Counter-Strike: Global Offensive (CS:GO) players looking to get a leg up on the competition by using the vHook cheating app for macOS were also infected with a cryptocurrency miner.
This is not the first time when a CS:GO cheating tool was used as a disguise for malware. Back in December 2016, another CS:GO cheat was used to deploy malware that rewrote a player's hard-drive MBR section, rendering his computer unable to boot.
Miner spread via vlone.cc website
This time around, security researchers from SentinelOne came across a cheating tool that when installed on macOS devices would also install a Monero miner detected under the name of OSX.Pwnet.A.
The tool is advertised via YouTube videos [1, 2, 3] and the vlone.cc website, and is named vHook. It is based on the original vHook (Barbossa) CS:GO cheating app developed a few years back but improved and adapted to work on macOS.
The macOS version was modified by a GitHub user by the name of fetusfinn. The OSX.Pwnet.A miner also includes various debugger symbols referencing a user name Finn, most likely the malware's author.
Malware mines Monero into two MinerGate accounts
Users that registered on the vlone.cc website and downloaded the free or paid version of vHook were infected with OSX.Pwnet.A.
The infection process wasn't automatic and straightforward, as users needed to enter their root user password before installing the app. Taking into account that this was a cheat tool that users purposely sought and downloaded/paid, most users would have provided the root password without batting an eye.
SentinelOne security researcher Arnaud Abbati says the Monero miner uses the user's resources to mine funds for two email addresses registered with the MinerGate service.
In fact, OSX.Pwnet.A is a modified version of the minergate-cli package written in for the Qt framework. One of the email addresses Finn used to collect Monero funds was also found in another macOS malware sample.
Joao trojan targets Aeris gamers
This is not the first malware hidden in gaming-related files discovered this week. Yesterday, ESET security researcher Tomáš Gardoň found the Joao trojan hidden in illegal copies of Aeria games, spread via unofficial websites. The trojan has backdoor, spying, and DDoS capabilities.
A technical report on Joao is available here. The technical report for OSX.Pwnet.A is available here.
Comments
MinerGate - 6 years ago
Hello! As an official MinerGate representative, I find it important to state that we don't tolerate such activity on our service.
All our software is meant only for open use on personal devices or with knowledge and consent of the other party if ran on this party's hardware. We stand against scammers and botnet owners and we are determined to take immediate measures regarding the situation described in the article.
MinerGate apologizes to anybody who could have been harmed by the fraudulent activity of these accounts' owners.
brofist7765 - 6 years ago
uhhhhhh do you guys know how to remove it fro my computer of if the process is still running if i deleted the files.