Cisco Talos recently revealed a new campaign targeting video game players and other PC modders. They detected a new cryptor used in several different malware campaigns hidden in seemingly legitimate files that users would usually download to install cheat codes into video games or other visual and game modifications.
What is a Cryptor?
A cryptor is a tool that encrypts or obfuscates a malicious payload so that signature-based anti-malware scanners do not recognise it. This cryptor is written in Visual Basic 6 and combines it with shellcode and process injection techniques. It is difficult to dissect and could pose a challenge for security analysts who are not familiar with Visual Basic 6.
These attacks are a return to form for classic virus campaigns: video game players are no strangers to dodging malicious downloads while trying to modify the games they play.
How Did It Work?
Video game players may choose to download cheats or modifications that change how a game looks or behaves. The adversaries use these gaming and OS modding tools as carriers for hidden malware to infect their victims.
Experts observed several small tools looking like game patches, tweaks or modding tools, but backdoored with malware obfuscated with this cryptor.
Therefore defenders need to be continuously vigilant and monitor the behaviour of systems within their network.
A Serious Threat to Enterprise Networks
The attackers in this case used video game-modding tools to trick users into executing malware droppers. This goes to show how dangerous it is to install random software from questionable sources.
This threat used a complex Visual Basic-based cryptor to hide its final payload. The dropper injected code into a newly created process so that simple anti-malware tools would not see the final payload on disk or in the original process. Most malware families keep refining their infection techniques in this way.
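The spawn-then-inject behaviour described above is something a detection engineer can look for in endpoint telemetry. The following Python is an added example, not code from Cisco Talos or from the campaign: it assumes a simplified Sysmon-like event shape (event id 1 for process creation, id 8 for a thread created in another process; the field names are an assumption, not Sysmon's exact schema) and runs a correlation rule over constructed sample events, flagging a process that creates a child and then starts a thread inside that child shortly afterwards.

```python
"""
Added example, not Cisco Talos's code: correlate process-creation and
remote-thread events to flag "spawn a new process, then inject into it".
Event ids are modelled on Sysmon (1 = ProcessCreate, 8 = CreateRemoteThread);
the dictionary field names are simplified assumptions.
"""
from datetime import datetime

PROCESS_CREATE = 1
CREATE_REMOTE_THREAD = 8

# Directories a freshly downloaded "game patch" typically runs from; an
# injector living in one of these is rated higher than a system binary.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a desktop shell launches a browser; nothing injects into it soon after.
    {"id": PROCESS_CREATE, "ts": "2021-03-31T10:00:00", "pid": 3010, "ppid": 1200,
     "image": "C:\\Program Files\\Browser\\browser.exe"},
    # Suspicious chain: a downloaded "patch" spawns a benign-looking host
    # process and starts a thread inside it two seconds later.
    {"id": PROCESS_CREATE, "ts": "2021-03-31T10:00:05", "pid": 4120, "ppid": 1200,
     "image": "C:\\Users\\alice\\Downloads\\game_patch_v2.exe"},
    {"id": PROCESS_CREATE, "ts": "2021-03-31T10:00:06", "pid": 4188, "ppid": 4120,
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"id": CREATE_REMOTE_THREAD, "ts": "2021-03-31T10:00:08",
     "source_pid": 4120, "target_pid": 4188},
    # Benign remote thread into a long-lived child, minutes after it started.
    {"id": CREATE_REMOTE_THREAD, "ts": "2021-03-31T10:05:00",
     "source_pid": 1200, "target_pid": 3010},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_injection_into_child(events, window_seconds=30):
    """Return alerts for remote-thread events whose target process was
    created by the injecting process within `window_seconds` beforehand.

    The correlation is the signal: a CreateRemoteThread on its own is
    common (debuggers, some installers), but a process that spawns a child
    and immediately starts a thread inside it matches the dropper behaviour
    described in the article.
    """
    created = {}   # pid -> ProcessCreate event, so thread events can look parents up
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == PROCESS_CREATE:
            created[ev["pid"]] = ev
            continue
        if ev["id"] != CREATE_REMOTE_THREAD:
            continue
        target = created.get(ev["target_pid"])
        if target is None or target["ppid"] != ev["source_pid"]:
            continue  # target was not spawned by the injector
        age = (_parse(ev["ts"]) - _parse(target["ts"])).total_seconds()
        if age > window_seconds:
            continue  # child is long-lived; not the spawn-then-inject pattern
        source = created.get(ev["source_pid"])
        source_image = source["image"] if source else "<unknown>"
        from_user_dir = any(d in source_image.lower() for d in USER_WRITABLE)
        alerts.append({
            "source_pid": ev["source_pid"],
            "source_image": source_image,
            "target_pid": ev["target_pid"],
            "target_image": target["image"],
            "seconds_after_create": age,
            "severity": "high" if from_user_dir else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_injection_into_child(SAMPLE_EVENTS):
        print(alert)
```

The rule is deliberately narrow: it only fires when the thread is created in a child that the same process spawned moments earlier, which keeps ordinary CreateRemoteThread noise from debuggers and installers out of the alert queue while still catching the dropper pattern described here.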
Since workers continue to operate remotely during the COVID-19 pandemic and mix work with their private computer usage, enterprises are even more likely to be attacked by compromised personal PC equipment belonging to their employees.
Employees will at times download modding tools or cheat engines from questionable sources to tweak their PC or the games running on the same machine they use for their job.
With the work-from-home trend unlikely to end any time soon, private PC equipment is increasingly used to connect into company networks, and that makes these downloads a serious threat to enterprise networks.
Companies must ensure their workers only download software from trusted sources. Because obfuscation techniques are so thoroughly documented and cryptors are cheap and easy to obtain, today's common threats are more sophisticated than they were in the past.
The adversaries combine clever techniques to make detection harder, so it is all the more important to have a multi-layered security architecture in place to detect these kinds of attacks. Experts say these campaigns, and the refinement of the TTPs being used, will likely continue for the foreseeable future.