Wednesday, February 19, 2025

XMRig miner attacks corporate users


Since December 31, 2024, our telemetry has been detecting a major surge in the activity of the XMRig cryptominer. While most of the malware launches were detected by home security solutions, some were found on corporate systems. A thorough investigation revealed that cybercriminals had been distributing the malware via game torrents. The attack likely targeted gamers in various countries, including Russia, Brazil, and Germany. However, the cryptominer also surfaced on corporate networks, most likely because employees were using work computers for personal purposes.

Malicious campaign

The campaign, affectionately named StaryDobry ("the good old one" in Russian) by our analysts, was carefully planned: malicious distributions were created and uploaded to torrent sites between September and December 2024. Naturally, the infected games were repacks: modified versions designed to bypass authenticity checks (in other words, cracked).

Customers started downloading and putting in these trojanized video games, and for some time, the malware confirmed no indicators of exercise. However then, on December 31, it acquired a command from the attackers’ distant server, triggering the obtain and execution of the miner on contaminated gadgets. The checklist of trojanized titles included well-liked sim video games comparable to Garry’s Mod, BeamNG.Drive, and Universe Sandbox.

We closely examined a sample of the malware and discovered the following:

  • Before launching, the program checks whether it is running in a debugging environment or a sandbox. If it is, the installation is immediately terminated.
  • The miner is a slightly modified executable of XMRig, which we covered in detail back in 2020.
  • If the infected machine has fewer than 8 CPU cores, the miner doesn't run.

Our products detect the malware used in this campaign as Trojan.Win64.StaryDobry.*, Trojan-Dropper.Win64.StaryDobry.*, and HEUR:Trojan.Win64.StaryDobry.gen. More technical details and indicators of compromise can be found in the Securelist publication.
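As an added example (not code from the post or from the Kaspersky analysts), here is a small Python triage routine a defender could run over endpoint process-start telemetry to flag the two behaviours the post calls out: torrent clients running on work machines, and XMRig-style miner command lines. The event records, the client image names and the XMRig argument patterns are assumptions constructed for the example; the 8-core threshold is the one the analysed sample enforces, and it is carried into the output so analysts remember that an analysis VM with fewer cores will never observe the mining stage.

```python
import re

# Constructed endpoint process-start events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-042", "cores": 16,
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "cmdline": "updater.exe -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 0"},
    {"host": "WS-043", "cores": 4,
     "image": r"C:\Program Files\qBittorrent\qbittorrent.exe",
     "cmdline": "qbittorrent.exe"},
    {"host": "WS-044", "cores": 8,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

# Common XMRig command-line conventions (assumption: a lightly modified build keeps them).
MINER_CMDLINE = re.compile(
    r"stratum\+(?:tcp|ssl)://|--donate-level|--cpu-max-threads-hint|(?:^|\s)-o\s+\S+:\d+",
    re.IGNORECASE,
)
# Typical BitTorrent client image names (assumption; extend to match your estate).
TORRENT_CLIENTS = {"qbittorrent.exe", "utorrent.exe", "bittorrent.exe",
                   "transmission-qt.exe", "deluge.exe"}
# The analysed sample refuses to mine on hosts with fewer than 8 cores.
MINER_CORE_THRESHOLD = 8


def classify_event(event):
    """Return the list of findings for one process-start event (empty if nothing matched)."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    findings = []
    if image_name in TORRENT_CLIENTS:
        findings.append("torrent-client")      # violates a no-torrents policy
    if MINER_CMDLINE.search(event["cmdline"]):
        findings.append("miner-cmdline")       # XMRig-style pool / donation arguments
        if event["cores"] < MINER_CORE_THRESHOLD:
            # This family would stay dormant here; a low-core sandbox would miss it.
            findings.append("low-core-host")
    return findings


def triage(events):
    """Map host -> findings for every event that produced at least one finding."""
    results = {}
    for event in events:
        findings = classify_event(event)
        if findings:
            results[event["host"]] = findings
    return results


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, ", ".join(findings))
```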

How to protect your corporate network from miners

From a corporate security perspective, the real concern isn't just the malware itself, but where it was discovered. A miner on a corporate network is certainly unpleasant, but at least it doesn't steal data. However, there's no guarantee that next time a repacked game won't be hiding a stealer or ransomware. As long as employees install pirated games on work computers, gaming-related malware will keep infiltrating corporate systems.

Therefore, the main recommendation for information security personnel is to block torrents at the security policy level (unless, of course, they are necessary for your company's business processes). Ideally, all non-work-related software should be completely prohibited. In addition, we have two traditional recommendations:
