Call of Duty cheats turned out to be RAT malware and dropper, threat actor posted in a hacking forum

Continue reading
Call of Duty: Warzone cheat programs were disguised by remote-access trojan (RAT) malware, according to a warning issued by Activision. Threat actors are targeting popular cheating sites to circulate the masqueraded cheats across the users. While this "newbie-friendly" strategy that explicitly shows how to circulate this malware through convincing it to be a video game cheat to the users of Call of Duty: Warzone was posted in a hacking forum back in March for the first time, as per the Activision warning.
*“It is common practice when configuring a cheat program to run it with the highest system privileges, ”* Activision reported.
*“Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code-signing, etc.”*
Now for those who are not familiar with the team, 'cheats' are a program that creates interference with the in-game activities or players' interactions that leads to additional advantages that may seem to be unfair to their opponents. However, they are often banned from being utilized by the official creators of the game.

“COD-Dropper v0.1.” is the name of the malware that the researchers eventually identified.
*“Instead of malicious actors putting in hours of work creating complicated mitigation bypasses or leveraging existing exploits – they can instead work to create convincing cheat advertisements, which is priced competitively, could potentially get some attention,"* Activision’s report added.
*“In December 2020, the dropper was also included in a ‘black hat’ tutorial aimed at ‘noobies’ looking to make some easy money.”*
Moreover, the Activision report also pinpoints that cheat forums filter out any malicious activities, which means the threat actors might have maintained a low profile to keep from getting booted.
*“This advertisement did not appear to be particularly clever or take much effort, but still had people replying, asking if anyone had tried it before being removed a day later, ”* the report said.
Additionally, the threat actor behind injecting this malware posted the entire malware file to set up the attack, which gained over 10,000 views and 260 replies. Besides, it was later followed up by further instruction in the post's comment along with a video tutorial link that redirects to a YouTube video that has over 5,000 views.
*“In likely a further attempt to scam people, the description also offered a private version of the cheat for a $10 BTC payment, ”* the report added.

Here these comments indicate that the members of the hacking forum did try out and download the tool.
Following YouTube video pushing, the same malware showed up last August, with a direct link to infect the user, which had received 376 views, Activision added.
Activision also illustrated that manipulating the game players into downloading the software wasn't a heavy lift.
*“While this method is rather simplistic, it is ultimately a social-engineering technique that leverages the willingness of its target (players that want to cheat) to voluntarily lower their security protections and ignore warnings about running potentially malicious software, ”* Activision added.
While it is a RAT that allows the threat actors to gain full access to the victim's device but it is also a dropper that can be customizable in installing other malicious code on the victim's device, as the observed dropper in this attack is a .NET app that implores the target to agree in allowing the bug admin privilege post successful downloading.
*“Once the payload has been saved to disk, the application creates a VBScript named ‘CheatEngine.VBS,'”* according to the report.
*“It then starts the ‘CheatEngine.exe’ process and deletes the ‘CheatEngine.exe’ executable. The creator/generator is a .NET executable that contains the dropper .NET executable as a resource object.”*
If the victim clicks on “:: Build::, the application inspects the ‘COD_bin’ object with the ‘dnlib’ .NET assembly library, it replaces the URL placeholder named ‘[[URL]]’ with the provided URL and saves the ‘COD_bin’ resource under a new filename, ” according to the analysis.
“The video gaming industry is a popular target for various threat actors, ” Activision said. *“Players, as well as studios and publishers themselves, are at risk for both opportunistic and targeted cyberattacks – tactics range from leveraging fake APKs of popular mobile games to compromising accounts for resale. Even [advanced persistent threat] actors have been known to target the video-gaming industry.”*
The Call of Duty: Warzone incident surfaced on the same day that the Talos security team of Cisco published a new malware campaign targeting gamers who use cheats.
These malicious cheats were previously utilized by unknown cryptor tools that deterred antivirus programs from detecting the payload. Talos didn’t identify the game titles that were targeted.