Go Back   Carder.life > [en] International Forum > Carding News
Reload this Page Cracked Garry’s Mod, BeamNG.drive games infect gamers with miners

CARDER.MARKET - CARDING FORUM FOR PROFESSIONAL CARDERS


 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 01-09-2025, 07:08 AM
Artifact's Avatar

Artifact Artifact is offline
Administrator
Join Date: Jan 2024
Posts: 0
Default

A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
These titles are top-rated games with hundreds of thousands of 'overwhelmingly positive' reviews on Steam, making them good targets for malicious activity.
It's worth noting that a laced Beamng mod was https://www.reddit.com/r/BeamNG/comm...ossible_by_an/ as the initial access vector for a https://www.bleepingcomputer.com/new...-25gb-of-data/ in June 2024.
According to https://securelist.com/starydobry-ca...rrents/115509/, the StaryDobry campaign started in late December 2024 and ended on January 27, 2025. It mostly impacted users from Germany, Russia, Brazil, Belarus, and Kazakhstan.
The threat actors uploaded infected game installers onto torrent sites in September 2024, months in advance, and triggered the payloads within the games during the holidays, making detection less likely.

StaryDobry campaign timeline
StaryDobry infection chain
The StaryDobry campaign used a multi-stage infection chain culminating with an XMRig cryptominer infection.
Users downloaded the trojanized game installers from torrent sites, which appeared normal, including the actual game they were promised, plus malicious code.

One of the malicious torrents used in the campaign
During the game's installation, the malware dropper (unrar.dll) is unpacked and launched in the background, and it checks if it's running on a virtual machine, sandbox, or debugger before proceeding.
The malware demonstrates highly evasive behavior, terminating immediately if it detects any security tools, possibly to avoid harming the torrent's reputation.

Anti-debug checks
Next, the malware registers itself using 'regsvr32.exe' for persistence and collects detailed system information, including OS version, country, CPU, RAM, and GPU details, and sends it to the command and control (C2) server at pinokino[.]fun.
Eventually, the dropper decrypts and installs the malware loader (MTX64.exe) in a system directory.
The loader poses as a Windows system file, engages in resource spoofing to appear legitimate, and creates a scheduled task to persist between reboots. If the host machine has at least eight CPU cores, it downloads and runs an XMRig miner.
The XMRig miner used in StaryDobry is a modified version of the Monero miner that constructs its configuration internally before execution and does not access arguments.
The miner maintains a separate thread at all times, monitoring for security tools running on the infected machine, and if any process monitoring tools are detected, it shuts itself down.
The XMRig used in these attacks connects to private mining servers instead of public pools, making the proceeds harder to trace.
Kaspersky has not been able to attribute the attacks to any known threat groups but notes that it likely originates from a Russian-speaking actor.
"StaryDobry tends to be a one-shot campaign. To deliver the miner implant, the actors implemented a sophisticated execution chain that exploited users seeking free games," concluded Kaspersky.
"This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity."
https://www.bleepingcomputer.com/new...s-with-miners/
 

Tags
NULL

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump




All times are GMT. The time now is 05:26 PM.

Contact Us - Carder.life - Archive - Top