Players of the popular first person shooter Counter Strike: Global Offensive (CS: GO) got more than they bargained for if they looked to download an app which allows users to cheat. The app modified to operate on macOS would also download and install a cryptocurrency miner unbeknownst to the cheater. The age old lesson of “Cheaters never prosper” is most apt in this situation as those looking to cheat would be aiding hackers in accruing Monero, a favoured cryptocurrency of hackers worldwide because of its increased anonymity features.
Players looking to get a leg up on their competition in a less than an ethical way by downloading the vHook app from the website vlone.cc. The original version of vHook was not Mac compatible but was advertised on YouTube. The latest version is based on the original vHook, termed Barbarossa, and was modified by a GitHub user going by “fetusfinn”. It appears as though the GitHub user was also the one who added the cryptocurrency miner to the code. The evidence for this resides in the use of the OSX.Pwnet.A miner that features debugger symbols that seem to reference the user name, Finn.
When users registered on vlone.cc and downloaded either the free or paid version of vHook were infected with OSX.Pwnet.A miner. The potential cheaters were soon turned to malware victims, however, the infection process was neither straightforward nor automatic. User’s needed to put in their root user password before installing the app. Given that users paying for and downloading the app for the purpose of cheating, they probably entered their root password without a second thought.
SentinelOne researcher Arnaud Abbati has confirmed that the Monero miner is linked to two email addresses registered with MinerGate. It has also been seen that the above-mentioned cryptocurrency miner is a modified version of the minergate-cli package which is written in the Qt framework. One of the addresses has also been linked to another macOS malware collecting Monero funds.
Counter-Strike users have been targeted previously
This is not the first time Counter-Strike players have been targeted by hackers. Towards the end of 2016 players looking for an advantage might have gotten a nasty surprise just in time for Christmas of that year. Players downloading and installing a cheat tool discovered a nasty booby trap. Once installed the tool acting as a Trojan would overwrite the Master Boot Record (MBR) and prevent the computer from booting in future. This could potentially render an expensive gaming system useless.
The author in this instance was trolling a forum which promotes the downloading of cheats in numerous games. Once the MBR was overwritten the following message would be displayed on the victim's system:
“Multiplayer Game Hacking
As you reboot, you find that something has overwritten your MBR!
It is a sad thing your adventures have ended here.
This is the result of the incompetent file analyzers from MPGH.
If you need cheats, use something else than MPGH.
Greetings from ULLR. <3”
Not only CS: GO players targeted by threat actors
On Tuesday of this week security researcher Tomáš Gardoň, of ESET, found the Joao trojan hidden in illegal copies of Aeria games. The malware was distributed through unofficial websites. The malware downloaded is modular in nature as once downloaded and installed on the victim's system it can then download and virtually install any other malicious code on the victim’s system. The malware was been distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.
In the past several other Aeria games have been abused in a similar way to distribute malware. In the past websites peddling the corrupted versions go inactive or remove the malicious download. In response to the most recent abuse, ESET has blocked the website and notified Aeria games as to the problem.
How does Joao work?
As soon as the game launcher is launched so is Joao’s main component, a malicious library mskdbe.dll, detected by ESET’s systems as Win32/Joao.A. Upon the initial launch the downloader first sends basic information about the victim’s computer. Information such as device name, OS version and information on user privileges is sent to the attacker’s server. The malware runs essentially silently and is very hard to detect as the game runs as it should. It is only when looking in the games installation folder does one see an extra .dll file not seen in the original version.
After the initial communication between the victim’s computer and the attacker’s server, the server applies a set logic on which components to send to the victim’s computer. During ESET’s research components capable of backdoor, spying, and DDoS attacks.
In order to see if your system has been infected, it is advised you a search for “mskdbe.dll”, if the search returns a result, your computer has most likely been infected with the Joao malware. It should be noted that if the search returns no result it does not mean your system is not infected as the attackers can change the file name at any point.
The researcher’s at ESET have advised the following measures when gaming without the worry of threats:
- Only purchase and download games from official sources. The MMORPGs mentioned above may only account for a fraction of the games available for download on unofficial sites which may be compromised.
- Ensure games are kept up to date. Games do have vulnerabilities that can be exploited. Patches are released to prevent the vulnerabilities from being exploited by cyber criminals.
- Use a reliable security solution. This should be kept on when gaming to help ensure you are protected. Gamers are often faced with more than one threat. Remain educated as to potential threats and how they change over time.
While some might think that gamers looking to cheat might deserve the above-mentioned circumstances, the fact remains that the hackers are still leveraging malware illegally for whatever their intended purposes are. These are still instances of cyber-crime and should be treated as seriously as other instances which often grab the headlines.