
February 19, 2025The Hacker NewsWindows Security / Malware

Users seeking popular games were tricked into downloading trojanized installers, leading to the deployment of a cryptocurrency miner on compromised Windows systems.

Russian cybersecurity company Kaspersky has dubbed this large-scale activity StaryDobry. It first detected the campaign on December 31, 2024, and the activity lasted for a month.

The campaign targeted individuals and businesses worldwide, with higher infection rates found in Russia, Brazil, Germany, Belarus, and Kazakhstan, according to Kaspersky’s telemetry.

Researchers Tatyana Shishkova and Kirill Korchemny explained that using games as lures allowed the threat actors to maximize the miner's yield by landing on powerful gaming machines capable of sustaining mining activity.

The XMRig cryptocurrency miner campaign uses popular simulator and physics games, such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy, as lures to initiate a sophisticated attack chain.

This involves uploading poisoned game installers crafted using Inno Setup to various torrent sites in September 2024, indicating careful planning by the unidentified threat actors behind the campaign.

Users who download these releases, also known as “repacks,” are presented with an installer screen that prompts them to proceed with the setup process, during which a dropper (“unrar.dll”) is extracted and executed.

The DLL file continues execution only after running a series of checks to determine if it’s running in a debugging or sandboxed environment, demonstrating its highly evasive behavior.

It then polls various sites, such as api.myip [.]com, ip-api [.]com, and ipwho [.]is, to obtain the user’s IP address and estimate their location. If this step fails, the country defaults to China or Belarus for unknown reasons.

The next phase involves gathering a machine fingerprint, decrypting another executable ("MTX64.exe"), and writing its contents to a file on disk named "Windows.Graphics.ThumbnailHandler.dll" in either the %SystemRoot% or the %SystemRoot%\Sysnative folder.

Based on a legitimate open-source project called EpubShellExtThumbnailHandler, MTX64 modifies the Windows Shell Extension Thumbnail Handler functionality for its own gain by loading a next-stage payload, a portable executable named Kickstarter that unpacks an encrypted blob embedded within it.

The blob is written to disk under the name "Unix.Directory.IconHandler.dll" in the folder %appdata\Roaming\Microsoft\Credentials\%InstallDate%.
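As an added example (not Kaspersky's code or anything taken from the campaign), the following Python hunts a file inventory for the two dropped DLL names at the locations described above. It folds the WOW64 Sysnative alias onto System32, so a listing taken from a 32-bit process and one taken from a 64-bit process collapse to a single entry, and it treats the %InstallDate% path component as a variable folder name. The environment-variable expansions and the file inventory are constructed for the example; on a live host they would come from os.environ and a directory walk or EDR file events.

```python
import ntpath
import re

# Assumed expansions for the example; read os.environ on a live host instead.
ENV = {"systemroot": r"C:\Windows",
       "appdata": r"C:\Users\alice\AppData\Roaming"}

# Dropped-DLL names from the report, each paired with a regex for the
# directory it is expected in (lower-case, after normalisation).
INDICATORS = [
    # MTX64 output: %SystemRoot% or %SystemRoot%\Sysnative (System32 on 64-bit)
    ("Windows.Graphics.ThumbnailHandler.dll", r"c:\\windows(\\system32)?"),
    # Kickstarter output: ...\Microsoft\Credentials\<%InstallDate% folder>
    ("Unix.Directory.IconHandler.dll", r".*\\microsoft\\credentials\\[^\\]+"),
]

# Constructed file inventory (not real telemetry).
FILES = [
    r"%SystemRoot%\Sysnative\Windows.Graphics.ThumbnailHandler.dll",
    r"C:\Windows\System32\Windows.Graphics.ThumbnailHandler.dll",  # same file, 64-bit view
    r"%APPDATA%\Microsoft\Credentials\20241231\Unix.Directory.IconHandler.dll",
    r"C:\Program Files\BeamNG.drive\Unix.Directory.IconHandler.dll",  # name hit, unexpected place
    r"C:\Windows\System32\kernel32.dll",
]


def expand(path):
    """Expand %VAR% tokens using ENV (case-insensitive); unknown tokens are kept."""
    return re.sub(r"%([^%\\]+)%",
                  lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def normalize(path):
    """Expand, normalise and lower-case a Windows path, folding Sysnative onto System32."""
    p = ntpath.normpath(expand(path)).lower()
    return p.replace("\\windows\\sysnative\\", "\\windows\\system32\\")


def hunt(files):
    """Return {normalized_path: {"name", "expected_location"}} for files whose
    name matches a dropped-DLL indicator. expected_location is True when the
    directory is one the report associates with that DLL."""
    findings = {}
    for raw in files:
        norm = normalize(raw)
        directory, name = ntpath.split(norm)
        for ioc_name, dir_pattern in INDICATORS:
            if name == ioc_name.lower():
                findings[norm] = {
                    "name": ioc_name,
                    "expected_location": re.fullmatch(dir_pattern, directory) is not None,
                }
    return findings


if __name__ == "__main__":
    for path, info in hunt(FILES).items():
        tag = "match" if info["expected_location"] else "name-only"
        print(f"[{tag}] {info['name']}: {path}")
```

A name-only hit (right file name, unexpected directory) is still worth a look, but the directory check separates the chain as reported from coincidental file names.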

The newly created DLL retrieves the final-stage binary, which runs the miner implant, from a remote server, while continuously checking the list of running processes for taskmgr.exe and procmon.exe. The DLL terminates if either of these processes is detected.

The miner is a modified version of XMRig that uses a predefined command line to initiate the mining process on machines with CPUs that have 8 or more cores.

“If there are fewer than 8, the miner does not start,” the researchers said. “Moreover, the attacker chose to host a mining pool server in their own infrastructure instead of using a public one.”

XMRig parses the constructed command line using its built-in functionality and creates a separate thread to check for process monitors running in the system, using the same method as in the previous stage.
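As an added example (not Kaspersky's code and not the campaign's tooling), the following Python shows two hunts a defender can run over process telemetry against the miner behaviour described above: parsing an XMRig-style command line to pull out the pool URL and classifying it as public or operator-hosted, and spotting the process-monitor evasion by looking for an image that exits within seconds of taskmgr.exe or procmon.exe starting, more than once. The event records, the placeholder image name xmr.exe, the pool and wallet values and the public-pool allowlist are all constructed for the example. One caveat worth keeping in mind: because the miner refuses to start on machines with fewer than 8 cores, such hosts carry the dropper chain but never show the miner process, so process-level hunting alone will miss them.

```python
import shlex
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical allowlist of public Monero pools; keep a real one current.
# Anything outside it is treated as operator-hosted (assumption for the example).
PUBLIC_POOL_SUFFIXES = ("supportxmr.com", "nanopool.org", "hashvault.pro")

MONITORS = {"taskmgr.exe", "procmon.exe"}  # the two images the implant watches for

# Constructed Sysmon-style process events: (time_s, kind, pid, image, cmdline).
# "xmr.exe", the pool and the wallet are placeholders, not campaign indicators.
MINER_CMD = ("xmr.exe -o stratum+tcp://pool.example.net:3333 "
             "-u WALLET_PLACEHOLDER -p x -k --donate-level=0 -t 8")
EVENTS = [
    (0,   "start", 4100, "xmr.exe", MINER_CMD),
    (30,  "start", 5200, "taskmgr.exe", "taskmgr.exe"),
    (31,  "stop",  4100, "xmr.exe", ""),          # miner bails when Task Manager appears
    (60,  "stop",  5200, "taskmgr.exe", ""),
    (90,  "start", 4300, "xmr.exe", MINER_CMD),   # ...and is relaunched later
    (200, "start", 5300, "procmon.exe", "procmon.exe"),
    (201, "stop",  4300, "xmr.exe", ""),
    (210, "start", 6000, "notepad.exe", "notepad.exe"),
    (500, "stop",  6000, "notepad.exe", ""),
]

_VALUE_OPTS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
               "-p": "pass", "--pass": "pass", "-t": "threads", "--threads": "threads",
               "--donate-level": "donate_level"}
_FLAG_OPTS = {"-k": "keepalive", "--keepalive": "keepalive", "--tls": "tls"}


def parse_xmrig_cmdline(cmdline):
    """Return XMRig-style options as a dict, or None if no pool URL is present.
    Accepts '-o URL', '--url URL' and '--url=URL' forms; unknown tokens are ignored."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        key, _, inline_val = tok.partition("=")
        if tok in _FLAG_OPTS:
            opts[_FLAG_OPTS[tok]] = True
        elif key in _VALUE_OPTS and inline_val:
            opts[_VALUE_OPTS[key]] = inline_val
        elif tok in _VALUE_OPTS and i + 1 < len(argv):
            opts[_VALUE_OPTS[tok]] = argv[i + 1]
            i += 1
        i += 1
    return opts if "url" in opts else None


def is_self_hosted_pool(url):
    """True when the pool host is not under a known public pool domain."""
    if "://" not in url:
        url = "stratum+tcp://" + url       # bare host:port form
    host = (urlsplit(url).hostname or "").lower()
    return not any(host == s or host.endswith("." + s) for s in PUBLIC_POOL_SUFFIXES)


def find_monitor_evasion(events, window_s=5, min_hits=2):
    """Images that exit within window_s seconds of taskmgr.exe/procmon.exe starting,
    at least min_hits times: {image: count}. Benign software rarely does this twice."""
    monitor_starts = [t for t, kind, _, img, _ in events
                      if kind == "start" and img.lower() in MONITORS]
    hits = defaultdict(int)
    for t, kind, _, img, _ in events:
        if kind == "stop" and img.lower() not in MONITORS \
                and any(0 <= t - ms <= window_s for ms in monitor_starts):
            hits[img.lower()] += 1
    return {img: n for img, n in hits.items() if n >= min_hits}


def triage(events):
    """Flag process starts whose command line looks like an XMRig launch."""
    findings = []
    for _, kind, pid, img, cmd in events:
        opts = parse_xmrig_cmdline(cmd) if kind == "start" else None
        if opts:
            findings.append({"pid": pid, "image": img, "pool": opts["url"],
                             "self_hosted": is_self_hosted_pool(opts["url"]),
                             "donate_level": opts.get("donate_level")})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
    print("monitor evasion:", find_monitor_evasion(EVENTS))
```

The pool classification is the more durable signal of the two: a command line can be renamed or obfuscated, but the miner still has to reach a stratum endpoint, and an endpoint outside the well-known public pools is exactly the self-hosted infrastructure the researchers describe.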

StaryDobry remains unattributed due to the lack of indicators tying it to known crimeware actors. However, the presence of Russian language strings in the samples suggests the possibility of a Russian-speaking threat actor.
