Hackers spread malware to Windows PCs on New Year’s Eve via torrents for several pirated games. They circulated for about a month in a “one-shot campaign,” infecting both consumers and businesses with cryptocurrency mining malware, according to antivirus provider Kaspersky.
The infections arrived through pirated games, including BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy. Kaspersky’s investigation found the hackers created and published the trojanized games in September, suggesting the cybercriminals spent months laying the groundwork for their malicious campaign.
On Dec. 31, the trojanized games received a command from the hackers’ servers to download and run a cryptocurrency miner, resulting in the mass infections, Kaspersky said.
The attack first fingerprints the victim machine and determines the country in which it’s based before installing a “slightly modified XMRig miner executable.” The crypto-miner will only activate if the PC has 8 CPU cores or more. If it does, it’ll secretly harness the computing power to generate the Monero cryptocurrency and send it to the hackers’ private mining pool server.
“This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity,” Kaspersky said.
In addition, the malware is smart enough to terminate itself if the user runs the trojanized game in a debugging environment like a virtual machine. The company also noticed that the malware’s code used some Russian language.
The discovery is a reminder to be careful around bootleg downloads; hackers often exploit them to circulate malware. But in this case, it doesn’t look like the attack targeted users in North America. Instead, Kaspersky’s antivirus flagged detections mostly in Russia “with additional cases in Belarus, Kazakhstan, Germany, and Brazil.”
Kaspersky adds that the hackers appear to have shut down their campaign on Jan. 27. The company’s antivirus has been updated to detect the threat.
About Michael Kan
Senior Reporter
