Full Report
Users who are on the lookout for popular games were lured into downloading trojanized installers that led to the deployment of a cryptocurrency miner on compromised Windows hosts. The large-scale activity has been codenamed StaryDobry by Russian cybersecurity company Kaspersky, which first detected it on December 31, 2024. It lasted for a month. Targets of the campaign include individuals and
Analysis Summary
# Tool/Technique: StaryDobry Campaign (Cryptocurrency Miner Deployment)
## Overview
The StaryDobry campaign is a large-scale operation where threat actors distribute popular game installers (simulators, physics games) riddled with malware via torrent sites. The ultimate goal is to deploy the XMRig cryptocurrency miner onto compromised Windows hosts, particularly targeting powerful gaming machines capable of sustained mining activity. The campaign was observed by Kaspersky between December 31, 2024, and January 31, 2025.
## Technical Details
- Type: Malware Campaign (Dropper, Miner)
- Platform: Windows
- Capabilities: Initial access via trojanized installers, anti-analysis checks, persistence through system modifications, and cryptocurrency mining.
- First Seen: December 31, 2024
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application (Via trojanized installers on torrent sites)
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Encrypted payloads)
- T1055 - Process Injection (Inferred via DLL loading/modification)
- TA0003 - Persistence
- T1547.001 - Registry Run Keys / Startup Folder (Not explicitly stated, but high likelihood for persistence)
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols (Polling IP information sites)
- TA0008 - Lateral Movement (Not explicitly detailed, focusing on local compromise)
- TA0004 - Privilege Escalation (Loading a Shell Extension Handler)
- TA0009 - Collection
- T1082 - System Information Discovery (Machine fingerprinting)
## Functionality
### Core Capabilities
- **Initial Infection:** Distribution via trojanized installers crafted using **Inno Setup** and seeded on torrent sites.
- **Initial Payload Dropping:** The installer extracts a dropper component (`unrar.dll`) upon installation.
- **Anti-Analysis:** The dropper (`unrar.dll`) checks whether it is running under a debugger or inside a sandboxed environment.
- **System Fingerprinting:** Gathers IP address information by polling sites such as `api[.]myip[.]com`, `ip-api[.]com`, and `ipwho[.]is`; if the lookup fails, the location defaults to China or Belarus.
- **Next-Stage Deployment:** Decrypts and writes an executable (`MTX64.exe`) to disk, masquerading as `Windows.Graphics.ThumbnailHandler.dll` in `%SystemRoot%` or `%SystemRoot%\Sysnative`.
### Advanced Features
- **Legitimate Tool Modification:** `MTX64.exe` is based on a modified copy of the legitimate open-source project **EpubShellExtThumbnailHandler**, abused to achieve persistence/execution through the Windows Shell Extension Thumbnail Handler mechanism.
- **Payload Staging:** Loads a portable executable named **Kickstarter**, which unpacks an encrypted blob and writes it to disk as `Unix.Directory.IconHandler.dll` in a per-host directory (`%appdata%\Roaming\Microsoft\Credentials\%InstallDate%\`).
- **Final Stage Delivery:** The staged DLL retrieves the final-stage binary (the miner) from a remote server.
- **Analysis-Tool Evasion:** The final payload continuously monitors for forensic tools (`taskmgr.exe` and `procmon.exe`) and stops execution if either is detected.
- **Cryptocurrency Mining:** Deploys a slightly modified version of the **XMRig** cryptocurrency miner, configuring it with a predefined command line to mine using the host CPU.
## Indicators of Compromise
- File Hashes: *Not provided in the context.*
- File Names:
  - Dropper: `unrar.dll`
  - Decrypted Executable: `MTX64.exe`
  - Dropped DLL 1 (Shell Extension): `Windows.Graphics.ThumbnailHandler.dll` (located in `%SystemRoot%` or `%SystemRoot%\Sysnative`)
  - Dropped DLL 2 (Staged Payload): `Unix.Directory.IconHandler.dll`
  - Staging Folder: `%appdata%\Roaming\Microsoft\Credentials\%InstallDate%\`
- Registry Keys: *Not explicitly detailed, but persistence mechanisms suggest registry modifications.*
- Network Indicators:
  - C2/Information Retrieval: `api[.]myip[.]com`, `ip-api[.]com`, `ipwho[.]is`
  - Final Miner C2: Remote server (implied)
- Behavioral Indicators:
  - Installation initiated via game installers (BeamNG.drive, Garry's Mod, etc.) obtained from torrent sites.
  - File execution involving manipulation of Windows Shell Extension Thumbnail Handlers.
  - Termination upon detection of Task Manager (`taskmgr.exe`) or Process Monitor (`procmon.exe`).
## Associated Threat Actors
- Unidentified threat actors. The campaign is named **StaryDobry** by Kaspersky.
## Detection Methods
- Signature-based detection: For known DLL hashes or the XMRig binary configuration.
- Behavioral detection: Monitoring for Inno Setup installers executing DLLs via non-standard means, file creation in unusual system/appdata paths, modifications to Shell Extension handlers, and termination triggered by the presence of forensic tools.
- YARA rules: *Not provided in the context.*
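The following is an added example, not code from the page, from Kaspersky, or from any detection product: a small rule engine that turns the file, network and behavioral indicators listed above into checks over Sysmon-style events, covering both the Indicators of Compromise list and the behavioral detection ideas in this section. The JSON event shape (`EventID`, `UtcTime`, `Image`, `TargetFilename`, `TargetObject`, `Details`, `QueryName`), the constructed sample log, the placeholder installer/miner names, the 10-second "exited right after a forensic tool started" window, and the assumption that `%SystemRoot%` is `<drive>:\Windows` are all assumptions made here; only the file names, paths, domains and tool names come from the page.

```python
"""Rule-based scan of Sysmon-style events for StaryDobry indicators.

Added example, not code from the page or from Kaspersky. The JSON event
shape (EventID, UtcTime, Image, TargetFilename, QueryName, Details) and the
sample log below are constructed; the file names, paths, domains and tool
names are the indicators listed on the page. The 10-second window and the
assumption that %SystemRoot% is <drive>:\\Windows are choices made here.
"""
import json
import re
from datetime import datetime, timedelta

# Network indicators from the page (defanged there with [.]).
IP_LOOKUP_DOMAINS = {"api.myip.com", "ip-api.com", "ipwho.is"}
# Tools whose appearance makes the final payload stop running.
FORENSIC_TOOLS = {"taskmgr.exe", "procmon.exe"}
# Assumption: a process exiting this soon after a tool starts is suspicious.
TERMINATE_WINDOW = timedelta(seconds=10)

# (severity, rule name, regex) for the dropped files. %InstallDate% is a
# per-host value, so it is matched as any single path component.
FILE_RULES = [
    ("high", "thumbnail_handler_dll_in_systemroot",
     re.compile(r"^[a-z]:\\windows(\\sysnative)?\\windows\.graphics\.thumbnailhandler\.dll$", re.I)),
    ("high", "icon_handler_dll_in_credentials_dir",
     re.compile(r"\\appdata\\roaming\\microsoft\\credentials\\[^\\]+"
                r"\\unix\.directory\.iconhandler\.dll$", re.I)),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def match_file_path(path):
    """Return (severity, rule) if path matches a dropped-file indicator, else None."""
    for severity, rule, rx in FILE_RULES:
        if rx.search(path):
            return severity, rule
    return None


def scan_events(events):
    """Run every rule over the events (any order) and return a list of alerts."""
    alerts, tool_starts = [], []
    for ev in sorted(events, key=_ts):
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == 11:  # FileCreate
            hit = match_file_path(ev["TargetFilename"])
            if hit:
                alerts.append({"severity": hit[0], "rule": hit[1],
                               "image": image, "path": ev["TargetFilename"]})
        elif eid == 13:  # RegistryValueSet whose data points at a dropped DLL
            hit = match_file_path(ev.get("Details", ""))
            if hit:
                alerts.append({"severity": "high", "rule": "registry_points_to_" + hit[1],
                               "image": image, "key": ev["TargetObject"]})
        elif eid == 22:  # DnsQuery: a geolocation lookup is weak alone, useful in context
            qname = ev["QueryName"].lower()
            if qname in IP_LOOKUP_DOMAINS:
                alerts.append({"severity": "low", "rule": "ip_geolocation_lookup",
                               "image": image, "domain": qname})
        elif eid == 1 and _basename(image) in FORENSIC_TOOLS:  # ProcessCreate of a tool
            tool_starts.append((_ts(ev), _basename(image)))
        elif eid == 5 and _basename(image) not in FORENSIC_TOOLS:  # ProcessTerminate
            when = _ts(ev)
            for started, tool in tool_starts:
                if started <= when <= started + TERMINATE_WINDOW:
                    alerts.append({"severity": "medium", "rule": "exit_after_forensic_tool_start",
                                   "image": image, "tool": tool})
                    break
    return alerts


def load_events(text):
    """Parse one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample log; installer name, user, SID, CLSID and miner path are placeholders.
SAMPLE_LOG = r'''
{"EventID": 11, "UtcTime": "2024-12-31 10:00:01.000", "Image": "C:\\Users\\alice\\Downloads\\game_setup.tmp", "TargetFilename": "C:\\Windows\\Windows.Graphics.ThumbnailHandler.dll"}
{"EventID": 13, "UtcTime": "2024-12-31 10:00:02.000", "Image": "C:\\Users\\alice\\Downloads\\game_setup.tmp", "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32\\(Default)", "Details": "C:\\Windows\\Windows.Graphics.ThumbnailHandler.dll"}
{"EventID": 22, "UtcTime": "2024-12-31 10:00:05.000", "Image": "C:\\Users\\alice\\Downloads\\game_setup.tmp", "QueryName": "ip-api.com"}
{"EventID": 11, "UtcTime": "2024-12-31 10:00:09.000", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Credentials\\20241231\\Unix.Directory.IconHandler.dll"}
{"EventID": 22, "UtcTime": "2024-12-31 10:01:00.000", "Image": "C:\\Windows\\explorer.exe", "QueryName": "www.example.com"}
{"EventID": 1, "UtcTime": "2024-12-31 12:30:00.000", "Image": "C:\\Windows\\System32\\Taskmgr.exe"}
{"EventID": 5, "UtcTime": "2024-12-31 12:30:03.000", "Image": "C:\\ProgramData\\PLACEHOLDER_miner.exe"}
{"EventID": 5, "UtcTime": "2024-12-31 12:31:00.000", "Image": "C:\\Windows\\notepad.exe"}
'''


def demo():
    """Scan the constructed sample log; returns the alerts in time order."""
    return scan_events(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The file rules carry the highest confidence because the DLL names and the `Credentials\<InstallDate>` staging path are specific to this chain; the geolocation lookup is scored low because many benign applications query the same services, and the exit-after-tool-start rule is a correlation that only becomes meaningful when it repeats or coincides with the file hits. On a real host these events would come from Sysmon or an EDR rather than the embedded sample.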
## Mitigation Strategies
- **Source Verification:** Exercise extreme caution when downloading "repacks" or cracked/free versions of popular software from torrent sites.
- **Application Control:** Restrict the execution of binaries from custom locations within system directories or user profile folders.
- **Host Monitoring:** Implement active monitoring for legitimate Windows processes being leveraged for malicious purposes (e.g., DLL loading/hijacking targeting Shell Extensions).
- **Endpoint Protection:** Ensure robust EDR solutions are in place to detect anti-analysis behaviors and known miner signatures (XMRig modifications).
## Related Tools/Techniques
- **XMRig:** The specific cryptocurrency miner leveraged.
- **Inno Setup:** The installer creation tool used to package the trojanized application.
- **EpubShellExtThumbnailHandler:** The legitimate open-source project whose functionality was modified/abused.