A Russian hacker with a knack for modifying popular video games implanted a stealth cryptominer in his creations, including a mod of Grand Theft Auto (GTA) that was recently found on a Russian-speaking forum, available for download.
The malware, known as WaterMiner, is also a mod – in this case, an altered version of a legit open-source miner known as XMRig, according to a Tuesday blog post from Minerva researchers, who shared their findings in advance with SC Media.
Omri Moyal, co-founder and vice president of research at Minerva Labs, said in an interview that the author of the GTA mod and the WaterMiner variant of XMRig are most likely same – a man with the alias "Martin Opc0d3r." Moyal said Opc0d3r left behind certain "breadcrumbs" in his coding that strongly suggest that he's responsible for both mods, noting that the underlying skills needed to crack a video game are "not much different" than required to author malware.
By embedding his cryptominer within modified video games, Opc0d3r is essentially sapping gamers of their computer processing power, using those stolen resources to secretly mine Monero cryptocurrency on the hacker's behalf.
To avoid possible detection, the XMRig was purposefully modified to watch out for any open windows running Windows Task Manager or similar utilities apps that help users determine which active programs are slowing down their machines. When such an app is opened, the mining activity immediately stops. Previous campaigns by the same actor employed malware variants that detected task monitoring apps in a different fashion – by inspecting a machine's running process list.
"It shows the advancement of cryptominers and how they might be used in the future," said Moyal.
According to Moyal, the malicious Grand Theft Auto mod, distributed under the name "Arbuz," specifically capitalizes on a large demand for modified GTA games in Russia. "There's a competitive market, and people want to download the mods so they can beat their opponents," said Moyal. (Arbuz, for what's it's worth, is Russian for "watermelon," from which WaterMiner derives its name.)
The downloadable GTA mod was found hosted as an RAR archive file on Russian cloud service Yandex.Disk. This archive contained a downloader file called “pawncc.exe," which triggers an infection chain that ultimately downloads WaterMiner to a temp folder and executes the payload, Minerva explains in its research. Further examination of this downloaded led researchers to a Pastebin site feature an earlier version that included author comments detailing the mining functionality.
Once activated, the WaterMiner uses TCP port 45560 to communicate with a mining pool that combines the infected system's computational resources with those from other miners, distributing out Monero rewards accordingly.
Minerva researchers noted that Martin Opc0d3r has apparently tried to infect users of his modified games with various versions of malware programs, including a different miner called NiceHash. The researchers also believe that Opc0d3r may go by the name Anton, after observing that one of his mods was being offered on the Russian social network VK by an individual with that name.
