Hackers Disguise New Trojan as Game Cheat

A new modular, JavaScript-based Trojan has been found disguised as game cheats and distributed to victims through websites owned and operated by its developers. The new Trojan, called MonsterInstall, uses Node.js to run on users' systems. When a user attempts to download a cheat, they receive a zip archive containing an executable file that, once opened, downloads the requested cheats alongside the Trojan's components. After it launches, MonsterInstall gains persistence by adding itself to the computer's autorun, so that it starts automatically whenever the infected system is rebooted. MonsterInstall begins collecting system information and sends it back to its command and control (C&C) server. MonsterInstall also downloads a crypto miner to the victim's system that mines TurtleCoin and sends it back to the C&C.

Gamers have been, and will continue to be, targeted by attackers for a multitude of reasons. Gamers traditionally have advanced machines with a large amount of processing power, which makes them an opportune target for crypto mining attacks.

Analyst Notes

If a user downloads a cheat to their system, the downloaded file should be run through an anti-virus system that can detect and defend against these types of files.