Related Families: RedLine, Chaos, Monster, Electron Bot, AXLocker, RapperBot, ALPHV/BlackCat
Verticals Targeted: Gaming
This report is part of PolySwarm’s 2022 Recap series. This edition provides an overview of the 2022 gaming threat landscape.
- In 2022, there was a marked increase in cyberattacks targeting the gaming industry.
- Types of malware used to target gaming included backdoors, coin miners, trojans, and ransomware.
- Other attacks on gaming included account takeover, theft of in-game assets, cheating hacks, DDoS, and intellectual property theft.
In 2022, we noted a marked increase in cyberattacks targeting the gaming industry. Over 20 major games were targeted or used as lures in attacks in the past year, including Minecraft, Roblox, Need for Speed, Grand Theft Auto, Call of Duty, FIFA, The Sims, Far Cry, CS:GO, PUBG, Valorant, Resident Evil, Command & Conquer, Hitman, Total War, Cyberpunk 2077, Elden Ring, Final Fantasy, Halo, Legend of Zelda, League of Legends, Dota 2, Apex Legends, World of Warcraft, Gears of War, Tomb Raider, S.T.A.L.K.E.R., and Warhammer.
The increase in cyberattacks targeting gamers can partially be attributed to the increase in gaming activity due to the stay-at-home orders and social distancing dictated by COVID-19 lockdowns in 2020 and 2021. Individuals who started gaming or became more passionate about gaming during the lockdowns continue to enjoy gaming as a hobby and an escape from a world in turmoil. The number of casual gamers also increased, with many playing mobile or browser-based games out of sheer boredom during the lockdowns.
Targeting the gaming industry can be very profitable. According to PwC, the gaming industry was projected to earn over $235 billion USD in 2022. Additionally, gamers invest in a wide range of hardware, software, and in-game upgrades, including high-end processors, performance hacks and mods, overclocking utilities, game subscriptions, in-game currencies and microtransactions, and DLC. Hardcore gamers can spend thousands per year individually to keep a competitive edge.
Types of Attacks Targeting Gamers
Threat actors used a variety of malware and other cyberattacks to target gamers and the gaming industry in 2022. The malware used included backdoors, coin miners, trojans, and ransomware. Other attacks on gaming included account takeover, theft of in-game assets, cheating hacks, DDoS, and intellectual property theft.
According to industry researchers, Minecraft was the most abused game title, with threat actors using it to lure players into installing malware. Minecraft-related activity accounted for almost a quarter of all malicious files spread using game brand abuse.
Malicious game clones on the Microsoft Store were discovered delivering Electron Bot, a backdoor that gives threat actors complete control of the victim machine, facilitating RCE and real-time interactions, social media profile takeover, SEO poisoning, and ad fraud.
Threat actors used a phishing campaign impersonating MSI Afterburner to deliver a coin miner. MSI Afterburner is a high-performance graphics card utility used by many gamers to improve performance; it lets users overclock, monitor, benchmark, and capture video. Threat actors used over 50 websites masquerading as the official MSI Afterburner site to deliver Monero (XMR) crypto miners and RedLine stealer to unsuspecting victims. These cryptominers, in turn, leverage the victim’s likely high-performance hardware to mine Monero. Far Cry is reportedly the most popular gaming title used to push miners.
Threat actors used a novel browser-in-the-browser (BitB) phishing technique to steal Steam credentials. This attack involves rendering a fake browser window inside the active browser window, tricking victims into thinking the fake window is a legitimate sign-in page. Threat actors baited victims with direct messages on Steam, asking them to join tournament teams for League of Legends, Counter Strike, Dota 2, or PUBG. The links sent by the threat actors direct victims to a phishing site that pretends to be an esports organization. The victims are then prompted to use their Steam credentials to link their account to the esports organization. The login form is a phishing page used to steal their credentials and capture their 2FA codes.
Other threat actors were observed using a phishing site claiming to generate in-game currency for Grand Theft Auto Online, using the fake site to steal the victim’s GTA Online account credentials. Using in-game currency or items as a phishing lure has proven to be a successful way to obtain a victim’s account credentials for multiple games that use microtransactions or have skins and other cosmetic items.
In another incident, threat actors compromised the support system for game publisher 2K, which owns Borderlands, Bioshock, Civilization, NBA 2K, and other games. The threat actors sent gamers an email regarding a 2K support ticket, even if the gamers had not opened a ticket. The response from the “support agent” included an attached file pretending to be a game launcher. The launcher was instead an executable used to install RedLine stealer on the victim’s machine. This version of RedLine targeted the usual browser cookies, passwords, and credit card information, as well as the victim’s Discord and Steam folders.
Stealing In-game Assets
In June, threat actors stole $2 million USD worth of in-game items from a CS:GO player’s backpack. The threat actors reportedly auctioned off the items, which included elusive and expensive Souvenir AWP Dragon Lore skins. The threat actors reportedly hacked the victim’s Steam account, thereby obtaining access to their CS:GO profile.
Earlier this year, threat actors used YouTube videos to promote cheats for the game Valorant that actually dropped infostealers. In another incident, industry researchers discovered a trojan hidden within a legitimate scripting engine used for Roblox cheat codes.
The gaming industry has been a prime target of DDoS attacks. For years, criminal and hacktivist threat actors have used DDoS to target game servers. For example, earlier this year, the servers for Blizzard, which owns World of Warcraft, Diablo, and Overwatch, were targeted multiple times. Each DDoS attack makes the games slow for some players and completely unplayable for others. One of our analysts was completely unable to log in to World of Warcraft for several hours due to a DDoS attack affecting login servers.
Threat actors have also used RapperBot, an IoT botnet, to target gaming with DDoS attacks. RapperBot, which is based on Mirai, was used in an October attack on game servers.
Intellectual Property Theft
Earlier this year, Rockstar Games was the victim of a network intrusion in which a threat actor stole early footage from the upcoming Grand Theft Auto VI game. Over 90 clips related to the game were stolen and then leaked on the GTAForums site. The leaks led to a 2.3% drop in the stock price of Take-Two Interactive.
Ransomware & Extortion
In July, Bandai Namco, famous for Pac-Man, Tekken, and Dark Souls, was the victim of a ransomware attack by ALPHV (BlackCat). The threat actors also obtained unauthorized access to internal systems.
Minecraft alt lists (lists of stolen alternate-account credentials) shared on gaming forums were discovered dropping Chaos ransomware earlier this year, and NPM packages masquerading as Roblox libraries were also found delivering ransomware.
In another incident, threat actors compromised a Roblox employee’s account. The threat actors stole 4GB of data, including identification documents and spreadsheets with Roblox creator information and email addresses. Roblox stated the data was stolen as part of an extortion scam. Threat actors later leaked some of the data online.
Tracking Threats to the Gaming Industry With PolySwarm
PolySwarm tracked a variety of malware families targeting the gaming industry this year. Some of these families include:
- RedLine Stealer
- Chaos Ransomware
- Monster Ransomware
- ALPHV/BlackCat Ransomware