As part of our 2024 Cyber Smart Week blog series, our security team share their thoughts and analysis of stealer malware being distributed through YouTube...
A Reason to Play Fair
Online gaming has firmly established itself as a beloved pastime for current generations. With more people participating than ever before, games have become intensely competitive. This competition extends beyond professional streaming and e-sports, reaching leagues of average players who seek the approval of their peers and a personal sense of achievement.
Just as we see on sports fields (yes, outside, where the grass is), the relentless pursuit of victory can drive players to turn to ethically questionable methods to tilt the competition in their favour. While those in the know may turn to reputable cheat vendors, many others seek guidance from social media and streaming platforms like YouTube.
As mentioned in the previous post in the 2024 Cyber Smart Week series, all roads eventually lead to Lumma Stealer, and this journey is no different. Cheating can have severe consequences, far beyond being banned from your favourite game.
Preface: Medibank Breach
In late 2022, Australian private health insurer Medibank suffered a major data breach, involving the theft of nearly 520GB of data. As could be expected for such an organisation, this included highly confidential documents such as the intimate medical records of their customers. The threat actor, BlogXX (said to be a relaunch of REvil), contacted Medibank between the 19th and 22nd of October, threatening to publish the data if their ransom demand of US$10m was not met. Medibank took the firm stance of refusing to pay the ransom, and subsequently segments of the data were published to their data leak site between the 9th November and 1st December.
On January 23rd 2024, the Australian government announced sanctions against a Russian national, Aleksandr Gennadievich Ermakov (aka JimJones), for his role in the attack. In June, a court filing by the Australian Information Commissioner gave the public insight into how the intrusion occurred. Pages 2 and 3 describe the following:
- A Medibank contractor, who held the role of IT Service Desk Operator, had his username and password for Medibank systems saved in his internet browser on his work device. Because he signed into the same browser profile on his personal device, the Medibank credentials were synced across to that device too.
- The contractor held both a standard and an elevated account, and the elevated account had access to most (or all) of Medibank's systems.
- On or around 7th August 2022, the contractor's personal computer was infected with malware, resulting in the compromise of all saved credentials.
- On 12th August, the Medibank credentials were tested against Medibank's Exchange server, and on or around 23rd August they were used to authenticate to Medibank's GlobalProtect VPN. At that time, MFA was not required to log on to the VPN.
Inde Security assesses with high confidence that this malware was an information stealer like Redline, Raccoon or Vidar.
This is certainly not the only example of an incident originating from the use of corporate accounts on personal devices, where security standards are typically much more relaxed. In home settings, access may also be shared with other individuals who have lower security awareness. The two use cases are completely incompatible.
Samples
Drawing on the dozens of cases we have responded to where compromise originated on a personal device, stealer malware delivered under the guise of game cheats has frequently been identified as the root cause. Below we look at a few examples, all taken from the top of the YouTube search results for common search terms, showing that you do not need to venture far to land yourself in trouble.
"fortnite hack"
More than just a game, Fortnite is a cultural powerhouse with players of all ages. The first page of results for the search "fortnite hack" on YouTube is full of thumbnails with vibrant colours, bold text, and channels with upwards of 10k subscribers.
Like many of the results, the first presents a tool called "Verus" and describes it as the "Best Fortnite Cheat".
Interestingly, another top result from a different channel offers a different tool called "Collapse", hosted on a different domain but on a near-identical site.
Analysis of Collapse found slightly different archive contents, but it shared the same C2 server as Verus. To avoid duplication, we will only walk through the Verus sample.
All sites in this cluster sit behind Cloudflare, which helps fend off automated analysis by services like URLScan.
Verus claims to offer cheats for multiple games, including Fortnite, Modern Warfare 3 and Counter-Strike 2.
Despite this offering, the page for each game contains the same basic content: a ZIP password (a red flag in itself) and a download link.
While Verus is downloaded directly from the site, Collapse is served from MediaFire. All archives have been in the region of 60MB in size.
As noted above, the archives are password protected, which also keeps their contents away from any scanning in transit, since a mail or web gateway cannot inspect an encrypted archive.
The contents of the ZIP look plausible and are what you would expect of a cheat tool.
The "Configs" folder explains the size of the archive, with up.dll alone being 46MB.
However, none of the DLL files are valid; each is entirely filled with a repeating word. Padding files out like this is a common way of pushing a sample past the upload size limits of online sandboxes and cloud AV scanners while still looking like a real software package.
The main EXE is signed, but the signature is invalid, so it provides no assurance of where the file came from.
Executing the EXE starts the infection: it checks in to the Lumma C2 server and exfiltrates credentials.
The active C2 for this cluster of samples was colldycatle[.]cyou.
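The padding and invalid-DLL tells above are easy to check for before anything is executed. The script below is an added example for this write-up, not the tooling the analysts used: it walks every member of a ZIP, reports whether a file that claims to be a DLL/EXE actually starts with a PE header, and finds the shortest token that, repeated, reproduces the whole file. The sample archive (a loader with a real MZ header, a 5MB "up.dll" that is one word repeated, and a harmless config) is constructed inline so it runs offline; the names inside it are illustrative.

```python
"""Triage the members of a suspected cheat archive.

Added example for this write-up, not the original authors' tooling. It checks
for the two tells described above: files padded out with one repeating token to
inflate the archive, and "DLLs" that are not PE files at all. The sample archive
is constructed inline so the script runs offline.
"""
import math
import os
import tempfile
import zipfile
from collections import Counter
from typing import Optional

ENTROPY_SAMPLE = 1 << 20   # measure entropy on the first MiB; enough to tell padding from code
MIN_PADDING_SIZE = 4096    # tiny files are never padding, and a whole file is not a "repeat"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, close to 8.0 for packed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeating_unit(data: bytes, max_unit: int = 64) -> Optional[bytes]:
    """Return the shortest token that, repeated, reproduces the whole file, else None."""
    n = len(data)
    if n < MIN_PADDING_SIZE:
        return None
    head = data[:MIN_PADDING_SIZE]
    for size in range(1, max_unit + 1):
        unit = head[:size]
        if head != (unit * (len(head) // size + 1))[:len(head)]:
            continue
        reps, rem = divmod(n, size)           # only now pay for the full-file compare
        if data == unit * reps + unit[:rem]:
            return unit
    return None


def triage_member(name: str, data: bytes) -> dict:
    unit = repeating_unit(data)
    claims_pe = name.lower().endswith((".dll", ".exe", ".sys"))
    is_pe = data[:2] == b"MZ"
    notes = []
    if unit is not None:
        notes.append(f"{len(data)} bytes of {unit!r} repeated")
    if claims_pe and not is_pe:
        notes.append("not a PE file despite its extension")
    return {
        "name": name,
        "size": len(data),
        "entropy": round(shannon_entropy(data[:ENTROPY_SAMPLE]), 2),
        "is_pe": is_pe,
        "padding_unit": unit,
        "suspicious": bool(notes),
        "notes": notes,
    }


def triage_zip(path: str, password: Optional[bytes] = None) -> list:
    """Triage every file in a ZIP. `password` only handles legacy ZipCrypto; the
    AES archives produced by 7-Zip/WinRAR need a third-party module such as pyzipper."""
    results = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                results.append(triage_member(info.filename, zf.read(info, pwd=password)))
    return results


def build_sample_zip(directory: str) -> str:
    """Constructed stand-in for the cheat archive: a loader with a real MZ header
    and a random body, a 'DLL' that is one word repeated, and a harmless config."""
    path = os.path.join(directory, "VerusCheat.zip")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Verus/Verus.exe", b"MZ" + os.urandom(64 * 1024))
        zf.writestr("Verus/Configs/up.dll", b"CHEAT" * 1_000_000)   # 5 MB that deflates to almost nothing
        zf.writestr("Verus/Configs/config.ini", b"[settings]\naimbot=1\n")
    return path


def triage_sample() -> dict:
    """Build the sample archive in a temp dir and return results keyed by member name."""
    with tempfile.TemporaryDirectory() as tmp:
        return {r["name"]: r for r in triage_zip(build_sample_zip(tmp))}


if __name__ == "__main__":
    for r in triage_sample().values():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']:26} {r['size']:>9} B  H={r['entropy']:.2f}  {'; '.join(r['notes'])}")
```

Point `triage_zip()` at a real download to use it; a padded file shows up with a low entropy figure and a short padding unit, while a genuine loader has a high entropy body and no repeating unit. Note that a file which passes both checks is not thereby clean; this is a pre-detonation filter, not a verdict.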
"mw3 aimbot"
Another gamer favourite is the Call of Duty series, with the most recent multiplayer title being Modern Warfare 3. Aimbots are a popular type of cheat in shooter games that automatically point the player's weapon at other players, wherever they are on the map. A search for "mw3 aimbot" on YouTube returns results much like the Fortnite search: vivid colours, exciting gameplay captures, bold text, and equally bold claims such as "BEST MW3 WARZONE CHEAT".
Taking the third result, the video gets off to a great start by instructing the viewer to completely disable Defender antivirus.
This demonstration is for "Fusion Hacks" (or "FusionLoader"), which is again delivered in a password-protected archive.
The download is served off-site, from MediaFire.
It extracts to similar content as the previous sample, but instead pads the archive out by bundling a complete Java Runtime Environment install.
The FusionLoader executable also has an invalid signature.
Running the executable checks in to the Lumma C2 server and ships the credential package.
The C2 server for this sample was ostracizez[.]sbs.
Artifacts
Indicators of Compromise
| Artifact | Type | Value |
| --- | --- | --- |
| Verus Cheats site | Domain | |
| Verus.exe | SHA256 | |
| Verus.exe (unpacked) | SHA256 | b7f8e6e05d26a30f7cec47ba9942bb3ba3cdb13352a79c98a0118a01eefce225 |
| Collapse Launcher site | Domain | |
| Collapse.exe | SHA256 | |
| Collapse.exe (unpacked) | SHA256 | |
| Lumma C2 | Domain | colldycatle[.]cyou |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| FusionLoader site | Domain | |
| FusionLoader v2.1.exe | SHA256 | |
| FusionLoader v2.1.exe (unpacked) | SHA256 | |
| Lumma C2 | Domain | ostracizez[.]sbs |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
| Lumma C2 | Domain | |
Samples
- Verus: https://app.any.run/tasks/dc9701aa-7d41-45a1-8d70-6afd1b53dea9
- Collapse: https://app.any.run/tasks/9f875f2c-5d2a-4746-85bd-3326f74d4e3f
- FusionLoader: https://app.any.run/tasks/9d574dcb-5114-4785-b32f-93e3bb3265a0
Response
At Home
- Microsoft Defender is perfectly adequate if properly configured, and will offer you better coverage than many paid products. The same principles as enterprise XDR apply, which include:
  - Enabling tamper protection.
  - Avoiding exclusions wherever possible, and defining them as specifically as possible where a genuine conflict between software and the security platform is identified. Never define broad exclusions, including those that apply to entire drives or profiles, to file types, or to system applications that could be abused as a LOLBIN.
- Only download software from reputable sources, e.g., Steam, Epic Games Store, GOG and Microsoft Store. Do not trust downloads linked from social media.
- Use a reputable password manager (e.g., 1Password or Proton Pass) and avoid saving passwords in browsers.
- Configure phishing-resistant MFA, such as Windows Hello or FIDO2 security keys. If a site doesn't support these, any MFA is still better than no MFA.
- Keep work functions and data off personal devices.
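The exclusion advice above is easy to state and easy to drift away from, so it is worth auditing. The script below is an added example, not from the original post. It reads the JSON that an administrator exports on the Windows host with the real cmdlets `Get-MpPreference | Select-Object ExclusionPath,ExclusionExtension,ExclusionProcess | ConvertTo-Json` and flags the broad patterns the post warns about: whole drives, whole user profiles, executable file types, and process exclusions for LOLBINs. The export embedded here is constructed for illustration, and the LOLBIN and drop-location lists are this example's own starting point rather than an exhaustive catalogue.

```python
"""Audit Microsoft Defender exclusions for the broad patterns the post warns about.

Added example, not from the original post. Input is the JSON an administrator
exports on the Windows host with the real cmdlets:
  Get-MpPreference | Select-Object ExclusionPath,ExclusionExtension,ExclusionProcess | ConvertTo-Json
The export below is constructed for illustration; the LOLBIN and drop-location
lists are this example's own starting point, not an exhaustive catalogue.
"""
import json
import re
from typing import Optional

# File types a dropper can arrive as; excluding them leaves the payload itself unscanned.
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr", ".msi", ".lnk"}
# Signed Windows binaries routinely used to run attacker code. A process
# exclusion means files these binaries open are not scanned.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe",
           "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}

# Constructed export: what ConvertTo-Json produces on a badly configured gaming PC.
SAMPLE_EXPORT = r'''
{
  "ExclusionPath": [
    "C:\\",
    "C:\\Users\\gamer",
    "C:\\Users\\*\\AppData\\Local\\Temp",
    "C:\\Program Files\\VendorX\\scanner.exe",
    "D:\\Games\\Fortnite\\FortniteGame\\Binaries\\Win64\\FortniteClient-Win64-Shipping.exe"
  ],
  "ExclusionExtension": ["exe", "dll", "sav"],
  "ExclusionProcess": ["powershell.exe", "C:\\Windows\\System32\\rundll32.exe", "C:\\Program Files\\VendorX\\agent.exe"]
}
'''


def _as_list(value) -> list:
    """ConvertTo-Json emits null for no exclusions and a bare string for exactly one."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_path(raw: str) -> Optional[str]:
    p = raw.strip().lower().rstrip("\\")
    if p in ("*", "") or re.fullmatch(r"[a-z]:", p):
        return "entire drive excluded"
    if re.fullmatch(r"[a-z]:\\users(?:\\[^\\]+)?", p) or p in ("%userprofile%", "%userprofile%\\*"):
        return "entire user profile tree excluded"
    if p.startswith("%temp%") or re.search(r"\\(?:temp|tmp|downloads)(?:\\|$)", p):
        return "common drop location excluded"
    if p.endswith("\\*") or p.endswith("\\*.*"):
        return "directory-wide wildcard excludes everything beneath it"
    return None


def check_extension(raw: str) -> Optional[str]:
    ext = raw.strip().lower()
    if ext in ("*", ".*"):
        return "every file type excluded"
    ext = "." + ext.lstrip(".")
    if ext in RISKY_EXTENSIONS:
        return f"executable file type {ext} excluded; any dropper using it is unscanned"
    return None


def check_process(raw: str) -> Optional[str]:
    name = raw.strip().lower().rsplit("\\", 1)[-1]
    if name in ("*", "*.exe"):
        return "wildcard process exclusion covers every process"
    if name in LOLBINS:
        return f"{name} is a LOLBIN; files it opens are not scanned"
    return None


def audit(export_json: str) -> list:
    """Return one finding per broad exclusion, in export order."""
    prefs = json.loads(export_json)
    checks = (("path", "ExclusionPath", check_path),
              ("extension", "ExclusionExtension", check_extension),
              ("process", "ExclusionProcess", check_process))
    findings = []
    for kind, key, check in checks:
        for value in _as_list(prefs.get(key)):
            reason = check(value)
            if reason:
                findings.append({"kind": kind, "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"[{f['kind']:9}] {f['value']:<50} {f['reason']}")
```

On the constructed export the two vendor-specific entries (a single scanner binary and a single agent process) pass, and everything else is flagged; that is the shape a healthy exclusion list should have. Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents, and treat every finding as something to narrow to a single path or remove.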
At Work
- Configure best practice Conditional Access policies. Shorten user sessions to minimise how long a stolen token remains usable, and consider previewing Microsoft's Token Protection capability. Restrict app access from devices that are not enrolled.
- Implement strict security boundaries within your Azure and Active Directory environments.
- Manage your vendors and contractors:
  - Set account lifetime to the minimum required. You can always extend it.
  - Use Privileged Identity Management to assign roles and require approval as needed.
  - Do not permit direct connection to internal resources from unmanaged devices. Require the use of jump hosts that you control and/or a Privileged Access Management tool.