Microsoft warns of malware campaign with gaming tools
Microsoft warns of a campaign on chat platforms where attackers slip malware to victims as supposed gaming tools.
(Image: Pixels Hunter/Shutterstock.com)
Microsoft is warning of a campaign that promises gaming tools in the browser and on chat platforms but delivers malware. If victims execute the malicious software, it installs a Remote Access Trojan (RAT) that gives attackers full access to the computer.
This was reported by Microsoft's Threat Intelligence team on Bluesky, among others. It involves “trojanized” gaming tools. Specifically, Microsoft names the executable files “RobloxPlayerBeta.exe” and “xeno.exe”. The former file bears the name of a legitimate Roblox executable, while the latter is said to be an “executer” used to optimize and “improve” Roblox games.
Downloaders and Malware Instead of Gaming Tools
Microsoft does not clearly state whether the alleged gaming tools also provide the expected functions to disguise their malicious intent or exclusively initiate the infection process. After the file is started, the malware downloads a portable Java runtime environment and uses it to start a malicious Java archive (.jar) named “jd-gui.jar.” The downloader relies on PowerShell commands and Living-off-the-Land binaries (LOLBins), i.e., commands that Windows already includes by default. One example is “cmstp.exe,” which is used to install profiles in the Connection Manager service: the command can be passed .inf files that in turn contain malicious commands and load and execute DLLs from remote servers. Because cmstp.exe is a legitimate Microsoft file, this may bypass security measures.
The malware also attempts to evade detection by deleting the initial downloader and adding exceptions for the RAT components to the Windows Defender settings. Persistence is also part of the malware's repertoire: it adds a scheduled task and a startup script named “world.vbs.” The end result is an anchored multipurpose malware that functions as a loader, launcher, downloader, and RAT. Microsoft names the IP address of the command-and-control server as 79.110.49[.]15, but this can change. From there, attackers can trigger various actions, such as data theft or the installation of further malware.
Microsoft recommends monitoring outgoing connections to the IP address and setting up alerts for downloads of java.zip or jd-gui.jar from non-company resources. Admins should also look out for the associated processes and components. IT managers should check the exceptions in Windows Defender and the scheduled tasks for random names and remove malicious tasks and startup scripts. Affected devices should be isolated and the credentials of users on the compromised machine reset. Microsoft additionally lists hash values of suspicious files and connections to powercat[.]dog on port 443 as Indicators of Compromise (IOC).
Cybercriminals permanently have gamers in their sights. As early as last year, perpetrators tried to lure victims on Discord servers with supposed beta tests for games. However, the executable files only installed info-stealers.
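A host triage script along the lines of these recommendations, added here as an example and not part of Microsoft's advisory or the article: it assumes an elevated PowerShell 5.1 or later session on Windows 10/11, uses only the file names and the C2 address quoted above, and the pattern it uses to flag "random" task names is a heuristic of my own, not Microsoft's.

```powershell
# Added triage example; not Microsoft's or heise's code. Assumes an elevated PowerShell 5.1+ session.
# IOCs are the ones quoted in the article; the "random name" regex is my own heuristic, not from the advisory.
$C2Ip     = '79.110.49.15'                       # quoted defanged in the article as 79.110.49[.]15
$BadNames = @('jd-gui.jar', 'java.zip', 'world.vbs', 'xeno.exe')
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Live outbound connections to the reported command-and-control address
Get-NetTCPConnection -ErrorAction SilentlyContinue |
  Where-Object { $_.RemoteAddress -eq $C2Ip } |
  ForEach-Object { $Findings.Add("C2 connection: PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)") }

# 2. Defender exclusions: the malware adds exceptions for its RAT components, so every entry deserves review
$Pref = Get-MpPreference
foreach ($ex in @($Pref.ExclusionPath) + @($Pref.ExclusionProcess) + @($Pref.ExclusionExtension)) {
  if ($ex) { $Findings.Add("Defender exclusion: $ex") }
}

# 3. Scheduled tasks: opaque alphanumeric names, actions touching the IOC files,
#    or cmstp.exe being handed an .inf profile (the LOLBin technique described above)
$RandomName = '^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{10,}$'   # heuristic only; confirm hits manually
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
  $cmd = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
  $hit = ($BadNames | Where-Object { $cmd -like "*$_*" }) -or
         ($cmd -match '(?i)cmstp\.exe.*\.inf') -or
         ($t.TaskName -match $RandomName)
  if ($hit) { $Findings.Add("Scheduled task: $($t.TaskPath)$($t.TaskName) => $cmd") }
}

# 4. Startup folders and Run keys referencing the startup script or other IOC files
$StartupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($d in $StartupDirs) {
  Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
    Where-Object { $BadNames -contains $_.Name } |
    ForEach-Object { $Findings.Add("Startup item: $($_.FullName)") }
}
foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
  $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
  if (-not $props) { continue }
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }      # skip PSPath/PSParentPath provider metadata
    if ($BadNames | Where-Object { "$($p.Value)" -like "*$_*" }) {
      $Findings.Add("Run key: $k\$($p.Name) = $($p.Value)")
    }
  }
}

if ($Findings.Count) { $Findings } else { 'No indicators from this campaign found on this host.' }
```

Hits on the Defender exclusion and random-name checks are leads to review, not proof of compromise; a confirmed hit is the point at which the article's isolate-and-reset-credentials steps apply.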
(dmk)