Full Report
A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program. [...]
Analysis Summary
# Tool/Technique: StaryDobry Infection Chain
## Overview
The StaryDobry campaign is a multi-stage infection chain whose final payload is a cryptominer (a modified XMRig). The attackers distribute trojanized installers of popular games, such as cracked builds of Garry's Mod and BeamNG.drive, through torrent sites. The goal is to hijack powerful gaming machines for Monero mining on behalf of the threat actors; the game itself is installed so the victim notices nothing.
## Technical Details
- Type: Malware Campaign / Dropper / Loader / Cryptominer
- Platform: Windows
- Capabilities: Evasion (anti-VM/sandbox/debugger), Persistence via registry and scheduled tasks, Cryptomining (Monero).
- First Seen: Not stated in the context; the campaign is described in a recent Kaspersky analysis.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - No exact technique covers pirated software; the closest fit is T1195.002 - Compromise Software Supply Chain (trojanized installers served from torrent sites). This is not T1190 (Exploit Public-Facing Application): no server-side exploitation is involved.
- TA0002 - Execution
  - T1204.002 - User Execution: Malicious File (the victim runs the trojanized installer)
- TA0003 - Persistence
  - T1547.001 - Registry Run Keys / Startup Folder
  - T1053.005 - Scheduled Task
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (packed/encrypted components unpacked at runtime)
  - T1497 - Virtualization/Sandbox Evasion
  - T1218.010 - System Binary Proxy Execution: Regsvr32 (dropper DLL run through `regsvr32.exe`)
- TA0007 - Discovery
  - T1082 - System Information Discovery (OS version, CPU, RAM, GPU)
- TA0011 - Command and Control
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S implied by the C2 domain)
## Functionality
### Core Capabilities
- **Initial Delivery:** Utilizing torrent sites to spread trojanized game installers containing the initial malicious payload.
- **Dropper Execution:** Unpacking and launching a malware dropper (`unrar.dll`).
- **System Information Gathering:** Collecting detailed hardware and environment information (OS, CPU, RAM, GPU).
### Advanced Features
- **Evasion:** Checks for virtual machines, sandboxes, and debuggers and terminates if any is detected. After infection, the miner is also shut down if security monitoring tools are found running.
- **Persistence Mechanism:** The dropper DLL is executed through `regsvr32.exe`; persistence is established via the registry and a Scheduled Task.
- **Loading:** Deploys a second-stage loader (`MTX64.exe`) disguised as a legitimate Windows system file using resource spoofing.
- **Cryptomining:** Downloads and executes a modified XMRig miner contingent on the host having at least eight CPU cores.
- **Private mining infrastructure:** The XMRig miner connects to private mining servers rather than public pools, which makes tracing the operators' revenue significantly harder.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: `unrar.dll` (Dropper), `MTX64.exe` (Loader)
- Registry Keys: Persistence is set up via `regsvr32.exe` (specific keys are not detailed in the context; autorun locations are implied).
- Network Indicators: C2 server: `pinokino[.]fun`
- Behavioral Indicators: Execution following installation of cracked games downloaded from torrent sites; termination upon detection of security tools; `regsvr32.exe` registering a DLL from a non-system path; sustained CPU load from an unknown process on high-core systems (>= 8 cores), consistent with Monero mining.
## Associated Threat Actors
- Unknown, but attributed to a Russian-speaking actor. The campaign is described as a "one-shot campaign" by Kaspersky analysis.
## Detection Methods
- Signature-based detection: Vendor signatures and hash matches for `unrar.dll` and `MTX64.exe` (hashes are not reproduced in this summary).
- Behavioral detection: Monitoring for process chains that start at a game installer, `regsvr32.exe` registering a DLL from a user-writable path, scheduled-task creation from an unexpected parent, DNS resolution of the known C2 domain, and heavy, sustained CPU load by unknown processes.
- YARA rules: Rules targeting the unique configuration method of the modified XMRig binary.
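The behavioral indicators and the behavioral detection bullets above can be turned into concrete hunting logic. The following is an added example written for this page, not Kaspersky's tooling or anything from the campaign: it runs four heuristics over constructed Sysmon-style events (process creation, DNS query, and a synthetic CPU-sample record). The event field names, the file paths, the task name `UpdateTask`, and the CPU threshold/sample count are assumptions for illustration; only the file names `unrar.dll`, `MTX64.exe` and the domain `pinokino[.]fun` come from the report.

```python
"""Behavioral hunting heuristics for the StaryDobry chain (added example).

Events are simplified Sysmon-style dicts: id 1 = process create,
id 22 = DNS query, id 99 = constructed per-process CPU samples.
All telemetry below is constructed for the example, not real logs.
"""
import re

# Constructed sample telemetry. The process chain installer -> regsvr32 ->
# schtasks mirrors the report; paths and the task name are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "image": r"C:\Users\u\Downloads\GarrysMod_Setup.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "GarrysMod_Setup.exe"},
    {"id": 1, "pid": 101, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Users\u\Downloads\GarrysMod_Setup.exe",
     "cmd": r'regsvr32.exe /s "C:\Users\u\AppData\Local\Temp\unrar.dll"'},
    {"id": 1, "pid": 102, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'schtasks /create /tn "UpdateTask" /tr "C:\Windows\MTX64.exe" /sc onlogon'},
    {"id": 22, "pid": 103, "image": r"C:\Windows\MTX64.exe", "query": "pinokino.fun"},
    # Benign control: a vendor installer registering its own DLL via msiexec.
    {"id": 1, "pid": 200, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"id": 99, "pid": 103, "image": r"C:\Windows\MTX64.exe",
     "cpu_pct": [92, 95, 97, 96, 94, 98]},
    # Benign control: a game with a short load spike, not sustained.
    {"id": 99, "pid": 300, "image": r"C:\Program Files\Game\game.exe",
     "cpu_pct": [80, 20, 10, 5, 0, 0]},
]

C2_DOMAINS = {"pinokino[.]fun"}  # defanged IOC from the report
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
CPU_THRESHOLD_PCT = 85      # assumed: "busy" sample
CPU_SUSTAINED_SAMPLES = 5   # assumed: consecutive busy samples before alerting


def refang(ioc):
    """Turn a defanged IOC (pinokino[.]fun) back into a matchable domain."""
    return ioc.replace("[.]", ".")


def is_user_writable(path):
    return any(tok in path.lower() for tok in USER_WRITABLE)


def is_system_dir(path):
    # Note: C:\Windows\ itself is deliberately not trusted; MTX64.exe
    # is placed there disguised as a system file.
    return path.lower().startswith(SYSTEM_DIRS)


def regsvr32_target(cmd):
    """Extract the DLL path regsvr32 was asked to register (quoted or bare)."""
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def sustained_run(samples, threshold):
    """Longest run of consecutive samples at or above threshold."""
    best = cur = 0
    for s in samples:
        cur = cur + 1 if s >= threshold else 0
        best = max(best, cur)
    return best


def detect(events):
    """Return a list of alerts, one dict per rule hit, in event order."""
    c2 = {refang(d) for d in C2_DOMAINS}
    alerts = []
    for ev in events:
        image = ev.get("image", "")
        name = image.lower().rsplit("\\", 1)[-1]
        if ev["id"] == 1:
            parent, cmd = ev.get("parent", ""), ev.get("cmd", "")
            pname = parent.lower().rsplit("\\", 1)[-1]
            dll = regsvr32_target(cmd) if name == "regsvr32.exe" else None
            # Rule 1: regsvr32 loading a DLL from, or launched from, a
            # user-writable location (installer -> regsvr32 unrar.dll).
            if dll and (is_user_writable(dll) or is_user_writable(parent)):
                alerts.append({"rule": "regsvr32_untrusted_dll", "pid": ev["pid"], "detail": dll})
            # Rule 2: scheduled-task creation from an odd parent.
            elif name == "schtasks.exe" and "/create" in cmd.lower() and (
                    pname == "regsvr32.exe" or is_user_writable(parent)):
                alerts.append({"rule": "schtasks_unusual_parent", "pid": ev["pid"], "detail": cmd})
        elif ev["id"] == 22 and ev.get("query", "").lower() in c2:
            # Rule 3: DNS resolution of the known C2 domain.
            alerts.append({"rule": "known_c2_dns", "pid": ev["pid"], "detail": ev["query"]})
        elif ev["id"] == 99:
            # Rule 4: sustained CPU from a binary outside the real system dirs.
            if (sustained_run(ev["cpu_pct"], CPU_THRESHOLD_PCT) >= CPU_SUSTAINED_SAMPLES
                    and not is_system_dir(image)):
                alerts.append({"rule": "sustained_cpu_nonsystem", "pid": ev["pid"], "detail": image})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["rule"]:26} pid={a["pid"]} {a["detail"]}')
```

Rule 4 on its own is only a triage signal (a real game at full load looks similar); it earns its place when it co-occurs with the regsvr32 or scheduled-task hits on the same host. The two benign control events in the sample set are there to show that a signed vendor installer registering its DLL from Program Files, and a game with a short load spike, do not fire.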
## Mitigation Strategies
- Prevention: Avoid downloading and executing cracked or pirated software/games from untrusted sources like torrent sites.
- Hardening recommendations: Implement application control (allow-listing) so that binaries in user-writable locations, and DLLs registered from them via `regsvr32.exe`, cannot execute. Keep real-time security monitoring active; since the malware aborts when it detects VMs, sandboxes, or debuggers and shuts the miner down when monitoring tools are present, the presence of such tooling is itself a partial mitigation. Alert on sustained, unexplained CPU load, which is the miner's one unavoidable footprint.
## Related Tools/Techniques
- XMRig: The specific cryptomining software utilized, albeit heavily modified.
- Obfuscated Loaders: Techniques used by `MTX64.exe` resembling legitimate system files for resource spoofing.