they found another backdoor.

Low Level
10 Nov 2024 15:26

Summary

TLDR: In this video, the host discusses the dangers of downloading game mods from untrusted sources, using a recent security incident in the *Cities: Skylines* community as the example. A popular traffic mod was compromised: a build of it shipped with a malicious DLL, *fastmath.dll*, that exported no functions, carried an XOR-encoded second stage, and resolved the Windows APIs it needed by walking the Process Environment Block (PEB) and comparing hashed names rather than plain strings, so the usual signature checks had nothing to match. The payload targeted cryptocurrency wallets and other sensitive data. The video is a cautionary tale about trusting downloaded mods and code, and a walkthrough of the methods attackers use to slip past security tooling.

Takeaways

  • 😀 Be cautious when downloading game mods from third-party sources: a mod is code, and code from an untrusted author can do anything the game itself can.
  • 🛑 Malicious mods can appear harmless at first but may contain hidden malware, as seen in the *Cities: Skylines* traffic mod incident.
  • 🔍 Malware can be embedded inside the DLL files that mods ship to modify game behavior; a DLL runs with the same privileges as the game, so a malicious one can read anything the player can.
  • ⚠️ Even popular mods with large user bases can be compromised, affecting hundreds of thousands of players.
  • 💻 The malware in this case lived in a DLL called fastmath.dll that exported no functions; a helper library with nothing for the mod to call can only be running code from its entry point on load, which is a strong sign of malicious intent.
  • 🔐 The payload was stored XOR-encoded. XOR is trivial to undo, but the bytes on disk no longer match any signature for the decoded payload, which is enough to get past a file scanner.
  • 🔎 Reverse-engineering tools like Ghidra are essential for working out how malware operates and how it evades detection.
  • 🧠 Malware often employs sophisticated obfuscation strategies, such as loading payloads in stages, to avoid being picked up by antivirus programs.
  • 🛡️ Signature-based antivirus can miss malware whose on-disk bytes match nothing it knows; catching it needs behavior-based detection that looks at what the code does once it runs.
  • 💡 Understanding how executable files and DLLs work is key to recognizing and defending against malware in game mods and other software.
  • ⚡ The malware in this case targeted cryptocurrency wallets: the game mod was simply the delivery vehicle for an infostealer.

Q & A

  • What is the main security risk associated with downloading game mods?

    -The main security risk is that mods are just code, and that code can contain malware. If the mod's author is untrustworthy (or their account or build pipeline is compromised), the mod can steal data such as cryptocurrency wallet information from the player's machine, and it can be written to slip past antivirus while doing so.

  • What is the specific mod that was compromised in this incident?

    -The specific mod that was compromised is the 'Traffic' mod for *Cities: Skylines*. This mod, which is used to customize traffic flow in the game, was distributed with a malicious DLL (fastmath.dll) bundled into it.

  • How did the malware in the 'Traffic' mod evade antivirus detection?

    -The DLL itself carried none of the usual indicators. It had no exported functions, which is unusual for a normal mod helper library (a library named "fastmath" would be expected to export the functions the mod calls; one with no exports can only be running code from its DllMain on load). Its payload was stored XOR-encoded, so the bytes on disk match no signature for the real payload. And instead of importing the Windows APIs it needed by name, it located them through the PEB and compared hashes produced by a custom hashing function, so neither DLL names nor API names appear as strings in the file.

  • What technique did the malware use to distribute its second-stage payload?

    -The first stage carried the second stage as an XOR-encoded blob. At runtime it copied those bytes into memory, XOR-decoded them, and only then wrote the resulting second-stage payload to disk and ran it. Because the decoded payload never exists in the downloaded mod files, a scanner that only fingerprints the files on disk sees an opaque blob with no matching signature.
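The two halves of that staging step, as an added example that is not code from the video, the mod, or the malware: the loader's XOR decode, and the analyst-side search for such a blob in a file. Every PE image starts with "MZ" and stores the offset of its "PE\0\0" signature at 0x3c, so for a single-byte key the key at any offset is forced to be `blob[i] ^ 'M'`, and the rest of the header then either validates or it does not. The embedded stage, its offset (37) and its key (0x5A) are constructed for the demo; the real sample's key length and layout are not known from the page, and a multi-byte key would need a per-position variant of the same known-plaintext idea.

```c
/* Added example (not code from the video or the malware): XOR-encoded PE
 * stage, the loader-side decode, and a known-plaintext scan that finds it.
 * Offsets, key and "stage2" marker below are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define E_LFANEW_OFF 0x3c
#define STAGE_LEN    0x60   /* size of the constructed second stage */
#define STAGE_OFF    37     /* where it is embedded in the constructed blob */
#define SAMPLE_KEY   0x5A   /* constructed single-byte key */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* In-place single-byte XOR; encoding and decoding are the same operation. */
void xor_inplace(uint8_t *buf, size_t n, uint8_t key) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key;
}

/* Minimal PE header sanity check on a decoded buffer: "MZ", then "PE\0\0" at e_lfanew. */
int looks_like_pe(const uint8_t *buf, size_t n) {
    if (n < E_LFANEW_OFF + 4 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32le(buf + E_LFANEW_OFF);
    if (e_lfanew < E_LFANEW_OFF + 4 || (size_t)e_lfanew + 4 > n) return 0;
    return memcmp(buf + e_lfanew, "PE\0\0", 4) == 0;
}

/* Known-plaintext scan: at each offset the only key that could decode 'M' is
 * blob[i] ^ 'M'; reject quickly on 'Z', then confirm via e_lfanew -> "PE\0\0".
 * A key of 0 means a plaintext PE. Returns 1 and fills off/key on success. */
int find_xored_pe(const uint8_t *blob, size_t n, size_t *off, uint8_t *key) {
    for (size_t i = 0; i + E_LFANEW_OFF + 4 <= n; i++) {
        uint8_t k = blob[i] ^ 'M';
        if ((blob[i + 1] ^ k) != 'Z') continue;
        uint8_t lf[4];
        for (int j = 0; j < 4; j++) lf[j] = blob[i + E_LFANEW_OFF + j] ^ k;
        uint32_t e_lfanew = rd32le(lf);
        if (e_lfanew < E_LFANEW_OFF + 4 || e_lfanew > 0x1000 || i + e_lfanew + 4 > n) continue;
        const uint8_t *sig = blob + i + e_lfanew;
        if ((sig[0] ^ k) == 'P' && (sig[1] ^ k) == 'E' && (sig[2] ^ k) == 0 && (sig[3] ^ k) == 0) {
            *off = i; *key = k; return 1;
        }
    }
    return 0;
}

/* Decode the stage from the detected offset to the end of the blob into out:
 * the step the loader performs in memory before writing the result to disk. */
int recover_stage(const uint8_t *blob, size_t n, uint8_t *out, size_t cap, size_t *outlen) {
    size_t off; uint8_t key;
    if (!find_xored_pe(blob, n, &off, &key) || n - off > cap) return 0;
    memcpy(out, blob + off, n - off);
    xor_inplace(out, n - off, key);
    *outlen = n - off;
    return 1;
}

/* Constructed blob: "padding!" filler, a decoy plaintext "MZ" with no PE
 * header behind it, and an XOR-encoded PE-shaped stage at STAGE_OFF. */
size_t build_sample(uint8_t *blob, size_t cap) {
    const char *filler = "padding!";
    size_t total = STAGE_OFF + STAGE_LEN + 16;
    if (cap < total) return 0;
    for (size_t i = 0; i < total; i++) blob[i] = (uint8_t)filler[i % 8];
    blob[5] = 'M'; blob[6] = 'Z';                 /* decoy: "MZ" that is not a PE */
    uint8_t stage[STAGE_LEN] = {0};
    stage[0] = 'M'; stage[1] = 'Z';
    stage[E_LFANEW_OFF] = 0x40;                   /* e_lfanew = 0x40, little-endian */
    memcpy(stage + 0x40, "PE\0\0", 4);
    memcpy(stage + 0x44, "stage2", 6);            /* marker to show decoded content */
    xor_inplace(stage, STAGE_LEN, SAMPLE_KEY);
    memcpy(blob + STAGE_OFF, stage, STAGE_LEN);
    return total;
}

int main(void) {
    uint8_t blob[256], out[256];
    size_t n = build_sample(blob, sizeof blob), off, outlen;
    uint8_t key;
    if (!find_xored_pe(blob, n, &off, &key)) { puts("no encoded PE found"); return 1; }
    recover_stage(blob, n, out, sizeof out, &outlen);
    printf("encoded PE at offset %zu, key 0x%02x, marker \"%.6s\"\n",
           off, key, (const char *)(out + 0x44));
    return 0;
}
```

The decoy "MZ" at offset 5 is there on purpose: a plain `strings`/grep for "MZ" would stop there, while the header-consistency check rejects it because its e_lfanew points at garbage. Running the same scan over a real mod's files is a cheap triage step; a hit with a non-zero key is exactly the "opaque blob that decodes to an executable" pattern described above.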

  • What does the 'Process Environment Block' (PEB) do in malware analysis?

    -The Process Environment Block (PEB) is a per-process structure in user-mode memory that holds information about the running process, including the loader's list of every DLL mapped into it, with each module's name and base address. Malware walks that list to find modules it needs (typically kernel32.dll or ntdll.dll) and then resolves the functions it wants from their export tables by hand. Doing so avoids an import table that would list the APIs it uses, which is exactly what static analysis and signatures look for.

  • Why did the malware authors choose to hash DLL names instead of using regular string signatures?

    -Hashing means the names never appear in the binary. Instead of comparing a module's name against the string "kernel32.dll", the code hashes each name it finds in the PEB list with a custom function and compares the result to a precomputed constant. Signature-based engines and string-based triage (such as running `strings` over the file) find no tell-tale DLL or API names, and an analyst has to work out the hash function and recompute it over candidate names to learn what each constant stands for.
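The PEB walk and the hashed comparison from the two answers above, as one added example that is not code from the video or the malware. The structs are trimmed stand-ins for the Windows PEB / PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY layouts, and the loader list is built by hand with fake module names and fake base addresses so the walk runs on any platform; on x64 Windows the real PEB comes from the TEB (`__readgsqword(0x60)` in MSVC). The hash is the well-known ROR-13 scheme, used only as an illustration: the sample's own custom hash function is not known from the page. The block also shows the analyst-side inverse, recomputing the hash over candidate names to label a constant pulled out of a disassembler.

```c
/* Added example (not code from the video or the malware): resolving a module
 * by walking a (constructed) PEB loader list and comparing hashed names.
 * Struct layouts are simplified; ROR-13 stands in for the sample's custom hash. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } UNICODE_STRING;

typedef struct {
    LIST_ENTRY InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    void *DllBase, *EntryPoint;
    uint32_t SizeOfImage;
    UNICODE_STRING FullDllName, BaseDllName;
} LDR_DATA_TABLE_ENTRY;

typedef struct {
    uint32_t Length; uint8_t Initialized; void *SsHandle;
    LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
} PEB_LDR_DATA;

typedef struct { void *reserved[3]; PEB_LDR_DATA *Ldr; } PEB;   /* Ldr sits at 0x18 on x64 */

/* ROR-13 hash step; names are folded to upper case because the loader keeps
 * each module's on-disk casing ("KERNEL32.DLL" vs "kernel32.dll"). */
static uint32_t ror13_step(uint32_t h, uint32_t c) {
    if (c >= 'a' && c <= 'z') c -= 0x20;
    return ((h >> 13) | (h << 19)) + c;
}

uint32_t hash_utf16(const uint16_t *s, size_t nchars) {
    uint32_t h = 0;
    for (size_t i = 0; i < nchars; i++) h = ror13_step(h, s[i]);
    return h;
}

/* Same hash over ASCII: the constant an author bakes in, and what an analyst recomputes. */
uint32_t hash_ascii(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) h = ror13_step(h, (uint8_t)*s);
    return h;
}

/* Malware-side primitive: walk InMemoryOrderModuleList, hash each BaseDllName,
 * return the base of the module whose hash matches. No name string is needed. */
void *find_module_by_hash(const PEB *peb, uint32_t want) {
    const LIST_ENTRY *head = &peb->Ldr->InMemoryOrderModuleList;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        const LDR_DATA_TABLE_ENTRY *m = (const LDR_DATA_TABLE_ENTRY *)
            ((const uint8_t *)e - offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
        if (hash_utf16(m->BaseDllName.Buffer, m->BaseDllName.Length / 2) == want)
            return m->DllBase;
    }
    return NULL;
}

/* Analyst-side inverse: which candidate name produces a given constant? */
const char *name_for_hash(uint32_t h, const char *const *cands, size_t n) {
    for (size_t i = 0; i < n; i++) if (hash_ascii(cands[i]) == h) return cands[i];
    return NULL;
}

/* Constructed loader list: three fake modules with fake base addresses. */
static LDR_DATA_TABLE_ENTRY g_mods[3];
static uint16_t g_names[3][32];
static PEB_LDR_DATA g_ldr;
static PEB g_peb;

const PEB *model_peb(void) {
    const char *names[3] = { "game.exe", "ntdll.dll", "KERNEL32.DLL" };
    void *const bases[3] = { (void *)0x1000, (void *)0x2000, (void *)0x3000 };
    LIST_ENTRY *head = &g_ldr.InMemoryOrderModuleList;
    for (int i = 0; i < 3; i++) {
        size_t len = strlen(names[i]);
        for (size_t j = 0; j < len; j++) g_names[i][j] = (uint8_t)names[i][j];  /* ASCII -> UTF-16 */
        g_mods[i].BaseDllName.Buffer = g_names[i];
        g_mods[i].BaseDllName.Length = g_mods[i].BaseDllName.MaximumLength = (uint16_t)(len * 2);
        g_mods[i].DllBase = bases[i];
        g_mods[i].InMemoryOrderLinks.Flink = (i < 2) ? &g_mods[i + 1].InMemoryOrderLinks : head;
        g_mods[i].InMemoryOrderLinks.Blink = (i > 0) ? &g_mods[i - 1].InMemoryOrderLinks : head;
    }
    head->Flink = &g_mods[0].InMemoryOrderLinks;
    head->Blink = &g_mods[2].InMemoryOrderLinks;
    g_peb.Ldr = &g_ldr;
    return &g_peb;
}

int main(void) {
    const PEB *peb = model_peb();
    uint32_t want = hash_ascii("kernel32.dll");   /* only this constant ships in the binary */
    void *base = find_module_by_hash(peb, want);
    const char *const cands[] = { "ntdll.dll", "kernel32.dll", "user32.dll" };
    printf("hash 0x%08x -> base %p, resolves to %s\n", want, base, name_for_hash(want, cands, 3));
    return base ? 0 : 1;
}
```

The point to take from `find_module_by_hash` is what is absent: no import of `GetModuleHandle`, no `"kernel32.dll"` literal, only a 32-bit constant and a loop. That is why the Reddit analysts had to recover the hash function from the disassembly before they could say which DLLs the code was looking for; `name_for_hash` is the brute-force step that follows once the function is known. Case folding matters in practice, since the loader list holds names as they appear on disk and an author who forgot it would miss "KERNEL32.DLL".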

  • What is the 'Fast Math DLL' and what role did it play in this attack?

    -fastmath.dll was the malicious DLL bundled with the compromised 'Traffic' mod. It was the first stage: once loaded it decoded and launched the second-stage payload, which carried out the actual theft, including cryptocurrency wallet information.

  • How did the community contribute to the discovery of the malware?

    -The community, especially members of the r/CitySkylines, r/Antivirus, and r/Exodus Reddit forums, worked together to analyze the malware. They identified key functions used by the malware and shared their findings, which led to the discovery of how it evaded antivirus detection.

  • What is the primary function of a DLL file in video game mods?

    -A DLL (Dynamic Link Library) file is a type of file that contains code that can be loaded and executed by a program, in this case, a video game. In mods, DLL files are often used to modify the game's behavior without altering the core game code.

  • What should players do to protect themselves when downloading mods?

    -Players should be cautious and only download mods from trusted sources. It is important to understand that mods are just code and could potentially contain malware. If in doubt, it’s safer to avoid mods or limit trust to official sources or reputable modding communities.

Related tags

Game Mods, Malware Attack, Cybersecurity, Cities: Skylines, Traffic Mod, Video Games, Modding Risks, Antivirus Evasion, Malicious Code, Gaming Community, Cyber Threats