With more people using their personal devices for work during the COVID-19 pandemic, threats that would typically only affect consumers are now posing unforeseen risks to enterprise networks, too, including a new malware campaign targeting video game enthusiasts, researchers warn.
New research from Cisco Talos shed light on an ongoing campaign that uses game-modding tools as a disguise to infect victims with malware, such as information stealers. Though the targets of the campaign are gamers, researchers say it poses a “serious threat to enterprise networks” as companies continue to grapple with securing their remote workforces.
“The biggest threat here is that people’s (personal) systems are getting infected, and then they are using corporate networks on those same machines,” Holger Unterbrink, threat researcher with Cisco Talos, said. “With COVID-19 and work-from-home (workforces), the chances of this type of attack affecting companies has definitely increased.”
While the majority of workforces have been remote for more than a year now, companies continue to struggle with securing their infrastructure in a work-from-home environment. Recent research from Lynx Software found that 76 percent of 1,000 U.S. employees surveyed were using a personal device for work "at least sometimes." Fewer than half (49 percent) of respondents said their organizations had strengthened their cybersecurity measures since the start of the pandemic.
With this particular malware attack, researchers worry that employees may be downloading tools used to alter video games from suspicious sources, on the same personal machine they use for their jobs. The attack starts with advertisements or "How To" videos on YouTube or other social media channels that promise game-modding tools for titles such as the first-person shooter CrossFire.
These channels point victims to seemingly legitimate files, which purport to let users install cheats into video games or make other game modifications. Using such cheats is already a "gray area" in gaming, which makes it easier for cybercriminals to convince users to download software from potentially shady sources, said Unterbrink.
“It’s a form of social engineering… the motivation is high to accept the risk,” said Unterbrink. “People know they’re doing something that’s not 100 percent correct, so they can only get these cheats from questionable sources.”
However, once downloaded, the files actually deploy a complex cryptor written in Visual Basic, which is designed to obfuscate malware code so it can't be easily detected by signature-based scanners. In this case, the cryptor uses several obfuscation tactics that make it difficult to recover the final payload, including injecting that payload into a newly created process, which hides it from simple anti-malware tools that only inspect files on disk. The choice of language also poses a challenge for security analysts who aren't familiar with Visual Basic 6, researchers said.
The final executed payload is XtremeRAT, a remote-access trojan (RAT) with information-stealing capabilities that has been around since at least 2010. The RAT has various malicious functionalities, including allowing attackers to download files, capture images of the desktop and record from the device's webcam or microphone.
With attackers armed with these capabilities, it’s game over should a device that’s also being used for corporate functions be infected, said Unterbrink.
“With this attack, (cybercriminals) are getting full control of the victims’ laptop,” said Unterbrink. “They can access all resources the employee has access to and misuse their accounts.”
If corporate email is used on the infected personal device, a successful attack gives the criminals access to it as well. This not only exposes sensitive corporate information but also enables follow-on phishing sent from the victim's legitimate corporate account, which recipients are far more likely to trust.
Beyond campaigns that leverage video game mods, other types of threats - typically targeted at consumers - are now posing a threat to enterprises due to remote work. For instance, attackers have been leveraging COVID-19 lures to draw in victims with promises of vaccines.
“(Employees) are now not risking just their private PC, now they are sharing these resources with their company,” said Unterbrink. “They need to be more responsible.”
With employees utilizing their personal devices during remote work, companies should ensure that those devices run antivirus software and that the corporate accounts used from them are protected by two-factor authentication. Two-factor authentication limits what stolen credentials are worth, but it does not stop a RAT that already controls the device from using the sessions the employee has logged into, which is why it needs to be paired with endpoint protection. Proper employee education is also in order, including making sure that end users only download software from trusted sources, said Unterbrink.
Cisco Talos researchers said it's also critical for companies to have a multi-layered security architecture in place that can detect abnormal behavior.
“It isn't unlikely that the adversaries will manage to bypass one or the other security measures, but it is much harder for them to bypass all of them,” according to researchers with Cisco Talos. “These campaigns and the refinement of the TTPs being used will likely continue for the foreseeable future.”
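As an added example, not code from Cisco Talos or from the original article, the following Python sketches the kind of behavior-based detection the last two paragraphs call for, applied to the injection technique described earlier: the cryptor injects its payload into a newly created process. It reads constructed, simplified Sysmon-style events (event ID 1, process creation; event ID 8, CreateRemoteThread) and flags a process that creates a remote thread in a child it spawned moments earlier, scoring higher when that process runs from a user-writable directory such as Downloads. The log lines, process names, PIDs and paths are invented; the field names follow Sysmon's, but the flat JSON layout, the 30-second window and the directory list are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a simplified Sysmon-style layout (not real telemetry).
# EventID 1 = process creation, EventID 8 = CreateRemoteThread.
# "cf_modtool.exe" is an invented stand-in for a downloaded game-cheat binary.
SAMPLE_EVENTS = [
    # Benign: a game launcher starts the game at 09:30 ...
    {"EventID": 1, "UtcTime": "2021-03-31 09:30:00.000", "ProcessId": 2200,
     "Image": r"C:\Program Files\Game\game.exe",
     "ParentProcessId": 5100, "ParentImage": r"C:\Program Files\Game\launcher.exe"},
    # Suspicious: a tool in Downloads is started from Explorer ...
    {"EventID": 1, "UtcTime": "2021-03-31 10:00:01.000", "ProcessId": 4120,
     "Image": r"C:\Users\alice\Downloads\cf_modtool.exe",
     "ParentProcessId": 3001, "ParentImage": r"C:\Windows\explorer.exe"},
    # ... spawns a fresh host process (invented choice of host) ...
    {"EventID": 1, "UtcTime": "2021-03-31 10:00:02.100", "ProcessId": 4188,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 4120, "ParentImage": r"C:\Users\alice\Downloads\cf_modtool.exe"},
    # ... and creates a remote thread in it 200 ms later.
    {"EventID": 8, "UtcTime": "2021-03-31 10:00:02.300",
     "SourceProcessId": 4120, "SourceImage": r"C:\Users\alice\Downloads\cf_modtool.exe",
     "TargetProcessId": 4188, "TargetImage": r"C:\Windows\System32\notepad.exe"},
    # Benign: the launcher (e.g. an overlay) injects into the long-running game 35 min later.
    {"EventID": 8, "UtcTime": "2021-03-31 10:05:00.000",
     "SourceProcessId": 5100, "SourceImage": r"C:\Program Files\Game\launcher.exe",
     "TargetProcessId": 2200, "TargetImage": r"C:\Program Files\Game\game.exe"},
]

# Assumed list of locations an ordinary user can write to without elevation.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\users\\public\\")


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def detect_injection_into_spawned_child(events, window_seconds=30):
    """Return alerts for CreateRemoteThread events whose target is a process the
    source itself created within `window_seconds`. Caveat: PIDs are reused, so a
    production rule should key on Sysmon's ProcessGuid instead of ProcessId."""
    created = {ev["ProcessId"]: ev for ev in events if ev["EventID"] == 1}
    alerts = []
    for ev in events:
        if ev["EventID"] != 8:
            continue
        child = created.get(ev["TargetProcessId"])
        if child is None:
            continue  # no creation record for the target; nothing to correlate
        spawned_by_source = child["ParentProcessId"] == ev["SourceProcessId"]
        age = _parse_time(ev["UtcTime"]) - _parse_time(child["UtcTime"])
        fresh = timedelta(0) <= age <= timedelta(seconds=window_seconds)
        if not (spawned_by_source and fresh):
            continue
        score = 1
        reasons = ["remote thread created in a process the source spawned %.1fs earlier"
                   % age.total_seconds()]
        if _is_user_writable(ev["SourceImage"]):
            score += 1
            reasons.append("source image runs from a user-writable directory")
        alerts.append({
            "time": ev["UtcTime"],
            "source_pid": ev["SourceProcessId"], "source_image": ev["SourceImage"],
            "target_pid": ev["TargetProcessId"], "target_image": ev["TargetImage"],
            "score": score, "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_injection_into_spawned_child(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

Run against the constructed events, the rule raises a single alert for the Downloads binary (score 2) and stays silent for the launcher, which injected into a process it started 35 minutes earlier. The two signals are deliberately independent: the parent-child-plus-timing correlation catches the injection pattern regardless of where the binary lives, and the path check adds weight for the "downloaded from a questionable source" scenario the article describes, so a failure of either heuristic alone does not blind the rule.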