Old-school gaming consoles are experiencing a resurgence, but in a troubling twist, hackers are adopting similar tactics to lure unsuspecting users. Recently, cybersecurity firm McAfee unveiled a new malware campaign known as “WeedHack.” This sophisticated virus, which emerged in January, operates as a “Malware-as-a-Service” model, allowing users to purchase it for the purpose of infecting potential victims.
WeedHack functions as a standard remote access infostealer. Once a computer is compromised, the malware can manipulate the user’s screen, access their webcam, and siphon off sensitive data. However, its method of propagation is particularly alarming. McAfee reports that users of WeedHack typically entice victims with the promise of unofficial “Minecraft” mods and clients, often found on file hosting sites. They employ videos showcasing these mods as bait, with download links acting as the hook. Anyone who downloads from these sources unwittingly invites the malware into their system. Another common tactic involves “SEO poisoning,” where WeedHack users create their own websites, falsely claiming to be the sole legitimate source for their “clients” or “mods,” and promote these sites on platforms like Discord and Reddit.
How the virus works
The enduring popularity of “Minecraft” makes it an ideal disguise for malicious actors. A recent investigation uncovered over 200 counterfeit apps designed to siphon funds from phone bills through automated subscriptions, several of which masqueraded as “Minecraft.” WeedHack takes this deception a step further by relying on Ethereum infrastructure to deliver its payload to victims’ computers.
A downloaded WeedHack payload initially appears as a JAR (Java Archive) file, which is unlikely to raise suspicion because the official “Minecraft” client is also Java-based. Once executed, however, the malware turns into a new executable that decrypts a list of Ethereum server domains and smart contract addresses. These servers host the primary WeedHack payload, which is then installed on the compromised computer. After this initial installation, the malware decompresses its files and begins executing its own scripts. One of WeedHack’s more nefarious tactics is to add itself to the antivirus exclusion list, so that its later stages are never scanned; adding a Windows Defender exclusion requires administrative rights, so an infection that reaches this step is already running elevated. While Microsoft has claimed that third-party antivirus solutions are unnecessary, McAfee’s tests indicate that Windows Defender is ineffective against WeedHack.
As WeedHack burrows deeper into a victim’s system, it collects extensive information, including connected Wi-Fi networks, browser cookies, and Discord tokens. Ultimately, it establishes remote access features that grant hackers complete control over the infected computer. Once fully integrated, WeedHack operators can surveil users through their webcams, pilfer cryptocurrency wallet credentials, and schedule tasks to ensure the infection persists.
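The two footholds described above, an antivirus exclusion and a scheduled task, leave traces an administrator can audit. The script below is an added example, not part of McAfee’s report or this article; it assumes Windows 10/11 with Microsoft Defender, an elevated PowerShell session, and that the directory list it treats as suspicious (user-writable locations) is a reasonable starting point for the reader’s environment.

```powershell
# Added audit script (not from the McAfee report): flags Defender exclusions and
# scheduled-task actions that point into user-writable directories, where a dropped
# payload would normally live. Assumes Windows 10/11 with Microsoft Defender and an
# elevated session (Get-MpPreference hides exclusion entries from non-administrators).

# User-writable roots that a legitimate exclusion rarely needs to cover (assumed list).
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                  (Join-Path $env:USERPROFILE 'Downloads'), 'C:\ProgramData') |
                Where-Object { $_ }

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Exclusions are often stored with %APPDATA%-style variables; expand before comparing.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($root in $suspectRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$prefs = Get-MpPreference

Write-Host '== Defender path/process exclusions in user-writable locations =='
foreach ($p in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
    if (Test-SuspectPath $p) { Write-Host "  EXCLUSION: $p" }
}
# A blanket extension exclusion disables scanning of every dropped file of that type.
foreach ($ext in @($prefs.ExclusionExtension)) {
    if ($ext -match '^\.?(jar|exe|dll|bat|cmd|ps1|vbs|js)$') { Write-Host "  EXT EXCLUSION: $ext" }
}

Write-Host '== Scheduled tasks launching from user-writable locations =='
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; Test-SuspectPath treats $null as clean.
        $tokens = @($action.Execute) + @("$($action.Arguments)" -split '\s+')
        # Check the executable and every argument, so a "java -jar %APPDATA%\x.jar" action is caught too.
        if ($tokens | Where-Object { Test-SuspectPath $_ }) {
            Write-Host "  TASK: $($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)"
        }
    }
}

Write-Host '== Recent Defender configuration changes touching exclusions (Event ID 5007) =='
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object { Write-Host "  $($_.TimeCreated)  $(($_.Message -split '\r?\n')[0])" }
```

Event ID 5007 entries record every Defender configuration change, so the final section shows when an exclusion was added even if it has since been removed.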
WeedHack is as much a virus as it is a community
While McAfee attributes the malicious code of WeedHack to a single “threat actor,” the virus’s insidious nature lies in its dual role as both malware and a training ground for aspiring hackers. The WeedHack virus is structured into two tiers: the first tier is free and includes the core infostealer capabilities, while users can opt for paid subscriptions starting at per month to unlock additional features such as webcam access and keyloggers. This model mirrors the freemium approach seen in many online games, but the implications are far more serious.
McAfee’s research reveals that a robust community has formed around WeedHack. The original creator offers tutorials on various topics, including how to use WeedHack, select targets, and optimize attacks. Subscribers are treated like friends in a Discord server, with a dedicated website that features a suggestion box for feature requests, a leaderboard encouraging users to maximize their victim count, and a “Build” section where they can create custom WeedHack payloads to infect legitimate Minecraft mods. This community aspect significantly enhances WeedHack’s effectiveness, as it lowers the barrier to entry for newcomers who may lack the technical expertise to engage in such activities. Furthermore, the choice of “Minecraft” as a vector is particularly concerning, as it primarily targets a younger audience that may not fully grasp the importance of online safety.