In Large-Scale StaryDobry Attack, Trojanized Game Installers Deploy Cryptocurrency Miner.

Feb 19, 2025 | The Hacker News | Windows Security / Malware

Users looking for popular games were lured into downloading trojanized installers, which resulted in the installation of a cryptocurrency miner on affected Windows hosts.

Russian security firm Kaspersky, which first detected the large-scale activity on December 31, 2024, codenamed it StaryDobry. The campaign lasted for a fortnight.

Targets of the campaign include individuals and businesses worldwide, with Kaspersky's telemetry showing higher infection concentrations in Russia, Brazil, Germany, Belarus, and Kazakhstan.

Kaspersky researchers Tatyana Shishkova and Kirill Korchemny said in an analysis published on Tuesday that this approach helped the threat actors make the most of the miner implant by targeting powerful gaming machines capable of sustaining mining activity.

The campaign uses popular simulation and physics games like BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy as lures to kick off a sophisticated attack chain that ends with the XMRig cryptocurrency miner.

The poisoned game installers were uploaded to several download sites in September 2024, indicating that the campaign's unidentified threat actors had carefully planned the attacks.

Users who end up downloading these releases, also called "repacks," are served an installer screen that urges them to proceed with the setup process, during which a dropper ("unrar.dll") is extracted and executed.

The DLL file only continues to execute after performing a number of checks to determine whether it is running in a debugging or sandboxed environment, a sign of its highly evasive behavior.

Subsequently, it polls various sites like api.myip[.]com, ip-api[.]com, and ipwho[.]is to obtain the user's IP address and estimate their location. If this step fails, the country is defaulted to China or Belarus for reasons that aren't entirely clear.

The next step involves fingerprinting the machine, decrypting another executable ("MTX64.exe"), and writing its contents to a file on disk named "Windows.Graphics.ThumbnailHandler.dll" in either the %SystemRoot% or %SystemRoot%\Sysnative folder.

MTX64 modifies the Windows Shell Extension Thumbnail Handler functionality for its own gain, loading a next-stage payload, a portable executable named Kickstarter, which then unpacks an encrypted blob embedded within it.

The blob, like in the previous step, is written to disk under the name "Unix.Directory.IconHandler.dll" in the folder %appdata%\Roaming\Microsoft\Credentials\%InstallDate%\.

The newly created DLL is configured to retrieve the final-stage binary, which runs the miner implant, from a remote server, while also constantly checking for taskmgr.exe and procmon.exe in the list of running processes. If either process is found, the artifact is immediately terminated.

The miner, a slightly modified build of XMRig, uses a predefined command line to start the mining process on computers whose CPUs have 8 or more cores.

"If there are fewer than 8, the miner does not start," the researchers said. Additionally, the attacker chose to host a mining pool server on their own infrastructure as opposed to a private one.

"XMRig parses the constructed command line using its built-in functionality. The miner also employs the same technique as in the previous stage, creating a separate thread to check for process monitors running in the system."
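As an added defensive example, not code from Kaspersky or The Hacker News, the following Python script hunts for the chain described above in host telemetry: file creations at the two dropped-DLL locations, non-browser processes resolving the three IP-geolocation services the dropper polls, and processes that die within seconds of taskmgr.exe or procmon.exe starting, which is the self-termination behaviour shared by the loader DLL and the miner. The event schema, the installer path, the `payload.exe` name used for the fetched miner binary, the browser allow-list and the five-second correlation window are assumptions chosen for illustration; the telemetry is constructed, not real.

```python
"""Hunt for the StaryDobry artifacts described in the article in host telemetry.

Added example; indicators come from the article text, everything else is assumed.
"""
import ntpath
import re

# --- Indicators taken from the article (case-insensitive) -------------------
# %SystemRoot% is normally C:\Windows; Sysnative is the alias through which a
# 32-bit process reaches the real System32, so the file may land under either.
FILE_IOCS = [
    re.compile(r"\\Windows\\(?:Sysnative\\|System32\\)?Windows\.Graphics\.ThumbnailHandler\.dll$", re.I),
    # %APPDATA% expands to ...\AppData\Roaming; the subfolder is the install date
    re.compile(r"\\AppData\\Roaming\\Microsoft\\Credentials\\[^\\]+\\Unix\.Directory\.IconHandler\.dll$", re.I),
]
GEO_DOMAINS = {"api.myip.com", "ip-api.com", "ipwho.is"}   # polled by the dropper
MONITOR_TOOLS = {"taskmgr.exe", "procmon.exe"}              # trigger self-termination
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}       # assumed benign resolvers
EXIT_WINDOW = 5.0  # seconds; assumed correlation window, tune to your telemetry

# --- Constructed sample telemetry (not real data) ---------------------------
# Keys: type (process_create | process_terminate | file_create | dns_query),
# time (seconds), pid, image (process path), plus target/query where relevant.
INSTALLER = r"C:\Users\alice\Downloads\BeamNG_repack\setup.exe"          # constructed
STAGE2 = r"C:\Users\alice\AppData\Roaming\Microsoft\Credentials\20250101\payload.exe"  # hypothetical name
EVENTS = [
    {"type": "process_create", "time": 0.0, "pid": 100, "image": INSTALLER},
    {"type": "dns_query", "time": 1.2, "pid": 100, "image": INSTALLER, "query": "api.myip.com"},
    {"type": "file_create", "time": 2.0, "pid": 100, "image": INSTALLER,
     "target": r"C:\Windows\Sysnative\Windows.Graphics.ThumbnailHandler.dll"},
    {"type": "file_create", "time": 3.0, "pid": 200, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Credentials\20250101\Unix.Directory.IconHandler.dll"},
    {"type": "process_create", "time": 10.0, "pid": 300, "image": STAGE2},
    {"type": "process_create", "time": 40.0, "pid": 400, "image": r"C:\Windows\System32\taskmgr.exe"},
    {"type": "process_terminate", "time": 40.3, "pid": 300, "image": STAGE2},
    # benign noise: a browser resolving a geolocation site, and an unrelated exit
    {"type": "dns_query", "time": 50.0, "pid": 500,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "ip-api.com"},
    {"type": "process_terminate", "time": 90.0, "pid": 500,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]


def _exe(image):
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(image).lower()


def file_iocs(events):
    """File-creation events whose path matches one of the dropped-DLL locations."""
    return [e for e in events
            if e["type"] == "file_create" and any(p.search(e["target"]) for p in FILE_IOCS)]


def geo_lookups(events):
    """Non-browser processes resolving the IP-geolocation services the dropper polls."""
    return [e for e in events
            if e["type"] == "dns_query"
            and e["query"].lower() in GEO_DOMAINS
            and _exe(e["image"]) not in BROWSERS]


def exits_after_monitor_start(events, window=EXIT_WINDOW):
    """Processes (other than the monitor itself) that terminate within `window`
    seconds after taskmgr.exe or procmon.exe starts; a process that dies the
    moment a monitor opens behaves like the implant in the article."""
    starts = [e["time"] for e in events
              if e["type"] == "process_create" and _exe(e["image"]) in MONITOR_TOOLS]
    return [e for e in events
            if e["type"] == "process_terminate"
            and _exe(e["image"]) not in MONITOR_TOOLS
            and any(0 <= e["time"] - t <= window for t in starts)]


def hunt(events):
    """Run all three checks and return the matching events per category."""
    return {
        "file_iocs": file_iocs(events),
        "geo_lookups": geo_lookups(events),
        "monitor_evasion": exits_after_monitor_start(events),
    }


if __name__ == "__main__":
    for category, hits in hunt(EVENTS).items():
        print(f"{category}: {len(hits)} hit(s)")
        for e in hits:
            print("   ", e["time"], e["pid"], e.get("target") or e.get("query") or e["image"])
```

On real hosts the four event types map onto Sysmon Event IDs 1 (process create), 5 (process terminate), 11 (file create) and 22 (DNS query), or the equivalent EDR fields. The file-path check is the most specific of the three; the geolocation and monitor-exit checks are behavioural and will need tuning against legitimate software that also looks up its public IP or exits while Task Manager is open.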

Given the absence of any indicators that might connect StaryDobry to known crimeware actors, it remains unattributed. That said, the presence of Russian-language strings in the samples suggests that the threat actor might be from Russia.
