Full Report
Kaspersky GReAT experts have discovered a new campaign distributing the XMRig cryptominer through popular games such as BeamNG.drive and Dyson Sphere Program on torrent trackers.
Analysis Summary
# Tool/Technique: XMRig Cryptominer delivered via StaryDobry Campaign
## Overview
This entry summarizes a mass infection campaign launched on December 31, 2024, that distributed the **XMRig cryptominer** hidden within trojanized versions of popular games spread via torrent sites. The campaign, detected by Kaspersky and tracked as **Trojan.Win64.StaryDobry** variants, aimed to exploit reduced user vigilance during the New Year holiday.
## Technical Details
- Type: Malware (Cryptominer delivered via Trojan Dropper/Installer)
- Platform: Windows (Inferred from installer details: Windows 32-bit GUI executable)
- Capabilities: Initial installation via Inno Setup wrapper, environment checks (anti-debug/sandbox evasion), user fingerprinting, IP address collection, C2 communication, and deployment of a hidden cryptomining implant.
- First Seen: December 31, 2024
## MITRE ATT&CK Mapping
The analysis describes several stages which map to the following general techniques:
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (Distribution via torrents of trojanized software)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Decryption of DLLs, packed execution)
  - T1562 - Impair Defenses
    - T1562.001 - Disable or Modify Tools (Implied by anti-sandbox checks)
- **TA0004 - Privilege Escalation** (Potentially via installer mechanisms)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (HTTP used for C2 interaction/fingerprinting)
*(Note: Specific T-numbers for advanced extraction and process manipulation were not listed but are implied by the execution chain.)*
## Functionality
### Core Capabilities
- **Distribution:** Spreading through trojanized high-demand games (e.g., *BeamNG.drive*, *Garry’s Mod*) distributed on torrent trackers.
- **Installer Mechanism:** Uses an Inno Setup created GUI executable installer that presents legitimate installation options.
- **Malicious Payload Extraction:** Decrypts and extracts necessary components (`unrar.dll`) using an AES key (`cls-precompx.dll`).
- **System Fingerprinting:** Collects machine details (MAC, machine ID, username, OS, memory, processor count, video details) and game ID into a Base64 encoded string.
- **Persistence/Dropping:** Creates two files in `%SystemRoot%` using a hash derived from the MachineGUID: `%hash%.dat` and `%hash%.efi`.
### Advanced Features
- **Anti-Analysis/Evasion:** Performs checks for debugging environments (debuggers, sandboxes) by searching for specific modules in processes, registry keys, and file systems, terminating execution if detected.
- **Geolocation Check:** Attempts to determine the user's country by querying multiple IP lookup services. If detection fails, it defaults to country codes `CN` or `BY` (China or Belarus).
- **C2 Communication for Fingerprint:** Sends collected machine and infection metadata to `hxxps://pinokino[.]fun/donate_button/` endpoint, using `DST_1448` as a game variant identifier and the determined country code in the payload.
## Indicators of Compromise
- File Hashes: (Not provided in article)
- File Names: `%hash%.dat`, `%hash%.efi` (where `%hash%` is 10 characters derived from SHA256(MachineGUID))
- Registry Keys: `HKLM\Software\Microsoft\Cryptography` (for MachineGUID access)
- Network Indicators (IP lookup services queried during the geolocation check):
  - `api.myip[.]com`
  - `ip-api[.]co`
  - `ipapi[.]co`
  - `freeipapi[.]com`
  - `ipwho[.]is`
  - `api.miip[.]my`
- Command & Control: `pinokino[.]fun` (defanged)
- Behavioral Indicators: Use of `regsvr32.exe` to register `unrar.dll`; creation of files in `%SystemRoot%` using GUID-derived hashes.
## Associated Threat Actors
- Currently unidentified actor, noted as targeting individuals and businesses globally, including Russia, Brazil, Germany, Belarus, and Kazakhstan.
- Kaspersky detection names: **Trojan.Win64.StaryDobry.\***, **Trojan-Dropper.Win64.StaryDobry.\***, **HEUR:Trojan.Win64.StaryDobry.gen**.
## Detection Methods
- Signature-based detection: Kaspersky products identify the threat using the naming conventions listed above.
- Behavioral detection: Monitoring for the execution chain involving Inno Setup installers, runtime decryption of DLLs, anti-analysis checks, and anomalous network connections to IP lookup services or the known C2 server.
- YARA rules: (Not provided in article)
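The following hunting helper is an added example (not code from the Kaspersky report) that turns the file-name and network indicators above into checks a responder can run. It assumes that the 10-character `%hash%` is the first ten hex characters of SHA256 over the MachineGUID string (the page only says it is derived from SHA256(MachineGUID)), and the sample log lines are constructed.

```python
import hashlib
import os
import re
from typing import List, Optional, Tuple

HASH_LEN = 10  # assumption: first 10 hex chars of the SHA256 hex digest

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'pinokino[.]fun' back into a matchable domain."""
    return indicator.replace("[.]", ".")

# Indicators copied from the report (kept defanged in source, refanged at runtime).
LOOKUP_SERVICES = {refang(d) for d in ["api.myip[.]com", "ip-api[.]co", "ipapi[.]co",
                                       "freeipapi[.]com", "ipwho[.]is", "api.miip[.]my"]}
C2_DOMAIN = refang("pinokino[.]fun")

def expected_marker_names(machine_guid: str) -> Tuple[str, str]:
    """Return the (%hash%.dat, %hash%.efi) names the dropper would create for this GUID."""
    prefix = hashlib.sha256(machine_guid.encode("utf-8")).hexdigest()[:HASH_LEN]
    return f"{prefix}.dat", f"{prefix}.efi"

def find_marker_files(system_root: str, machine_guid: str) -> List[str]:
    """Paths under system_root that match the GUID-derived names (empty on a clean host)."""
    candidates = [os.path.join(system_root, n) for n in expected_marker_names(machine_guid)]
    return [p for p in candidates if os.path.isfile(p)]

def read_machine_guid() -> Optional[str]:
    """Read HKLM\\Software\\Microsoft\\Cryptography\\MachineGuid; None off Windows."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography") as key:
        return winreg.QueryValueEx(key, "MachineGuid")[0]

DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)

def flag_network_indicators(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, domain, severity) for lines naming the C2 or an IP lookup service."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for dom in DOMAIN_RE.findall(line):
            d = dom.lower()
            if d == C2_DOMAIN or d.endswith("." + C2_DOMAIN):
                hits.append((n, d, "high"))   # known C2: treat as confirmed
            elif d in LOOKUP_SERVICES:
                hits.append((n, d, "low"))    # legitimate service; only suspicious in context
    return hits

# Constructed sample DNS log lines, not taken from the report.
SAMPLE_LOG = ["2024-12-31T10:01:02 query A api.myip.com from 10.0.0.5",
              "2024-12-31T10:01:03 query A pinokino.fun from 10.0.0.5",
              "2024-12-31T10:01:04 query A example.org from 10.0.0.7"]
```

On a Windows host, pass `read_machine_guid()` and `os.environ["SystemRoot"]` to `find_marker_files`; the lookup-service hits are noise on their own and only matter alongside the file or C2 indicators.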
## Mitigation Strategies
- **Prevention:** Exercise extreme caution when downloading software, particularly "repacks" or cracked games, from unofficial torrent sources.
- **Hardening:** Ensure security products are updated to detect the known detection signatures (StaryDobry variants). Implement application control to restrict execution from temporary directories or non-standard locations.
## Related Tools/Techniques
- The final payload is an **XMRig cryptominer** (commonly used for Monero mining).
- The use of an Inno Setup wrapper for malicious payload delivery is a common technique among commodity malware distributors.