Doctor Web specialists discovered and analyzed an unusual sample.
As it turned out, attackers distribute MonsterInstall from their sites with cheats to popular games (registered in .RU and .COM), and also infect files on other resources of the same profile.
“By requesting a cheat, the visitor receives a password-protected archive with a loader program. “When users attempt to download a cheat, they download a password-protected 7zip archive to their computers. Inside there is an executable file; which upon launch, will download the requested cheats alongside other trojan’s components”, — researchers says.
Testing has shown that this executable file loads not only the desired content, but also Trojan components: installer, backdoor, update module, cryptocurrency miner.
“Bonus” malware is installed in the system as a Windows service and is prescribed for autorun using the Windows Scheduler. After launching, MonsterInstall first refers to google.com, yandex.ru or www.i.ua to get the current date. It then collects information about the system and sends it to the command server.
Response contains links to resources with working modules, but the trojan first compares the value of the dataTime parameter with the current date. If the difference is more than a week, he will not execute commands. Otherwise, it loads the necessary components and launches them for execution.
The module responsible for deploying the miner terminates the xmr, xmr64 and windows-update processes (if they are running), and also once again collects information about the system and sends it to its server. In response, he receives the configuration data, saves it as a JSON file, and starts mining the cryptocurrency – TurtleCoin.
“Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month”, – also note the researchers.
MonsterInstall is not the first malware attacking gamers. Four months ago, for example, a large-scale campaign revealed that authors which actively advertised mobile version of the multiplayer game Apex Legends, as well as aimbits and cheats. Distributed by fraudsters links actually led to malicious sites.
Source: https://www.bleepingcomputer.com
About Franoapas.co.in Franoapas.co.in pop-ups can not launch out of nowhere. If you have clicked on…
About News-xwamovi.cc News-xwamovi.cc pop-ups can not open out of nowhere. If you have clicked on…
About Happybase.xyz Happybase.xyz pop-ups can not introduce out of nowhere. If you have clicked some…
About Kentosim.xyz Kentosim.xyz pop-ups can not expose out of nowhere. If you have actually clicked…
About News-xhunoyi.cc News-xhunoyi.cc pop-ups can not launch out of nowhere. If you have actually clicked…
About Pectorsed.com Pectorsed.com pop-ups can not expose out of the blue. If you have clicked…