Sites with cheats for games distribute users to the load Trojan crypto miner

A new modular trojan downloader in JavaScript has appeared on the Internet. Currently, it can be obtained along with the crypto miner ad the load to the cheats for video games.

Windows malware, code-named MonsterInstall, is notable for using Node.js as the runtime environment.

Doctor Web specialists discovered and analyzed an unusual sample.

As it turned out, attackers distribute MonsterInstall from their sites with cheats to popular games (registered in .RU and .COM), and also infect files on other resources of the same profile.

“By requesting a cheat, the visitor receives a password-protected archive with a loader program. “When users attempt to download a cheat, they download a password-protected 7zip archive to their computers. Inside there is an executable file; which upon launch, will download the requested cheats alongside other trojan’s components”, — researchers says.

Testing has shown that this executable file loads not only the desired content, but also Trojan components: installer, backdoor, update module, cryptocurrency miner.

“Bonus” malware is installed in the system as a Windows service and is prescribed for autorun using the Windows Scheduler. After launching, MonsterInstall first refers to, or to get the current date. It then collects information about the system and sends it to the command server.

Response contains links to resources with working modules, but the trojan first compares the value of the dataTime parameter with the current date. If the difference is more than a week, he will not execute commands. Otherwise, it loads the necessary components and launches them for execution.

The module responsible for deploying the miner terminates the xmr, xmr64 and windows-update processes (if they are running), and also once again collects information about the system and sends it to its server. In response, he receives the configuration data, saves it as a JSON file, and starts mining the cryptocurrency – TurtleCoin.

“Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month”, – also note the researchers.

MonsterInstall is not the first malware attacking gamers. Four months ago, for example, a large-scale campaign revealed that authors which actively advertised mobile version of the multiplayer game Apex Legends, as well as aimbits and cheats. Distributed by fraudsters links actually led to malicious sites.


About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

MageCart on the Heroku Cloud Platform

Researchers Found Several MageCart Web Skimmers On Heroku Cloud Platform

Researchers at Malwarebytes reported about finding several MageCart web skimmers on the Heroku cloud platform …

Android Spyware CallerSpy

CallerSpy spyware masks as an Android chat application

Trend Micro experts discovered the malware CallerSpy, which masks as an Android chat application and, …

Leave a Reply