Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Gaming Malware. Show all posts

Hackers Make Fake Cthulhu Website to Distribute Malware


Fake Cthulhu website spreads malware 

Threat actors have made a fake 'Cthulhu World ' play-to-earn community, this includes websites, social accounts, a medium developer site, and Discord groups to spread the Raccoon stealer, AsyncRAT, and Redline password stealing malware on innocent targets.

As play-to-earn communities have risen in popularity, threat actors and scammers constantly attack these new platforms for suspicious activities. 

The same applies to a new malware distribution campaign found by cybersecurity expert "iamdeadlyz", where hackers made an entire project to advertise a fake play-to-earn game known as Cthulhu World.

Hackers promote the fake project 

To publicize the 'project,' hackers send direct messages to users on Twitter asking if they wish to perform a test of their new game. In return of testing and promoting the game, the hackers promise of rewarding in Ethereum. 

When a user visits cthulhu-world.com site (currently down), users are welcomed with a well designed website, it includes information about the project and an interactive map of the game's environment.

But, it is a fake site which is a copy of the original Alchemic World Project, which has warned its users to stay aware of the fake project. Someone made a fake account for our project, and copied the website, and all social media.

Experts say to "stay away"

"STAY AWAY this account and don't follow them. All their assets were stolen from our project," Tweeted Alchemic World. 

The Cthulhu World website is also different in some ways, for instance, when a user clicks the upper right-hand corner arrow on the website, the site brings them to a webpage requesting a "code" to download the "alpha" test of the project.

The hackers then distribute these codes to potential victims as a part of their DM conversations on Twitter. The access code list can be found on the site's source code. 

3 downloaded files contain the malware 

On the basis of the code entered, one of the three files is downloaded from the DropBox. All of these three files will install different malware, which allows the threat actor to pick and choose how they want to attack a particular victim. 

The three malware found by AnyRun installs are Raccoon Stealer, AsyncRAT, and RedLine Stealer.

"As RedLine Stealer and Raccoon Stealer are known to steal cryptocurrency wallets, it is not surprising to find that some victims have already had their wallets cleaned out by this scam," says Bleeping Computer.

 
The Cthulhu World Website is currently shut down, but their Discord is up and running. It isn't clear if users on this Discord are aware that a website is sharing malware, however, few users have full faith that it is a genuine project.

How to protect yourself?

If you visited Cthulhu-world.com and installed any of their softwares, the user should immediately remove any items found and run an antivirus scan on the system right away.

You should also note that these malware infections can steal your cookies, crypto wallets, and saved passwords, you should reset all passwords and make a new wallet to import all the cryptocurrency.

The best way to protect yourself is to reinstall your system from scratch, as these malware infections give full access to an infected computer, and other suspicious malware can be installed.


Malicious PyPI Packages Surface, Attack Discord and Roblox


About PyPI Packages

10 malicious software packages were found in the Python Package Index (PyPI) repository, a week later, many others have come to surface, found by different firms. 

It has become a kind of whack-a-mole drill, taking out malicious codes only to find more taking its place. In the disclosure of last week, Check Point researchers discovered Trojanized packages imitating authentic components, it contained droppers for data stealing malware. 

This compelled Kaspersky researchers to further investigate the open source repository, which resulted in finding two more rogue offerings, known as "pyrequests" and "ultrarequests," that turned out to be one of the most famous popular packages in PyPI (simply known as "requests"). 

How did the attack happen?

Checkpoint says "Pypi has over 612,240 active users, working on 391,325 projects, with 3,664,724 releases.What many users are not aware is the fact that this one liner simple command can put them at an elevated risk. The pip install command triggers a package installation which can include a setup.py script."

The threat actor used a description of authentic "requests" package to fool victims into downloading harmful ones. The description includes false faked stats, saying the package was installed more than 230 million times in a month, having more than 48,000 stars on GitHub. 

The project description also hints towards web pages of legitimate requests package, along with the author's email. All mentions of orginal requests package have been interchanged with the names of malicious ones. 

Attackers target Discord and Roblox

When installed, it results in a W4SP Stealer infection, via which actors can extract Discord tokens, passwords, and saved cookies from browsers in seperate threads. 

Whereas, experts at Snyk earlier this week released findings about around 12 malicious PyPI packages that steal Discord and Roblox users' login credentials and payment details. Kyle Suero, Snyk's leading researcher, the malware also tries to steal Google Chrome data or pilfer passwords and bookmarks from Windows systems, pivoting through all the accounts. 

"Another interesting thing about this malware is that it is actually using Discord resources to distribute executables. Although this practice is not new, seeing cdn.discord.com tipped off our security researchers. The binaries are pulled down to the host via the Discord CDN," says Snyk.

The malicious packages have been wiped out from PyPI, but they don't have any idea about the number of times they were downloaded prior to that. Code repository attacks keep rising, as per ReversingLabs, attacks on npm and PyPI have collectively spiked from 259 in 2018 to 1,010 in 2021 — a 290% increase. 

"If we keep ignoring the core problem, that is trusting the code, we can't handle software supply chain security," says Tomislav Peričin, co-founder and chief software architect at ReversingLabs in the report. 






Microsoft Admits of Signing a Rootkit Malware

 

Earlier this month, Microsoft signed a driver called Netfilter that turned out to be a malicious network filter rootkit. Krasten Hahn, a G data malware analyst, first identified the rootkit which he later traced, analyzed, and identified as bearing Microsoft’s seal. 

When Microsoft researchers analyzed the rootkit, it was found that it communicated with Chinese command-and-control IPs (C2) and as it turns out, these belong to one of the companies called Ningbo Zhuo Zhi Innovation Network Technology Co. Ltd. and was labeled as 'Community Chinese Military' by the United States Department of Defense. 

Microsoft said that the threat actor’s goal is to cheat gaming systems. “To use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers,” according to Microsoft’s advisory. 

The company collaborated with Microsoft to analyze and patch any known security holes, including for affected hardware. Users will get clean drivers through Windows Update. Moreover, they added that the rootkit only works if a user authorizes the driver and it obtains administrator-level access on a PC to install the driver. The idea is that Netfilter won’t pose a threat to your PC unless you go out of your way to install it. 

On Friday, Microsoft acknowledged the mistake, saying that the security experts are monitoring the whole incident and have added malware signatures to Windows Defenders. The company has also shared the signatures with security companies. As of Monday morning, 35 security vendors had flagged the file as malicious.

The company has suspended the account and is reviewing the malware signs. However, the actor’s activity is limited to the gaming sector specifically in China, and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time, the company revealed.