Activision, the company behind the Call of Duty: Warzone and Guitar Hero series, is warning gamers that a threat actor is advertising cheat tools that deliver a remote-access trojan (RAT).
The company reported that in March 2020 a threat actor posted on multiple hacking forums advertising a free, “newbie friendly” and effective method for spreading a RAT by tricking victims into disabling their protections in order to install a video game cheat.
“It is common practice when configuring a cheat program to run it with the highest system privileges. Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code signing, etc.” reads the report published by Activision.
The ads published by the actor received ten thousand views, and the actor also shared a file needed to set up the fake cheat used to distribute the malware, tracked by the experts as “COD-Dropper v0.1”.
In December 2020, the threat actor included the dropper in a tutorial aimed at ‘noobies’ looking to make some easy money.
On March 1st, the threat actor published a YouTube video advertising the COD Warzone 2020 cheat as “undetected” and providing detailed instructions on how to use it.
The comments on the video show that people tried the cheat tool.
Once the malware is installed, the attackers have full access to the victim’s system and can use it to drop additional payloads. The attacks observed by Activision used a .NET dropper that, once downloaded, asks the victim to grant admin privileges to install the malicious cheat tool.
“Once the payload has been saved to disk, the application creates a VBScript named ‘CheatEngine.vbs’. It then starts the ‘CheatEngine.exe’ process and deletes the ‘CheatEngine.exe’ executable. The creator/generator is a .NET executable that contains the dropper .NET executable as a resource object.” continues the report.
Upon clicking on ‘:: Build ::’, the generator inspects the ‘COD_bin’ resource object with the ‘dnlib’ .NET assembly library, replaces the URL placeholder named ‘[[URL]]’ with the provided URL that points to the malicious payload, and saves the ‘COD_bin’ resource under a new filename.
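As an added triage illustration that is not part of the Activision report or this article: a small Python helper that searches a file for the strings the report names (‘[[URL]]’, ‘COD_bin’, ‘CheatEngine.vbs’, ‘CheatEngine.exe’) in both the ASCII and UTF-16LE encodings a .NET binary uses, pulls out any embedded URL, and tells an unbuilt generator (placeholder still present) apart from a built dropper (placeholder replaced). The two sample buffers are constructed stand-ins, not real samples.

```python
import re

# Indicator strings taken from the Activision report as quoted in the article.
INDICATORS = ("[[URL]]", "CheatEngine.vbs", "CheatEngine.exe", "COD_bin")
URL_RE = re.compile(r"https?://[\x21-\x7e]{4,200}")


def _views(data: bytes):
    """Yield (encoding, text) views of a buffer.

    .NET keeps C# string literals as UTF-16LE in the #US heap and resource or
    member names as ASCII in the #Strings heap, so both must be checked. The
    UTF-16LE decode is tried at both byte offsets because a string may begin
    at an odd address.
    """
    yield "ascii", data.decode("latin-1")
    for off in (0, 1):
        chunk = data[off:]
        chunk = chunk[: len(chunk) - (len(chunk) % 2)]
        yield "utf-16le", chunk.decode("utf-16-le", errors="replace")


def scan_sample(data: bytes) -> dict:
    """Return matched indicators, extracted URLs and a verdict for one file."""
    hits, urls = {}, set()
    for enc, text in _views(data):
        for ind in INDICATORS:
            if ind in text:
                encs = hits.setdefault(ind, [])
                if enc not in encs:
                    encs.append(enc)
        urls.update(URL_RE.findall(text))
    if "[[URL]]" in hits and "COD_bin" in hits:
        verdict = "generator (unbuilt, placeholder still present)"
    elif "CheatEngine.vbs" in hits and "[[URL]]" not in hits and urls:
        verdict = "built dropper (placeholder replaced with payload URL)"
    elif hits:
        verdict = "partial match, review manually"
    else:
        verdict = "no indicator"
    return {"indicators": hits, "urls": sorted(urls), "verdict": verdict}


# Constructed stand-ins for the two artefacts; real samples would be PE files.
GENERATOR_SAMPLE = b"\x00" * 3 + b"COD_bin" + b"\x00" * 5 + "[[URL]]".encode("utf-16-le")
DROPPER_SAMPLE = (b"MZ" + b"\x00" * 7 + "CheatEngine.vbs".encode("utf-16-le")
                  + b"\x00" * 2 + "http://payload.example.invalid/x.exe".encode("utf-16-le"))

if __name__ == "__main__":
    for name, blob in (("generator", GENERATOR_SAMPLE), ("dropper", DROPPER_SAMPLE)):
        print(name, scan_sample(blob))
```

Feed `scan_sample` the raw bytes of a quarantined file; a “partial match” verdict is a prompt for manual review, not a clean bill of health.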
“When it comes down to it, the dependencies for a “genuine” cheat to work are the same as those needed by most malware tools to successfully execute. System protections need to be bypassed or disabled, and privileges need to be escalated to allow the program to run correctly and/or establish persistence.” concludes the report, which also includes IoCs. “While this method is rather simplistic, it is ultimately a social engineering technique that leverages the willingness of its target (players that want to cheat) to voluntarily lower their security protections and ignore warnings about running potentially malicious software.”
(SecurityAffairs – hacking, Call of Duty cheat tool)