Cyber Threats in the Festive Season
In a recent report from Kaspersky Lab, a significant campaign known as StaryDobry has been identified, targeting users of popular torrent trackers. This operation commenced on the last day of 2024, strategically timed during the holiday season when user vigilance tends to wane and file-sharing activity surges. Over the course of a month, this attack affected users globally, with notable incidents reported in Russia, Belarus, Kazakhstan, Germany, and Brazil.
Cybercriminals have ingeniously transformed well-known games into vehicles for cryptocurrency mining. They disseminated trojanized versions of popular titles such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy. These malicious copies were uploaded to torrent trackers as early as September 2024, but their downloads peaked around the New Year festivities. Consequently, unsuspecting users who downloaded these games inadvertently installed a hidden miner—a software program designed to extract cryptocurrency by performing complex mathematical operations using the computer’s processing power.
Among the malware utilized in this campaign was XMRig, a software specifically designed for mining Monero (XMR). This tool is frequently exploited by malicious actors to conduct cryptocurrency mining without the consent of the device owner.
The execution of the infected installer triggered a sophisticated sequence of code execution, incorporating multiple layers of detection evasion. The malware was programmed to check the environment for debugging tools, analyze system parameters, and conceal its presence effectively. The primary objective of this attack was to mine Monero by harnessing the computational resources of the compromised machines.
During installation, the malware employed RAR libraries to extract files, checked the victim’s IP address, and sent system fingerprints to a command server. Subsequently, it decrypted and launched the MTX64 loader, which masqueraded as system files. This was followed by the execution of a kickstarter file that altered resources to further obscure the presence of the malicious code.
The final phase of the infection involved the installation of XMRig, which operated in the background, utilizing the victim’s CPU resources for mining activities. To evade detection, the program scrutinized the list of running processes and terminated itself if it identified any analysis tools such as Task Manager or Process Monitor.
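The process-list check described above has a useful side effect for defenders: a process that exits within seconds of an analysis tool starting is itself a signal. The following is an added example, not code from the Kaspersky report, showing that detection logic run over a handful of constructed process-start/stop events in the shape of simplified Sysmon-style records. The tool names, the ten-second window, the list of commonly impersonated system binaries and every sample event are assumptions made for the example; the second heuristic, flagging a system-binary name running from outside the Windows directory, follows the report's note that the loader masqueraded as system files.

```python
"""Added example (not from the Kaspersky StaryDobry report): flag processes
that stop shortly after an analysis tool starts, and note whether the
stopped process carried a system-binary name from a non-system path.

Input events are constructed, simplified process-start/stop records:
    <iso-timestamp> <start|stop> pid=<n> image=<path>
"""
from datetime import datetime, timedelta

# Assumed names of the analysis tools a miner might watch for.
ANALYSIS_TOOLS = {"taskmgr.exe", "procmon.exe", "procmon64.exe", "procexp.exe"}
# Assumed set of system binary names commonly impersonated by malware.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
# Assumed window: a stop this soon after a tool start is suspicious.
WINDOW = timedelta(seconds=10)

# Constructed sample telemetry, not real data. One process (pid 4312) runs a
# system-binary name from a Temp folder and exits 2 s after Task Manager starts.
SAMPLE_EVENTS = [
    "2024-12-31T10:00:00 start pid=4312 image=C:\\Users\\u\\AppData\\Local\\Temp\\svchost.exe",
    "2024-12-31T10:00:01 start pid=5000 image=C:\\Windows\\System32\\notepad.exe",
    "2024-12-31T10:05:00 start pid=6100 image=C:\\Windows\\System32\\Taskmgr.exe",
    "2024-12-31T10:05:02 stop pid=4312 image=C:\\Users\\u\\AppData\\Local\\Temp\\svchost.exe",
    "2024-12-31T10:05:30 stop pid=6100 image=C:\\Windows\\System32\\Taskmgr.exe",
    "2024-12-31T10:20:00 stop pid=5000 image=C:\\Windows\\System32\\notepad.exe",
]


def parse_event(line):
    """Parse one constructed event line into a dict."""
    ts, kind, pid_field, image_field = line.split(" ", 3)
    return {
        "ts": datetime.fromisoformat(ts),
        "kind": kind,
        "pid": int(pid_field.split("=", 1)[1]),
        "image": image_field.split("=", 1)[1],
    }


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_like_masquerade(path):
    """True if a well-known system binary name runs outside C:\\Windows."""
    return basename(path) in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\")


def find_analysis_evasion(lines, window=WINDOW):
    """Return findings for processes that stop within `window` of a tool start."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    tool_starts = [e for e in events
                   if e["kind"] == "start" and basename(e["image"]) in ANALYSIS_TOOLS]
    findings = []
    for ev in events:
        # Only non-tool process stops are candidates; the tool exiting is normal.
        if ev["kind"] != "stop" or basename(ev["image"]) in ANALYSIS_TOOLS:
            continue
        for tool in tool_starts:
            delta = ev["ts"] - tool["ts"]
            if timedelta(0) <= delta <= window:
                findings.append({
                    "pid": ev["pid"],
                    "image": ev["image"],
                    "trigger": basename(tool["image"]),
                    "seconds_after_tool_start": delta.total_seconds(),
                    "masquerade": looks_like_masquerade(ev["image"]),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_analysis_evasion(SAMPLE_EVENTS):
        print(f)
```

On real telemetry this heuristic should be paired with a CPU-usage baseline, since a legitimate process can also exit while Task Manager happens to be open; the combination of a quick exit, a system-binary name in a user-writable directory and sustained high CPU before the exit is what separates a background miner from noise.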
This incident has implications beyond individual users, extending to corporate systems where the miner could infiltrate through compromised employee devices. However, organizations were not the primary targets of the attackers. As of now, there is no confirmed information regarding the individuals or groups behind this campaign. This attack serves as a stark reminder of the risks associated with downloading content from untrusted sources.