Derek B. Johnson
They say cheaters never prosper, and new security research indicates that malicious hackers are doing their part to bring that bromide to life for unscrupulous gamers, including those who are downloading trojanized video game cheat mods on their work devices.
Many of the hard lessons these gamers are learning also apply to computer users who download pirated, cracked or modded business software on their devices.
Cisco Talos researchers have identified a years-long hacking campaign that targets mods downloaded and installed by PC gamers to get around in-game physics rules and get a leg up on their competition. The attackers used a new cryptor to obfuscate the malware code they hid in seemingly legitimate files and evade detection from antivirus software.
In gaming, it’s common for communities of players to alter or reprogram code in the “vanilla” or base version of their favorite video games in order to tweak the physics engine, re-skin environments and otherwise break the established rules of the in-game world to gain a competitive advantage. These mods are then offered or sold online, with gamers often stumbling upon “how-to” videos on YouTubes that link to popular game mods and provide instructions for installing them.
These programs are often riddled with malware, and Cisco Talos security researcher Holger Unterbrink said in an interview with SC Media that the attackers in this campaign deployed a number of Remote Access Trojans and other forms of malware, like password and information stealers, to infect unsuspecting victims.
While it’s likely that more than a few bratty teenage cheaters were swept up in the campaign, Talos notes that the campaign represents a legitimate security threat for companies when their employees mix business and pleasure on their work devices.
Unterbrink said the popularity of targeting video game mods for malware tends to ebb and flow over time, but that he has noticed an uptick in the volume and amount of malware present in the game mods he’s looked at recently. Video game cheaters can be an attractive target for hackers because they have already demonstrated a willingness to break rules and are perhaps more open to taking risks or downloading programs from questionable sources.
While he is hoping to compile more hard data on the volume and prevalence of such attacks, Unterbrink said he suspects the increased activity he’s seen is related to the onset of the coronavirus pandemic over the past year.
“I think the key message is definitely, thanks to COVID and dramatic increase of people who are working from home, that people are infecting themselves on PCs with this kind of malware… and then they are dialing into their corporate networks with an infected machine,” said Unterbrink.
The Cisco Talos research comes in the same week that gaming giant Activision released its own report detailing very similar activity affecting its Call of Duty franchise. The company found postings on hacking forums and YouTube as recently as April 2021 by an unnamed threat actor promoting a Remote Access Trojan, suggesting the best way to spread it is to advertise it as a cheat mod and offering detailed instructions that could “allow for even unsophisticated threat actors to have a step-by-step guide on utilizing this technique against unsuspecting cheat seekers.”
This approach carries two main benefits. First, it provides a plausible excuse to urge users to disable their antivirus software, since that is often the first step to installing a cheating mod. Secondly, it replaces much of the legwork that goes into a hacking operation with a simple and straightforward social engineering approach. For the fake Call Of Duty cheat, the advertisements “did not appear to be particularly clever or take much effort” and yet still got plenty of engagement from users interested in the mod.
“Instead of malicious actors putting in hours of work creating complicated mitigation bypasses or leverages existing exploits, they can instead work to create convincing cheat advertisements, which if priced competitively, could potentially get some attention,” Activision wrote.
It’s not just video games that pose a threat to corporate networks. Any kind of pirated, cracked or modded software suffers from many of the same general risks and threats. Last year, Cybereason researchers identified a campaign by hackers to leverage flaws in BitBucket’s storage platform in order to update malware and infect users who downloaded cracked or pirated versions of commercially available software like Microsoft Word and Adobe Photoshop.
Unterbrink said the threat businesses face from unlicensed, malware-laced versions of commercial software is serious, both because of the potential damage to work systems and networks and because of the lack of visibility organizations have around what their employees and downloading and installing.
Some companies have very strict policies and monitoring around installing unlicensed software on work devices, while others have more relaxed rules and procedures. This means there are likely a number of businesses who have been hit by a modded software attack and aren’t aware of it.
“I think enterprise networks and companies really have to be aware of that,” said Unterbrink. “It is highly possible that someone with an infected machine is connecting into their network.”