Intrusions spreading the XMRig cryptocurrency miner via malicious game installers have been deployed against businesses and individuals around the world, especially in Russia, Belarus, Brazil, Germany, and Kazakhstan, as part of the StaryDobry campaign, which ran for a month beginning at the end of December, The Hacker News reports.
According to an analysis from Kaspersky, trojanized installers for the games BeamNG.drive, Universe Sandbox, Garry's Mod, Plutocracy, and Dyson Sphere Program were uploaded to torrent sites in September; once downloaded and run, they display an installer screen that lures targets into continuing with the setup process while the dropper is extracted and executed. After performing sandbox checks on its environment, the DLL dropper fingerprints the machine and decrypts an executable before creating a new DLL file that fetches a modified XMRig miner variant, which activates cryptomining only on machines whose CPUs have at least eight cores. While the identity of the StaryDobry perpetrators remains uncertain, Russian-speaking attackers are suspected to be behind the campaign, given the Russian-language strings found in the recovered samples.