Doctor Web specialists discovered and analyzed an unusual sample.
As it turned out, the attackers distribute MonsterInstall from their own sites offering cheats for popular games (registered in the .RU and .COM zones), and they also infect files on other sites of the same kind.
By requesting a cheat, the visitor receives a password-protected archive containing a loader program. “When users attempt to download a cheat, they download a password-protected 7zip archive to their computers. Inside there is an executable file which, upon launch, will download the requested cheats alongside other Trojan components”, the researchers say.
Testing has shown that this executable file downloads not only the requested content, but also the Trojan's components: an installer, a backdoor, an update module and a cryptocurrency miner.
The “bonus” malware installs itself in the system as a Windows service and registers itself for autorun through the Windows Task Scheduler. After launching, MonsterInstall first contacts google.com, yandex.ru or www.i.ua to obtain the current date. It then collects information about the system and sends it to the command-and-control server.
The response contains links to the resources hosting the working modules, but the trojan first compares the value of the dataTime parameter with the current date. If the difference is more than a week, it does not execute the commands. Otherwise, it downloads the required components and launches them.
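The date check above is worth understanding precisely, because it decides whether a sample detonates at all: the trojan takes its notion of "now" from a public site rather than the local clock, so a sandbox with its clock wound back, or a captured C2 reply replayed weeks later, produces no modules. The following is an added model of that gate written for this article; it is neither Doctor Web's code nor the trojan's. Only the parameter name `dataTime` comes from the report. Reading the HTTP `Date` header as the time source, the `YYYY-MM-DD HH:MM:SS` timestamp format, the `modules` field and the sample replies are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed: a response header block of the kind a client gets back from
# google.com, yandex.ru or www.i.ua. Only the Date header is used; that the
# trojan reads exactly this header is an assumption.
TIME_SOURCE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 07 Aug 2019 10:00:00 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Constructed C2 replies. `dataTime` is named in the report; the timestamp
# format and the `modules` list are assumptions.
FRESH_REPLY = json.dumps({
    "dataTime": "2019-08-05 12:00:00",
    "modules": ["http://c2.invalid/backdoor.bin", "http://c2.invalid/update.bin"],
})
STALE_REPLY = json.dumps({
    "dataTime": "2019-07-20 12:00:00",
    "modules": ["http://c2.invalid/backdoor.bin"],
})


def date_from_http_headers(raw):
    """Extract the Date header from a raw HTTP response; this is the 'real' clock."""
    for line in raw.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip())
    raise ValueError("no Date header in response")


def should_execute(reply_json, now, max_age=timedelta(days=7)):
    """Return the module links to run, or [] when dataTime is more than max_age
    away from the reference clock. The report only says 'difference', so the
    check is taken as symmetric (abs)."""
    reply = json.loads(reply_json)
    stamp = datetime.strptime(reply["dataTime"], "%Y-%m-%d %H:%M:%S")
    stamp = stamp.replace(tzinfo=timezone.utc)
    if abs(now - stamp) > max_age:
        return []
    return list(reply["modules"])


def refresh_for_replay(reply_json, now):
    """Lab helper: re-stamp a captured reply so that a sample replayed long after
    capture still passes the gate against the current reference date."""
    reply = json.loads(reply_json)
    reply["dataTime"] = now.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return json.dumps(reply)


if __name__ == "__main__":
    now = date_from_http_headers(TIME_SOURCE_RESPONSE)
    print("fresh reply ->", should_execute(FRESH_REPLY, now))
    print("stale reply ->", should_execute(STALE_REPLY, now))
    print("stale reply, re-stamped ->", should_execute(refresh_for_replay(STALE_REPLY, now), now))
```

The practical consequence for an analyst is that merely setting the machine clock in a sandbox does nothing: the reference date is fetched over the network, so a replay setup has to either serve a fresh `dataTime` (as `refresh_for_replay` does) or intercept the request to the time source.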
The module responsible for deploying the miner terminates the xmr, xmr64 and windows-update processes (if they are running), and once again collects information about the system and sends it to its server. In response, it receives configuration data, saves it as a JSON file, and starts mining the TurtleCoin cryptocurrency.
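The sequence described above (kill named processes, write a JSON config, launch a miner) is the kind of behaviour that is easier to catch by correlation than by any single indicator. The following is an added example written for this article, not code from Doctor Web or from the malware: a small correlation rule run over constructed endpoint events. The process names `xmr`, `xmr64` and `windows-update` come from the report; the event schema (`ts`, `pid`, `action`, `target`), the two-minute window, the sample paths and the requirement of at least two matching kills are assumptions, and real telemetry such as Sysmon would need a mapping layer into this shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the miner module terminates, per the report (compared without extension).
KILLED_NAMES = {"xmr", "xmr64", "windows-update"}

# Constructed sample telemetry: pid 4412 behaves like the miner module,
# pid 900 is a benign process that also writes a JSON file and spawns a child.
EVENTS = [
    "2019-08-07T10:00:01 pid=4412 action=terminate target=xmr.exe",
    "2019-08-07T10:00:01 pid=4412 action=terminate target=xmr64.exe",
    "2019-08-07T10:00:02 pid=4412 action=terminate target=windows-update.exe",
    "2019-08-07T10:00:05 pid=4412 action=connect target=203.0.113.10:443",
    "2019-08-07T10:00:06 pid=4412 action=file_write target=C:\\ProgramData\\cfg\\config.json",
    "2019-08-07T10:00:07 pid=4412 action=spawn target=C:\\ProgramData\\cfg\\miner.exe",
    "2019-08-07T10:05:00 pid=900 action=file_write target=C:\\Users\\a\\settings.json",
    "2019-08-07T10:05:01 pid=900 action=spawn target=C:\\Windows\\notepad.exe",
]


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime ts."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def _base_name(target):
    """'xmr64.exe' -> 'xmr64'; names without an extension are returned unchanged."""
    return target.lower().rsplit(".", 1)[0]


def find_miner_deployments(lines, window=timedelta(minutes=2), min_kills=2):
    """Flag a pid that kills at least min_kills of the listed processes and then,
    within `window`, writes a .json file and spawns a new process."""
    by_pid = defaultdict(list)
    for ev in map(parse, lines):
        by_pid[ev["pid"]].append(ev)

    hits = []
    for pid, evs in by_pid.items():
        kills = [e for e in evs
                 if e["action"] == "terminate" and _base_name(e["target"]) in KILLED_NAMES]
        if len(kills) < min_kills:
            continue
        start = kills[0]["ts"]
        later = [e for e in evs if start <= e["ts"] <= start + window]
        wrote_json = any(e["action"] == "file_write" and e["target"].lower().endswith(".json")
                         for e in later)
        spawned = [e["target"] for e in later if e["action"] == "spawn"]
        if wrote_json and spawned:
            hits.append({"pid": pid,
                         "killed": [k["target"] for k in kills],
                         "spawned": spawned})
    return hits


if __name__ == "__main__":
    for hit in find_miner_deployments(EVENTS):
        print(f"pid {hit['pid']}: killed {hit['killed']}, then launched {hit['spawned']}")
```

The point of anchoring on the kills is that terminating competing miners is not something ordinary software does, whereas writing a JSON file or starting a child process is; the benign pid 900 does both of the latter and is correctly ignored.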
“Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month”, the researchers also note.
MonsterInstall is not the first malware to target gamers. Four months ago, for example, a large-scale campaign was uncovered whose authors actively advertised a mobile version of the multiplayer game Apex Legends, as well as aimbots and cheats. The links distributed by the fraudsters actually led to malicious sites.