Activision is warning that cyberattackers are disguising malware — a remote-access trojan (RAT) — in cheat programs.
Activision, the company behind Call of Duty: Warzone, has issued a warning that a threat actor is taking out ads for cheat tools, which instead turn out to be remote-access trojan (RAT) malware .
The scam was first floated in March when a cyberattacker posted in hacking forums that they had a free, “newbie-friendly” method for spreading a RAT: Convince victims the malware is a video game cheat, Activision said in its warning.
“It is common practice when configuring a cheat program to run it the with the highest system privileges,” Activision reported. “Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code-signing, etc.”
At the time, the threat actor also posted the malware file to set up the attack, which received more than 10,000 views and 260 replies, Activision added. The post was followed up with additional instructions in the comments and linked to a YouTube video explainer, which racked up 5,000 views, the report said.
This was the first time researchers were able to identify the malware, which they’ve named “COD-Dropper v0.1”.
“Instead of malicious actors putting in hours of work creating complicated mitigation bypasses or leveraging existing exploits – they can instead work to create convincing cheat advertisements, which if priced competitively, could potentially get some attention,” Activision’s report added. “In December 2020, the dropper was also included in a ‘black hat’ tutorial aimed at ‘noobies’ looking to make some easy money.”
The report points out that many of the cheat forums try and block anything that doesn’t seem genuine, which means the attacker needs to keep a low profile to keep from getting booted.
“This advertisement did not appear to be particularly clever or take much effort, but still had people replying, asking if anyone had tried it before being removed a day later,” the report said.
The same ad has popped back up on the forums and was seen by Activision as recently as March 1. And a YouTube video promising an “undetected” cheat for COD: Warzone has detailed instructions on how to disable antivirus software and run the program as an admin — giving the malware full access to the victim’s system.
“In likely a further attempt to scam people, the description also offered a private version of the cheat for a $10 BTC payment,” the report added.
The comments show that people did try and download the tool.
Another YouTube video pushing the same malware showed up last August, with a direct link to infect the user, which had received 376 views, Activision added.
Activision pointed out that tricking players into downloading the software isn’t a heavy lift.
“While this method is rather simplistic, it is ultimately a social-engineering technique that leverages the willingness of its target (players that want to cheat) to voluntarily lower their security protections and ignore warnings about running potentially malicious software,” Activision added.
Activision explained that the malware is a RAT that gives an attacker full access to the victim’s machine, but it’s also a dropper, which can be customized to install other malicious code on victims’ computers. The observed dropper in this attack is a .NET app that after download will ask the target to agree to giving the bug admin privileges.
“Once the payload has been saved to disk, the application creates a VBScript named ‘CheatEngine.vbs,’” according to the report. “It then starts the ‘CheatEngine.exe’ process and deletes the ‘CheatEngine.exe’ executable. The creator/generator is a .NET executable that contains the dropper .NET executable as a resource object.”
Once the victim clicks on “:: Build ::, the application inspects the ‘COD_bin’ object with the ‘dnlib’ .NET assembly library, it replaces the URL placeholder named ‘[[URL]]’ with the provided URL and saves the ‘COD_bin’ resource under a new filename,” according to the analysis.
Gaming Under Attack
Gaming continues to be a sweet spot for malicious actors looking for a payday. Kaspersky found in a 2020 study that more than 61 percent of gamers reported being targeted by some kind of scam, including ID theft.
The late 2020 release of Cyberpunk 2077 was clobbered by glitches and a ransomware attack. And by February, attackers announced they were ready to hold an auction for the source code for Cyberpunk 2077 and the unreleased version of the Witcher 3 game, for an opening bid of $1 million. It’s not clear whether the threat was genuine or a bluff to get Cyberpunk’s developer, CD Projekt Red to pay its ransom.
In January, more than 500,000 insider-leaked gaming company credentials were up for sale on the dark web. Also in the same month, Campcom, the developer behind Resident Evil, Street Fighter and Dark Stalkers was breached, along with the data of more than 400,000 of its users.
“The video gaming industry is a popular target for various threat actors,” Activision said. “Players as well as studios and publishers themselves are at risk for both opportunistic and targeted cyberattacks – tactics range from leveraging fake APKs of popular mobile games, to compromising accounts for resale. Even [advanced persistent threat] actors have been known to target the video-gaming industry.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)