Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack

Users who are on the lookout for popular games were lured into downloading trojanized installers that led to the deployment of a cryptocurrency miner on compromised Windows hosts.

The large-scale activity has been codenamed StaryDobry by Russian cybersecurity company Kaspersky, which first detected it on December 31, 2024. It lasted for a month.

Targets of the campaign include individuals and businesses worldwide, with Kaspersky’s telemetry finding higher infection concentrations in Russia, Brazil, Germany, Belarus, and Kazakhstan.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

“This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity,” researchers Tatyana Shishkova and Kirill Korchemny said in an analysis published Tuesday.

The XMRig cryptocurrency miner campaign employs popular simulator and physics games like BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy as lures to initiate a sophisticated attack chain.

This involves uploading poisoned game installers crafted using Inno Setup onto various torrent sites in September 2024, indicating that the unidentified threat actors behind the campaign had carefully planned the attacks.

Users who end up downloading these releases, also called “repacks” are served an installer screen that urges them to proceed with the setup process, during which a dropper (“unrar.dll”) is extracted and executed.

The DLL file continues its execution only after running a series of checks to determine if it’s running in a debugging or sandboxed environment, a demonstration of its highly evasive behavior.

Subsequently, it polls various sites like api.myip [.]com, ip-api [.]com, and ipwho [.]is to obtain the user’s IP address and estimate their location. If it fails in this step, the country is defaulted to China or Belarus for reasons that are not wholly clear.

The next phase entails gathering a fingerprint of the machine, decrypting another executable (“MTX64.exe”), and writing its contents to a file on disk named “Windows.Graphics.ThumbnailHandler.dll” in either the %SystemRoot% or %SystemRoot%\Sysnative folder.

Based on a legitimate open-source project called EpubShellExtThumbnailHandler, MTX64 modifies the Windows Shell Extension Thumbnail Handler functionality for its own gain by loading a next-stage payload, a portable executable named Kickstarter that then unpacks an encrypted blob embedded within it.

The blob, like in the previous step, is written to disk under the name “Unix.Directory.IconHandler.dll” in the folder %appdata\Roaming\Microsoft\Credentials\%InstallDate%\.

The newly created DLL is configured to retrieve the final-stage binary from a remote server that’s responsible for running the miner implant, while also continuously checking for taskmgr.exe and procmon.exe in the list of running processes. The artifact is promptly terminated if any of the processes are detected.

The miner is a slightly tweaked version of XMRig that uses a predefined command line to initiate the mining process on machines with CPUs that have 8 or more cores.

“If there are fewer than 8, the miner does not start,” the researchers said. “Moreover, the attacker chose to host a mining pool server in their own infrastructure instead of using a public one.”

“XMRig parses the constructed command line using its built-in functionality. The miner also creates a separate thread to check for process monitors running in the system, using the same method as in the previous stage.”

StaryDobry remains unattributed given the lack of indicators that could tie it to any known crimeware actors. That said, the presence of Russian language strings in the samples alludes to the possibility of a Russian-speaking threat actor.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post.