extracts malicious files using the AES algorithm with a hard-coded key.

Key components include the unrar.dll dropper, which decrypts and executes additional payloads while evading detection by performing anti-debugging checks.

Anti-debug checks example (Source – Securelist)

These checks scan for sandbox environments or debugging tools like taskmgr.exe and procmon.exe. If detected, the malware halts execution.

The malware collects system fingerprints by retrieving parameters such as MachineGUID, memory size, processor count, and GPU details.

This information is encoded in Base64 and sent to a command-and-control (C2) server.

The malware then creates two files: %SystemRoot%\%hash%.dat (storing the fingerprint) and %SystemRoot%\%hash%.efi (a decoy file). Here the decompiled installer code responsible for these actions.

Decompiled Installer Code (Source – Securelist)

The final payload, MTX64.exe, is decrypted using AES-128 and disguised as legitimate Windows DLL files by spoofing resource properties such as CompanyName and FileVersion.

The malware further obfuscates its presence by altering file creation timestamps.

The XMRig miner implant constructs a predefined command line based on system specifications.

It avoids execution on systems with fewer than eight CPU cores, ensuring optimal mining performance.

Unlike typical mining campaigns that use public pools, this operation hosted its own mining infrastructure to evade detection.

To maintain stealth, the attackers employed DNS-over-HTTPS (DoH) for encrypted communication with their C2 servers.

This tactic obscured network traffic from traditional monitoring tools, complicating detection efforts.

By exploiting user trust in popular games and employing advanced evasion techniques, threat actors have demonstrated their ability to infiltrate systems undetected while maximizing financial gain through cryptomining.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

The post Threat Actors Trojanize Popular Versions of Games To Infect Systems Bypassing Evasion Techniques appeared first on Cyber Security News.