Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack

Feb 19, 2025 | The Hacker News | Windows Security / Malware

Users searching for popular video games were lured into downloading trojanized installers that led to the deployment of a cryptocurrency miner on compromised Windows hosts.

The large-scale campaign, codenamed StaryDobry by Russian cybersecurity firm Kaspersky, was first detected on December 31, 2024. It lasted for a fortnight.

Targets of the campaign include individuals and businesses worldwide, with Kaspersky's telemetry showing higher infection counts in Russia, Brazil, Germany, Belarus, and Kazakhstan.

In an analysis published on Tuesday, researchers Tatyana Shishkova and Kirill Korchemny said, "This approach helped the threat actors make the most of the miner implant by targeting powerful gaming machines capable of sustaining mining activity."

The XMRig cryptocurrency miner campaign uses popular simulator and physics games such as BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy as lures to kick off a sophisticated attack chain.

The poisoned game installers were uploaded to several download sites in September 2024, indicating that the campaign's unknown threat actors had carefully planned the attacks.

Users who end up downloading these releases, also called "repacks," are shown an installer screen that urges them to proceed with the installation process, during which a dropper ("unrar.dll") is extracted and executed.

Owing to its highly evasive behavior, the DLL file continues execution only after performing a series of checks to determine whether it is running in a debugging or sandboxed environment.

It then polls various sites such as api.myip[.]com, ip-api[.]com, and ipwho[.]is to obtain the user's IP address and determine their location. For reasons unknown, the country defaults to China or Belarus if this step fails.

Next, it fingerprints the machine and decrypts another executable ("MTX64.exe"), writing its contents to a file on disk named "Windows.Graphics.ThumbnailHandler.dll" in either the %SystemRoot% or %SystemRoot%\Sysnative folder.

MTX64 hijacks the Windows Shell Extension Thumbnail Handler functionality for its own ends by loading a next-stage payload, a portable executable named Kickstarter, which then unpacks an encrypted blob embedded within it.

The blob, as in the previous step, is written to disk under the name "Unix.Directory.IconHandler.dll" in the folder %appdata%\Roaming\Microsoft\Credentials\%InstallDate%.

The newly created DLL is configured to retrieve the miner implant's final-stage binary from a remote server, while also periodically checking for taskmgr.exe and procmon.exe in the list of running processes. If either process is found, the artifact is immediately terminated.

The miner is a slightly modified version of XMRig that uses a predefined command line to start the mining process on machines with CPUs that have 8 or more cores.

"If there are fewer than 8, the miner does not start," the researchers said. Furthermore, the attacker did not use a public pool, choosing instead to host a mining pool server on their own.

"XMRig parses the constructed command line using its built-in functionality. The miner also creates a separate thread using the same technique as in the previous stage to check for process monitors running in the system."
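The behaviours described above (the geolocation lookups, the two DLLs dropped into the %SystemRoot%/Sysnative and Credentials folders, and the watch for taskmgr.exe and procmon.exe) are all observable in endpoint telemetry. The script below is an added example, written for this page and not Kaspersky's or The Hacker News' code, that turns those observations into hunting rules and runs them over a handful of constructed, Sysmon-like events. The `key=value|key=value` log format, the event field names, the `granted_access` check against the PROCESS_TERMINATE bit (0x1), and the host names are all assumptions made for the example; the file names, folders and geolocation hosts are the ones the article reports.

```python
import re
from collections import defaultdict

# DLL names and folders the article reports the chain dropping; the folder
# patterns are an assumption derived from the described paths (case-insensitive).
DROPPED_DLLS = {
    "windows.graphics.thumbnailhandler.dll": r"\\(system32|sysnative)\\",
    "unix.directory.iconhandler.dll": r"\\roaming\\microsoft\\credentials\\",
}
# Geolocation services the dropper polls (de-fanged in the article).
GEOIP_HOSTS = {"api.myip.com", "ip-api.com", "ipwho.is"}
# Monitoring tools the implant looks for in the process list.
WATCHED_TOOLS = {"taskmgr.exe", "procmon.exe"}
PROCESS_TERMINATE = 0x1  # Win32 access-right bit assumed to appear in ProcessAccess events

# Constructed, Sysmon-like events (not real telemetry). WS01 shows the chain
# described in the article; WS02 shows a browser doing an ordinary IP lookup.
SAMPLE_LOG = """\
host=WS01|type=FileCreate|image=C:\\Users\\bob\\Downloads\\BeamNG_repack\\setup.exe|target=C:\\Users\\bob\\AppData\\Local\\Temp\\unrar.dll
host=WS01|type=DnsQuery|image=C:\\Users\\bob\\Downloads\\BeamNG_repack\\setup.exe|query=api.myip.com
host=WS01|type=FileCreate|image=C:\\Users\\bob\\Downloads\\BeamNG_repack\\setup.exe|target=C:\\Windows\\Sysnative\\Windows.Graphics.ThumbnailHandler.dll
host=WS01|type=FileCreate|image=C:\\Windows\\explorer.exe|target=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Credentials\\20240901\\Unix.Directory.IconHandler.dll
host=WS01|type=ProcessAccess|image=C:\\Windows\\explorer.exe|target=C:\\Windows\\System32\\Taskmgr.exe|granted_access=0x1
host=WS02|type=DnsQuery|image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|query=ip-api.com
host=WS02|type=FileCreate|image=C:\\Windows\\System32\\msiexec.exe|target=C:\\Windows\\System32\\vendor.dll
"""


def parse_event(line):
    """Turn one 'k=v|k=v' record into a dict; values are kept verbatim."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def _basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev):
    """Return (rule, detail) when the event matches a described behaviour, else None."""
    kind = ev.get("type")
    if kind == "FileCreate":
        target = ev["target"].lower()
        pattern = DROPPED_DLLS.get(_basename(target))
        # Name alone is not enough: it must land in the folder the chain uses.
        if pattern and re.search(pattern, target):
            return ("dropped_dll", _basename(target))
    elif kind == "DnsQuery":
        if ev["query"].lower() in GEOIP_HOSTS:
            return ("geoip_lookup", ev["query"].lower())
    elif kind == "ProcessAccess":
        name = _basename(ev["target"])
        if name in WATCHED_TOOLS and int(ev["granted_access"], 16) & PROCESS_TERMINATE:
            return ("monitor_tool_terminate", name)
    return None


def analyze(log_text):
    """Map host -> list of (rule, detail) findings over the whole log."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hit = check_event(ev)
        if hit:
            findings[ev["host"]].append(hit)
    return dict(findings)


def suspicious_hosts(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired.
    A lone geolocation lookup is common in benign software, so a single
    rule is treated as a lead to review, not an alert."""
    return sorted(host for host, hits in findings.items()
                  if len({rule for rule, _ in hits}) >= min_rules)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, hits in result.items():
        print(host, hits)
    print("suspicious:", suspicious_hosts(result))
```

Only WS01 crosses the threshold: two dropped DLLs in the described folders, a geolocation query from the game installer, and a PROCESS_TERMINATE handle opened on Taskmgr.exe. WS02's single ip-api.com query from Firefox stays a lead rather than an alert, which is why the rules are correlated per host instead of fired individually. The dropper name unrar.dll is deliberately left out of the rules because it is too generic to be useful on its own.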

StaryDobry remains unattributed, given the lack of any indicators that might link it to known crimeware actors. That said, the presence of Russian-language strings in the samples suggests a possible Russian-speaking threat actor.
