According to a report by Kaspersky Lab, a large-scale campaign dubbed StaryDobry was launched on the last day of 2024 against users of popular torrent trackers. The operators timed it for the holiday season, when users' vigilance tends to drop and activity on file-sharing networks rises. Over roughly a month of activity, users worldwide fell victim to the infection, including in Russia, Belarus, Kazakhstan, Germany, and Brazil.
The attackers distributed trojanized repacks of well-known games such as BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy. The malicious versions had been uploaded to torrent trackers as early as September 2024, but the hidden payload was set to activate only on New Year's Eve. As a result, users who downloaded these games received the installation files together with a concealed XMRig miner.
Once the infected installer was launched, a dropper ran a series of anti-analysis checks before doing anything else: it looked for debuggers, examined system parameters for signs of a sandbox or analysis environment, and took steps to hide its presence on the machine. The goal of the whole operation was to use the computing power of infected machines to mine the cryptocurrency Monero (XMR), the usual choice for such campaigns because its RandomX algorithm is designed to be mined on ordinary CPUs.
During the installation phase, the malware used an unrar library to extract its files, looked up the victim's public IP address, and sent a fingerprint of the system to the command-and-control server. It then decrypted and executed the MTX64 loader, which disguised itself as a legitimate Windows system file. MTX64 in turn deployed a second-stage executable, Kickstarter, whose resource section had been replaced so that the embedded malicious code would not stand out on inspection.
The final stage installed XMRig, which ran silently in the background and consumed the victim's CPU for mining. To avoid being noticed, the miner kept polling the list of running processes and shut itself down as soon as it saw analysis tools such as Task Manager or Process Monitor, resuming only once they were gone. For defenders, that behaviour is itself a signal: a process that exits every time Task Manager opens is worth a closer look.
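To make the evasion behaviour concrete, here is an added example (written for this page, not code from Kaspersky's report or from the malware) that shows both sides of it: the miner-side check that decides whether an analysis tool is running, and a defender-side correlation over process start/stop events that flags a process exiting right after Task Manager or Process Monitor was launched. The event line format, the sample events, the `updater.exe` path, the inclusion of `procmon64.exe`, and the five-second window are all assumptions made for the example.

```python
"""Process-watchdog evasion (as described for the StaryDobry miner) and a
log-based detection for it.  Added example; not Kaspersky's or the sample's code.
The event lines below are constructed in a simplified 'time|kind|pid|image'
format, not a real Sysmon or Windows event-log format."""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

# Process names the miner reportedly watches for (compared case-insensitively).
# procmon64.exe is an assumption: Process Monitor ships both 32- and 64-bit binaries.
ANALYSIS_TOOLS = {"taskmgr.exe", "procmon.exe", "procmon64.exe"}


def analysis_tool_running(process_names):
    """Miner's side: True if any watched tool appears in the process list.
    The real sample polls the process list and stops mining when this is True."""
    return any(ntpath.basename(name).lower() in ANALYSIS_TOOLS for name in process_names)


@dataclass
class Event:
    ts: datetime
    kind: str      # "create" or "terminate"
    pid: int
    image: str     # full image path


def parse_events(lines):
    """Parse constructed 'time|kind|pid|image' lines, skipping blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, pid, image = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), kind, int(pid), image))
    return sorted(events, key=lambda e: e.ts)


def find_tool_triggered_exits(events, window=timedelta(seconds=5)):
    """Defender's side: return (terminated_image, pid, tool_image) for every
    non-tool process that terminated within `window` after an analysis tool
    started.  A benign process rarely exits exactly when Task Manager opens;
    a miner that watches for it does so every single time."""
    tool_starts = [e for e in events
                   if e.kind == "create" and ntpath.basename(e.image).lower() in ANALYSIS_TOOLS]
    hits = []
    for e in events:
        if e.kind != "terminate" or ntpath.basename(e.image).lower() in ANALYSIS_TOOLS:
            continue
        for t in tool_starts:
            if timedelta(0) <= e.ts - t.ts <= window:
                hits.append((e.image, e.pid, t.image))
                break
    return hits


# Constructed sample: a suspicious process dies one second after Task Manager
# starts, while notepad.exe (started earlier) keeps running and exits much later.
SAMPLE_LOG = r"""
# time|kind|pid|image  (constructed events, not real telemetry)
2025-01-02T10:00:00|create|4120|C:\Users\u\AppData\Local\Temp\updater.exe
2025-01-02T10:14:58|create|5208|C:\Windows\System32\notepad.exe
2025-01-02T10:15:00|create|6001|C:\Windows\System32\Taskmgr.exe
2025-01-02T10:15:01|terminate|4120|C:\Users\u\AppData\Local\Temp\updater.exe
2025-01-02T10:20:00|terminate|5208|C:\Windows\System32\notepad.exe
2025-01-02T10:21:00|terminate|6001|C:\Windows\System32\Taskmgr.exe
"""

if __name__ == "__main__":
    print("tool running:", analysis_tool_running(["explorer.exe", r"C:\Windows\System32\Taskmgr.exe"]))
    for image, pid, tool in find_tool_triggered_exits(parse_events(SAMPLE_LOG.splitlines())):
        print(f"suspicious: {image} (pid {pid}) exited right after {tool} started")
```

The correlation is deliberately simple: it keys only on timing between two event types, so it needs no signature for the miner binary itself and would catch any process using the same trick. In practice the same logic can be expressed as a query over Sysmon event IDs 1 and 5 in a SIEM, with the window tuned to the polling interval observed on the endpoint.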
Individual users bore the brunt of the attack, but corporate environments were also exposed: an employee who ran a trojanized game on a device that later connected to the company network would bring the miner in with it. Organizations were not, however, the attackers' primary target. As of now there is no conclusive evidence pointing to the identity of the perpetrators. The incident is a stark reminder of the risks of installing software from untrustworthy sources.