Cracked Games, Cryptojacked PCs: The StaryDobry Campaign

On December 31, cybercriminals launched a mass infection campaign, dubbed StaryDobry, leveraging the holiday season’s increased torrent traffic to distribute the XMRig cryptominer. The attack, which lasted for a month, targeted users worldwide, including in Russia, Brazil, Germany, Belarus, and Kazakhstan, using trojanized versions of popular games.

The campaign relied on distributing cracked versions of popular games via torrent sites. Some of the affected titles included BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy. These repacked installers contained a sophisticated infection chain designed to evade detection and deploy the miner implant.

Once a user downloaded and executed the trojanized installer, the malware would initiate a series of steps to extract and execute a malicious payload. The installer, created using Inno Setup, leveraged DLL side-loading techniques to inject the cryptominer into the victim’s system. Kaspersky notes, “Upon unpacking the archive, we found a trojanized installer” that carried out stealthy execution procedures.

The malware employed multiple defense evasion mechanisms, including:

• Anti-debugging checks: “First of all, the sample runs a series of methods to check if it’s being launched in a debugging environment.” The malware scans for sandbox modules and debugger software and terminates execution if detected.
• Geolocation verification: The malware queries multiple IP identification services such as api.myip[.]com and ip-api[.]com to determine the victim’s country. If the query fails, it defaults to China or Belarus as a fallback country code.
• Fingerprinting: The malware collects system information, including machine ID, OS version, memory, and CPU specifications. This data is encoded and sent to a command-and-control (C2) server.

After successfully bypassing security measures, the malware decrypts and deploys MTX64.exe, a loader designed to execute a modified XMRig miner. Kaspersky explains, “The malware retrieves MachineGUID from HKLM\Software\Microsoft\Cryptography and calculates its SHA256 checksum,” which helps it generate unique filenames for its dropped components. The miner then connects to a malicious mining pool server controlled by the attackers.

The mining payload uses custom command-line parameters to optimize CPU usage, ensuring stealthy operation. “Instead of parsing command-line arguments, it constructs a predefined command line,” the report states. Additionally, it monitors for process analysis tools like taskmgr.exe and procmon.exe, terminating itself if they are detected.

The campaign has primarily affected individual users, with some infections reported in corporate environments. “Most of the infections have been observed in Russia, with additional cases in Belarus, Kazakhstan, Germany, and Brazil,” Kaspersky notes.

Attribution remains unclear, though forensic evidence suggests a Russian-speaking actor may be behind the campaign. The report highlights, “There are no clear links between this campaign and any previously known crimeware actors, making attribution difficult.”

Related Posts:

• Cracked Software: A Gateway to Malware and Data Theft
• Microsoft Announces Critical Change to .NET Installer Distribution Domains
• Kaspersky Report: Criminals earning millions through mining malware
• The National Police Agency have the ability to crack iPhone
• Google is strengthening Android security and encourages vendors to strongly encrypt devices