How was MonsterInstall Trojan Discovered?
The malware was discovered by Yandex which subsequently sent it over to Doctor Web’s research team for further analysis together with additional info on how the Trojan sample was distributed. The researchers were able to find that the Trojan — dubbed MonsterInstall — uses Node.js to execute itself on the victims’ machines.
How Does MonsterInstall Trojan Work?
MonsterInstall trojan will gain persistence by adding itself to the infected system’s autorun, in order to get automatically launched after the machine is rebooted.The downloader trojan also downloads the crypto mining module ‘xmrig.dll’ onto the infected system.
- When users download the game cheat, they end up downloading a password-protected zip archive that contains an executable file.
- Once launched, the executable file downloads the game cheat along with the MonsterInstall trojan components.
- Once the trojan gets launched, it will gain persistence by adding itself to the infected system’s autorun, in order to get automatically launched after the machine is rebooted.
- MonsterInstall then starts gathering system info and sends it to the C&C server controlled by the attacker.
- The downloader trojan then downloads the crypto mining module ‘xmrig.dll’ onto the infected system.
The Cryptomining Module -TurtleCoin
The cryptomining module loads the malicious executable ‘xmrig.exe’. The executable sends system information to its C&C server and gets back the miner configuration in the form of a JSON file.
Once the miner configuration file is loaded, it will automatically execute and start mining the TurtleCoin cryptocurrency.
“Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month,” Doctor Web researchers said.
This is not the first time gamers have been targeted by cybercriminals and it will most definitely not be the last. For instance, back in 2016, security researchers discovered a flurry of fake and booby-trapped money adders and cheat tools which would actually steal the gamers’ credentials.