A newly identified ransomware strain uses the signed executable of the popular video game “Honkai: Star Rail” to launch itself while avoiding detection.
The ransomware, dubbed “Kransom” and discovered by analysts from ANY.RUN, relies on dynamic-link library (DLL) side-loading: the legitimate "Honkai: Star Rail" executable, StarRail.exe, is made to load a malicious DLL, which hijacks the game's execution flow.
"Honkai: Star Rail" is a popular roleplaying game with about 21 million players. StarRail.exe carries a valid code-signing certificate from the game’s publisher, COGNOSPHERE PTE. LTD., and is not harmful on its own.
However, once the malicious StarRailBase.dll is placed where the game will load it (typically alongside the executable), launching StarRail.exe loads the ransomware and begins encrypting the victim’s files. Kransom uses a simple XOR scheme with the single-byte key 0xaa to encrypt files, the ANY.RUN analysts said in a blog post published Monday. Because XOR with a fixed byte is its own inverse, such "encryption" is trivially reversible without any key from the attacker.
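The following is an added example, not code from ANY.RUN's analysis or from the malware: it shows why a single-byte XOR scheme like the one reported for Kransom offers no real protection. The same function encrypts and decrypts, and even if the key were unknown, one byte of known plaintext (a file's magic number) recovers it. The file contents and the list of magic numbers are constructed for the example; only the key 0xaa comes from the article.

```python
"""Recover files locked with a single-byte XOR key.

Added example; not ANY.RUN's or the malware's own code. The sample
plaintexts below are constructed for illustration.
"""
from typing import Optional

KRANSOM_KEY = 0xAA  # key reported by ANY.RUN

# A few common file magics, used as known plaintext to recover the key
# when it is not known in advance (constructed, non-exhaustive list).
KNOWN_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key.

    XOR is its own inverse, so this one call both encrypts and decrypts.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def recover_key(ciphertext: bytes) -> Optional[int]:
    """Known-plaintext attack on a single-byte XOR key.

    For each known magic, XOR the leading ciphertext bytes with the
    expected plaintext bytes. A genuine match yields one consistent key
    byte across the whole magic; anything else is rejected.
    """
    for magic in KNOWN_MAGIC.values():
        if len(ciphertext) < len(magic):
            continue
        candidates = {c ^ p for c, p in zip(ciphertext, magic)}
        if len(candidates) == 1:
            return candidates.pop()
    return None


def decrypt_file_bytes(ciphertext: bytes) -> bytes:
    """Recover the key from the file header, then undo the XOR."""
    key = recover_key(ciphertext)
    if key is None:
        raise ValueError("no known file magic matched; key not recoverable")
    return xor_bytes(ciphertext, key)


if __name__ == "__main__":
    # Constructed sample: a PNG header followed by a placeholder body.
    plaintext = KNOWN_MAGIC["png"] + b"constructed sample image body"
    locked = xor_bytes(plaintext, KRANSOM_KEY)
    print("recovered key: 0x%02x" % recover_key(locked))
    print("roundtrip ok:", decrypt_file_bytes(locked) == plaintext)
```

The known-plaintext step is the point worth taking away: a fixed single-byte key leaks completely from any file whose first bytes are predictable, so a responder can write a decryptor from one recovered sample without ever seeing the malware's configuration. Files with no recognisable header (raw text, for instance) still decrypt with the key once it has been recovered from any other file on the same host.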
The ransom note left behind after encryption instructs the victim to contact the game’s developer, Hoyoverse, in a further attempt at impersonation.
DLL side-loading hijacks trusted applications for stealth
Kransom leverages the video game and its valid certificate to dodge suspicion from both users and antivirus software. Because the process that runs is a signed, well-known executable and the malicious code is loaded into it as a library, security tooling that trusts the signed image is less likely to flag the activity than if the user had directly launched an untrusted, unsigned executable.
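One check a defender can run against this pattern, added here as an example rather than taken from ANY.RUN's analysis: look for a trusted, signed process loading a DLL from its own directory that is either unsigned or signed by a different publisher than the host executable. The sample events below are constructed in the shape of Sysmon Event ID 7 (image load) records; the assumption that StarRailBase.dll is unsigned and that the game's own libraries are signed by COGNOSPHERE PTE. LTD. is the example's, not the article's.

```python
"""Flag candidate DLL side-loads in image-load telemetry.

Added example, not ANY.RUN's code. The events are constructed to mimic
Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, Signature); the
signature states of the DLLs are assumptions made for the example.
"""
import ntpath
from typing import Dict, List

# Constructed sample events, one per line, pipe-separated key=value pairs.
SAMPLE_EVENTS = [
    "EventID=7|Image=C:\\Games\\StarRail\\StarRail.exe"
    "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll"
    "|Signed=true|Signature=Microsoft Windows",
    "EventID=7|Image=C:\\Games\\StarRail\\StarRail.exe"
    "|ImageLoaded=C:\\Games\\StarRail\\StarRailBase.dll"
    "|Signed=false|Signature=",
    "EventID=7|Image=C:\\Games\\StarRail\\StarRail.exe"
    "|ImageLoaded=C:\\Games\\StarRail\\GameAssembly.dll"
    "|Signed=true|Signature=COGNOSPHERE PTE. LTD.",
    "EventID=1|Image=C:\\Games\\StarRail\\StarRail.exe"
    "|CommandLine=StarRail.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a pipe-separated key=value record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def is_suspicious_sideload(ev: Dict[str, str], trusted_publisher: str) -> bool:
    """True when a DLL loaded from the host image's own directory is not
    signed by the publisher we expect for that host image.

    Loads from other directories (for example System32) are ignored; a
    DLL next to the executable that carries the expected publisher's
    signature is accepted; anything else in that directory is flagged.
    """
    if ev.get("EventID") != "7":
        return False
    host_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    if host_dir != dll_dir:
        return False
    signed = ev.get("Signed", "false").lower() == "true"
    if signed and ev.get("Signature") == trusted_publisher:
        return False
    return True


def find_sideload_candidates(
    lines: List[str], trusted_publisher: str = "COGNOSPHERE PTE. LTD."
) -> List[str]:
    """Return the ImageLoaded paths that look like side-loaded DLLs."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_sideload(ev, trusted_publisher):
            hits.append(ev["ImageLoaded"])
    return hits


if __name__ == "__main__":
    for path in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible side-load:", path)
```

In practice this rule is a triage filter rather than a verdict: games and other large applications legitimately ship third-party DLLs signed by other vendors, so the publisher allow-list per host executable needs tuning, and a hash or Authenticode check on the flagged file should follow before anything is blocked.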
DLL side-loading has featured in earlier malware campaigns, including a 2022 Qakbot campaign that side-loaded the malware through the legitimate Windows 7 Calculator app.
Last year's supply chain attack on the business communication software 3CX also relied on DLL side-loading to hijack the application's execution flow, but in that case the 3CX Desktop App itself was compromised: the malicious code shipped inside the trojanized app, leading 3CX to revoke the certificate for the affected versions.
“The targeting of games like 'Honkai: Star Rail' in ransomware attacks suggests a potential risk of threat actors using similar methods with other popular software,” the ANY.RUN analysts wrote.
It is also common for malware to be distributed under the guise of video game cheats, mods, in-game currency or free versions of paid games. Users should be wary of downloading any software from an untrusted source.