Chris Campbell Oct 24, 2024 49 min read

A Cheater's Dilemma

As part of our 2024 Cyber Smart Week blog series, our security team share their thoughts and analysis of stealer malware being distributed through YouTube... 

A Reason to Play Fair

Online gaming has firmly established itself as a beloved pastime for current generations. With more people participating than ever before, games have become intensely competitive. This competition extends beyond professional streaming and e-sports, reaching leagues of average players who seek the approval of their peers and a personal sense of achievement.

Just as we see on sports fields (yes, outside, where the grass is), the relentless pursuit of victory can drive players to turn to ethically questionable methods to tilt the competition in their favour. While those in the know may turn to reputable cheat vendors, many others seek guidance from social media and streaming platforms like YouTube.

As mentioned in the previous blog post in the 2024 Cyber Smart Week series, all roads eventually lead to Lumma Stealer — and this journey is no different. Cheating can lead to severe consequences, far beyond just being banned from your favourite game.

Preface: Medibank Breach

In late 2022, Australian private health insurer Medibank suffered a major data breach, involving the theft of nearly 520GB of data. As could be expected for such an organisation, this included highly confidential documents such as the intimate medical records of their customers. The threat actor, BlogXX (said to be a relaunch of REvil), contacted Medibank between the 19th and 22nd of October, threatening to publish the data if their ransom demand of US$10m was not met. Medibank took the firm stance of refusing to pay the ransom, and subsequently segments of the data were published to their data leak site between the 9th November and 1st December.

On January 23rd 2024, the Australian government announced sanctions against a Russian national, Aleksandr Gennadievich Ermakov (aka, JimJones), for his role in the attack. A court filing was then made in June by the Australian Information Commissioner that provided the public with insight into how the intrusion occurred. On pages 2 and 3 it was described:

  • A Medibank contractor, who held the role of IT Service Desk Operator, had his username and password for Medibank systems saved in the browser profile on his work device. By signing into the same browser profile on his personal device, the Medibank credentials were synced across to that device too.
  • The contractor held both standard and elevated accounts, and the elevated account had access to most (or all) of Medibank’s systems.
  • On or around 7th August 2022, the personal computer of the contractor was affected by malware, resulting in compromise of all saved credentials.
  • On the 12th August, the Medibank credentials were tested against Medibank’s Exchange server, and on or around the 23rd August they were used to authenticate against Medibank’s Global Protect VPN. At this point in time, MFA was not required to log onto the VPN.

Inde Security assesses with high confidence that this malware was an information stealer like Redline, Raccoon or Vidar.

This is certainly not the only example of an incident originating from the use of corporate accounts on personal devices, where security standards are typically much more relaxed. In home settings, access may also be shared with other individuals who have lower security awareness. The two use cases are completely incompatible.
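The sync behaviour described in the court filing is what makes a work account on a personal device dangerous: once a profile is signed in, everything in the browser's password store follows it. The script below is an added example (not code from the original post or from Inde) that audits a Chromium-style password store for saved corporate credentials. Chromium-based browsers (Chrome, Edge, Brave) keep saved passwords in a SQLite file named 'Login Data' inside the profile directory, in a table called logins. The corporate domain list and the sample rows are assumptions made for this example, and password values are never decrypted: they are DPAPI/AES-GCM protected, and decrypting them is precisely what a stealer does, so the audit only reports that one is stored.

```python
"""Audit a Chromium-style 'Login Data' store for saved corporate credentials.

Added example, not code from the original post. The domain list and the
sample rows are assumptions for this example; password values are only
checked for presence, never decrypted.
"""
import sqlite3
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Assumption for this example: the organisation's identity and VPN domains.
CORPORATE_DOMAINS = {"example.com", "login.microsoftonline.com"}


def host_matches(url: str, domains: set[str]) -> bool:
    """True if the URL's host is one of `domains` or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_login_data(db_path: Path, domains: set[str] = CORPORATE_DOMAINS) -> list[dict]:
    """Return the saved logins whose origin is a corporate domain.

    Opens the store read-only. The browser must be closed, or the file copied
    first, because a running Chromium holds a lock on it.
    """
    uri = db_path.resolve().as_uri() + "?mode=ro"
    findings = []
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT origin_url, username_value, length(password_value) FROM logins"
        )
        for origin, username, pw_len in rows:
            if host_matches(origin, domains):
                findings.append({
                    "origin": origin,
                    "username": username,
                    "password_saved": bool(pw_len),  # presence only, never decrypted
                })
    finally:
        conn.close()
    return findings


def build_sample_login_data(directory: Path) -> Path:
    """Constructed stand-in for a real store, with only the columns the audit reads."""
    db_path = directory / "Login Data"
    conn = sqlite3.connect(db_path)
    try:
        conn.execute(
            "CREATE TABLE logins (origin_url TEXT NOT NULL, username_value TEXT, "
            "password_value BLOB, signon_realm TEXT NOT NULL)"
        )
        conn.executemany(
            "INSERT INTO logins VALUES (?, ?, ?, ?)",
            [
                # Constructed rows: a VPN portal, a cloud identity login and a game store.
                ("https://vpn.example.com/global-protect/login.esp", "svc.desk",
                 b"v10\x00opaque", "https://vpn.example.com/"),
                ("https://login.microsoftonline.com/", "svc.desk@example.com",
                 b"v10\x00opaque", "https://login.microsoftonline.com/"),
                ("https://store.steampowered.com/login/", "gamer42",
                 b"v10\x00opaque", "https://store.steampowered.com/"),
            ],
        )
        conn.commit()
    finally:
        conn.close()
    return db_path


def run_sample() -> list[dict]:
    """Build the constructed store in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_login_data(build_sample_login_data(Path(tmp)))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a real machine, point audit_login_data at the copied 'Login Data' file of each profile under the browser's User Data directory; any corporate hit on a personal device is a credential that is already one infostealer away from a VPN login like the one described above.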

Samples

Drawing upon the dozens of cases we’ve responded to where compromise originated on a personal device, stealer malware delivered under the guise of game cheats has frequently been identified as the root cause. Below we’ll look at a few examples, all taken from the top of the YouTube search results for common search terms, proving you do not need to venture far to land yourself in trouble.

"fortnite hack"

More than just a game, Fortnite is a cultural powerhouse that is dear to people of all ages. The first page of results for the search “fortnite hack” on YouTube presents thumbnails with vibrant colours, bold text and channels with upwards of 10k subscribers:

CS blog 4 - pic 1

Like many of the results, the first presents a tool called “Verus”, and describes it as “Best Fortnite Cheat”:

CS blog 4 - pic 2

Interestingly, another top result by another channel offers a different tool called “Collapse” – which is hosted on a different domain, but a near identical site:

CS blog 4 - pic 3

Analysis of Collapse found it to have slightly different archive contents, but it still shared the same C2 server as Verus. For the sake of avoiding duplication, we’ll just look at the Verus sample.

All sites found within this cluster are protected by Cloudflare, helping to fend off automated analysis by services like URLScan:

CS blog 4 - pic 4

Verus claims to offer cheats for multiple games, including Fortnite, Modern Warfare 3, and Counter Strike 2:

CS blog 4 - pic 5

Despite this offering, the page of each game contains the same basic content:

CS blog 4 - pic 6

They present a ZIP password (a red flag in itself) and a download link:

CS blog 4 - pic 7 - full

While Verus downloaded directly from the site, Collapse was downloaded from MediaFire. All archives have been in the region of 60MB in size.

As noted above, the archives are password protected:

CS blog 4 - pic 8

Contents of the ZIP appear plausible and what you could expect of a cheat tool:

CS blog 4 - pic 9

The “Configs” folder serves as an explanation for the size of the archive, with up.dll being 46MB:

CS blog 4 - pic 10

However, all of the DLL files are invalid and are entirely filled with a repeating word:

CS blog 4 - pic 11

The main EXE is signed, but the signature does not validate:

CS blog 4 - pic 12

Execution of the EXE commences the infection, checking in to the Lumma C2 server and exfiltrating credentials:

CS blog 4 - pic 13

The active C2 for this cluster of samples was colldycatle[.]cyou:

CS blog 4 - pic 14

"mw3 aimbot"

Another favourite of gamers is the Call of Duty series, with the most recent multiplayer title being Modern Warfare 3. Aimbots are a popular variety of cheat in shooter games: they automatically aim a player's weapon at other players, regardless of where those players are on the map. A search for “mw3 aimbot” on YouTube returns similar results to the Fortnite search: vivid colours, exciting gameplay captures, bold text, and equally bold claims such as “BEST MW3 WARZONE CHEAT”:

CS blog 4 - pic 15

Taking the third result, the video gets off to a great start with an instruction to completely disable Defender antivirus:

CS blog 4 - pic 16

This demonstration is for “Fusion Hacks” (or “FusionLoader”), which is again delivered in a password protected archive:

CS blog 4 - pic 17

The download is served off-site, from MediaFire:

CS blog 4 - pic 18

This extracts similar content to the previous sample, but instead bundles a complete Java Runtime Environment install to pad out the size of the archive:

CS blog 4 - pic 20

The FusionLoader executable is also found to have an invalid signature:

CS blog 4 - pic 21
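Both archives use the same trick to look substantial and to stay above the upload limits of many sandboxes: Verus pads its 'Configs' DLLs with a repeated word, FusionLoader ships a whole JRE. The script below is an added example (not code from the original post or from Inde) that performs the checks done by hand in the Verus and FusionLoader analyses above over the members of an extracted archive: does every file named .dll/.exe carry a real MZ/PE header, is a large file just one short string repeated, what is its entropy, and what share of the archive is filler rather than the binary that actually runs. The member names, sizes and the filler word 'FORTNITE' are constructed for the example; the post does not name the word the real DLLs repeat.

```python
"""Triage the members of an extracted cheat archive for padding and fake PE files.

Added example, not code from the original post. The sample archive built by
sample_archive() is constructed; run triage_directory() on a real extraction
inside a throwaway VM.
"""
import math
from collections import Counter
from pathlib import Path
from typing import Optional

MiB = 1024 * 1024


def has_valid_pe_header(data: bytes) -> bool:
    """Check the MZ magic, that e_lfanew points inside the file, and the PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: native code sits around 5.5-6.5, packed or encrypted data near 8, text filler well below 4."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeating_unit(data: bytes, max_period: int = 64) -> Optional[bytes]:
    """Return the shortest byte string that, repeated, reproduces the first 4 KiB; None if there is none."""
    sample = data[:4096]
    for period in range(1, max_period + 1):
        if len(sample) < 4 * period:
            break
        unit = sample[:period]
        if (unit * (len(sample) // period + 1))[:len(sample)] == sample:
            return unit
    return None


def triage_file(name: str, data: bytes) -> list[str]:
    """Return human-readable findings for one archive member (empty list means nothing odd)."""
    findings = []
    if name.lower().endswith((".dll", ".exe", ".sys")) and not has_valid_pe_header(data):
        findings.append("named as a PE file but has no valid MZ/PE header")
    unit = repeating_unit(data)
    if unit is not None and len(data) >= MiB:
        findings.append(f"{len(data) // MiB} MiB of the repeated string {unit!r}: size padding")
    entropy = shannon_entropy(data[:MiB])
    if len(data) >= MiB and entropy < 3.5:
        findings.append(f"entropy {entropy:.2f} bits/byte over the first MiB: not code")
    return findings


def triage_members(members: dict[str, bytes]) -> dict:
    """Triage every member and report what share of the archive's bytes is filler."""
    total = sum(len(d) for d in members.values())
    filler = 0
    report = {}
    for name, data in members.items():
        flagged = triage_file(name, data)
        if flagged:
            report[name] = flagged
            filler += len(data)
    return {"findings": report, "total_bytes": total,
            "filler_fraction": filler / total if total else 0.0}


def triage_directory(root: Path) -> dict:
    """Same checks over an archive already extracted to disk."""
    members = {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return triage_members(members)


def sample_archive() -> dict[str, bytes]:
    """Constructed stand-in for the extracted ZIP: a small well-formed PE and a 2 MiB padded 'DLL'."""
    header = b"MZ" + b"\x00" * (0x3C - 2) + (0x80).to_bytes(4, "little")
    header += b"\x00" * (0x80 - len(header)) + b"PE\x00\x00"
    fake_exe = header + bytes(range(256)) * 64        # valid header, high-entropy body
    padded_dll = b"FORTNITE" * (2 * MiB // 8)          # the repeating-word filler
    return {"Verus.exe": fake_exe, "Configs/up.dll": padded_dll,
            "Configs/settings.ini": b"[aim]\nfov=90\n"}


if __name__ == "__main__":
    result = triage_members(sample_archive())
    for name, why in result["findings"].items():
        print(name, "->", "; ".join(why))
    print(f"filler: {result['filler_fraction']:.0%} of {result['total_bytes']} bytes")
```

A JRE bundle passes all three checks because it is real code, which is why the filler fraction matters: an archive where the only thing that runs is a few hundred kilobytes of unsigned loader wrapped in tens of megabytes of something else deserves suspicion whatever that something else is. The signature check itself is best left to the platform (Get-AuthenticodeSignature in PowerShell, or signtool verify), which reports why the chain fails rather than just that it does.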

Running the executable checks into the Lumma C2 server and ships the credential package:

CS blog 4 - pic 22

The C2 server for this sample was ostracizez[.]sbs:

CS blog 4 - pic 23

Artifacts

Indicators of Compromise

Artifact                          | Type   | Value
----------------------------------|--------|-----------------------------------------------------------------
Verus Cheats site                 | Domain | veruscheats[.]site
Verus.exe                         | SHA256 | 1bd10e7dd9bafe7bdccf0a27e7c89610d1c9efcaef9a375318cd400dbfa2ac74
Verus.exe (unpacked)              | SHA256 | b7f8e6e05d26a30f7cec47ba9942bb3ba3cdb13352a79c98a0118a01eefce225
Collapse Launcher site            | Domain | collapselauncher[.]space
Collapse.exe                      | SHA256 | 3ee441207f0caf0556c40b68313886aa11ee3331d2ee1c4b2ea0087b68cbcd31
Collapse.exe (unpacked)           | SHA256 | 76e6c2e4ff7ae9a2ec02011dcba9866057437f052532d3caeddbf913398fe4cb
Lumma C2                          | Domain | snailyeductyi[.]sbs
Lumma C2                          | Domain | ferrycheatyk[.]sbs
Lumma C2                          | Domain | deepymouthi[.]sbs
Lumma C2                          | Domain | wrigglesight[.]sbs
Lumma C2                          | Domain | captaitwik[.]sbs
Lumma C2                          | Domain | sidercotay[.]sbs
Lumma C2                          | Domain | heroicmint[.]sbs
Lumma C2                          | Domain | monstourtu[.]sbs
Lumma C2                          | Domain | colldycatle[.]cyou
FusionLoader site                 | Domain | fusionhacks[.]pro
FusionLoader v2.1.exe             | SHA256 | e108e3c341322f281440ddfa10143a2481322815d6205c6c1d649c40a78bec30
FusionLoader v2.1.exe (unpacked)  | SHA256 | e65bd29e354db6f6a370733d1c53b0ed05f0c4bbff401962b9e642dc7a32087c
Lumma C2                          | Domain | offybirhtdi[.]sbs
Lumma C2                          | Domain | activedomest[.]sbs
Lumma C2                          | Domain | arenbootk[.]sbs
Lumma C2                          | Domain | mediavelk[.]sbs
Lumma C2                          | Domain | definitib[.]sbs
Lumma C2                          | Domain | elaboretib[.]sbs
Lumma C2                          | Domain | strikebripm[.]sbs
Lumma C2                          | Domain | ostracizez[.]sbs
Lumma C2                          | Domain | blowwyivot[.]cfd
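The indicators are only useful if they get checked against something. The script below is an added example (not code from the original post or from Inde) that sweeps DNS query logs for the delivery sites and Lumma C2 domains in the table above and names the clients that need isolating. The indicator list is the published one, refanged; the log format (one "timestamp client query-name type" line per query) and the log lines themselves are constructed for the example, and the cheap-TLD heuristic is an assumption drawn from the fact that every C2 in this cluster sits on .sbs, .cyou or .cfd.

```python
"""Sweep DNS query logs for the Lumma C2 domains and delivery sites from this post.

Added example, not code from the original post. The indicators are the ones in
the IOC table; the log format and SAMPLE_DNS_LOG are constructed. A real
deployment reads Zeek dns.log, Windows DNS client events or resolver logs
instead, which is only a change to LINE_RE.
"""
import re

LUMMA_C2_DEFANGED = [
    "snailyeductyi[.]sbs", "ferrycheatyk[.]sbs", "deepymouthi[.]sbs",
    "wrigglesight[.]sbs", "captaitwik[.]sbs", "sidercotay[.]sbs",
    "heroicmint[.]sbs", "monstourtu[.]sbs", "colldycatle[.]cyou",
    "offybirhtdi[.]sbs", "activedomest[.]sbs", "arenbootk[.]sbs",
    "mediavelk[.]sbs", "definitib[.]sbs", "elaboretib[.]sbs",
    "strikebripm[.]sbs", "ostracizez[.]sbs", "blowwyivot[.]cfd",
]
DELIVERY_SITES_DEFANGED = [
    "veruscheats[.]site", "collapselauncher[.]space", "fusionhacks[.]pro",
]


def refang(domain: str) -> str:
    """Turn 'example[.]sbs' back into a matchable lowercase FQDN."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


LUMMA_C2 = {refang(d) for d in LUMMA_C2_DEFANGED}
DELIVERY_SITES = {refang(d) for d in DELIVERY_SITES_DEFANGED}
# Assumed heuristic: every C2 in this cluster uses one of these TLDs. Weak on
# its own; worth a look when it comes from the same client as a delivery-site lookup.
SUSPECT_TLDS = {"sbs", "cyou", "cfd"}

# Constructed format: "<timestamp> <client> <query name> <query type>" per line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s*$")

# Constructed log lines for the example, not a real capture.
SAMPLE_DNS_LOG = """\
# ts client qname qtype
2024-10-20T19:02:11Z 10.1.1.23 store.steampowered.com A
2024-10-20T19:05:42Z 10.1.1.23 veruscheats.site A
2024-10-20T19:05:43Z 10.1.1.23 www.mediafire.com A
2024-10-20T19:07:08Z 10.1.1.23 snailyeductyi.sbs A
2024-10-20T19:07:09Z 10.1.1.23 ferrycheatyk.sbs A
2024-10-20T19:07:10Z 10.1.1.23 colldycatle.cyou A
2024-10-20T19:07:11Z 10.1.1.23 colldycatle.cyou A
2024-10-20T19:30:00Z 10.1.1.40 login.microsoftonline.com A
2024-10-20T19:31:15Z 10.1.1.40 randomshop.cfd A
"""


def matches_any(qname: str, domains: set[str]) -> bool:
    """Exact or subdomain match, so www.veruscheats.site still hits veruscheats.site."""
    return any(qname == d or qname.endswith("." + d) for d in domains)


def classify(qname: str):
    """Return a verdict for one query name, or None if it is uninteresting."""
    q = refang(qname)
    if matches_any(q, LUMMA_C2):
        return "lumma_c2"
    if matches_any(q, DELIVERY_SITES):
        return "delivery_site"
    if q.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        return "suspect_tld"
    return None


def scan_dns_log(text: str) -> list[dict]:
    """Parse each line and keep the ones with a verdict; malformed or comment lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict:
            hits.append({**m.groupdict(), "verdict": verdict})
    return hits


def summarise(hits: list[dict]) -> dict:
    """Count hits per verdict."""
    counts = {}
    for h in hits:
        counts[h["verdict"]] = counts.get(h["verdict"], 0) + 1
    return counts


def hosts_to_isolate(hits: list[dict]) -> list[str]:
    """Clients with at least one confirmed C2 lookup; treat every credential saved on them as stolen."""
    return sorted({h["client"] for h in hits if h["verdict"] == "lumma_c2"})


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for h in found:
        print(h["ts"], h["client"], h["qname"], "->", h["verdict"])
    print("summary:", summarise(found))
    print("isolate:", hosts_to_isolate(found))
```

Each of the two samples above carried nine C2 domains, so one client tends to produce a burst of lookups across several of them, as 10.1.1.23 does in the constructed log; a single confirmed hit is already enough to isolate the host and rotate every credential that was saved in its browsers. Lookups for a delivery site without a C2 hit are worth a conversation with the user before the archive gets run.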

Response

At Home
  • Microsoft Defender is perfectly adequate if properly configured. It will offer you better coverage than many paid products. The same principles as enterprise XDR apply, which include:
    • Enabling anti-tamper functionality.
    • Avoiding exclusions wherever possible, and defining exclusions as specifically as possible where a conflict between software and the security platform is identified. Never define broad exclusions, including those that apply to entire drives or profiles, file types, or system applications that could be abused as a LOLBIN.
  • Only download software from reputable sources, e.g., Steam, Epic Games Store, GOG, and Microsoft Store. Do not trust downloads linked to from social media.
  • Use a reputable password manager (e.g., 1Password or Proton Pass) and avoid saving passwords in browsers.
  • Configure phishing-resistant MFA solutions, such as Windows Hello or FIDO2 security keys. If a site doesn't support these, MFA is still better than no MFA.
  • Keep work functions and data off of personal devices.
At Work
  • Configure best practice Conditional Access policy. Shorten user sessions to minimise the length of time a token is viable for, and consider previewing Microsoft's Token Protection capability. Restrict app access for devices that are not enrolled.
  • Implement strict security boundaries within your Azure and Active Directory environments.
  • Manage your vendors and contractors:
    • Set account lifetime to the minimum required. You can always extend it.
    • Leverage Privileged Identity Management to assign roles and require approval as needed.
    • Do not permit direct connection to internal resources from unmanaged devices. Require the use of jumphosts that you control and/or a Privileged Access Management tool.

But, I Want To Cheat

If you really feel a strong need to cheat, perhaps take the opportunity to make a learning exercise out of it and learn to develop cheats yourself. The skills required are very transferable.

About the author

Chris Campbell

Chris was that notoriously disobedient kid who sat at the back of the class and always seemed bored, but somehow still managed to ace all of his exams. Obsessed with the finer details and mechanics of everything in both the physical and digital realms, Chris serves as the Principal Security Architect within the Inde Security Team. His ventures into computer security began at an early age and haven't slowed down since. After a decade spent across security and operations, and evenings spent diving into the depths of malware and operating systems, he brings a wealth of knowledge to Inde along with a uniquely adversary focused approach to defence. Like many others at Inde, Chris likes to unwind by hitting the bike trails or pretending to be a BBQ pitmaster. He is also heavily involved in the leadership of security events, trust groups and research projects.
