On Wednesday, researchers from Cisco Talos said the gaming tools are being used to deploy a cryptor -- code designed to prevent reverse-engineering or analysis -- for a variety of malware strains, the majority of which appear to be Remote Access Trojans (RATs).
The attack wave is focused on compromising the systems of gamers and modders. The initial attack vector begins with malvertising -- adverts that lead to malicious websites or downloads -- as well as YouTube how-to videos focused on game modding that link to malicious content.
There is already a vibrant marketplace for cheats and mods. Online gaming is now an industry worth millions of dollars -- only propelled further with the emergence of competitive e-sports -- and so some gamers will go so far as to purchase cheats to give them an edge.
Developers have upped their game, too, and will often upload their creations to VirusTotal to see if files are flagged as suspicious or malicious.
The risk in downloading system-modifying files is nothing new and the latest campaign only carries on the trend.
Cheats, cheat engines, and mods have been found that contain cryptors able to hide RAT code and backdoors through multiple layers of obfuscation. Once a malicious mod or cheat has been downloaded and installed on a target machine, a dropper injects code into a new process to circumvent basic antivirus tools and detection algorithms.
The malware is then able to execute. Samples tracked so far include the deployment of XtremeRAT, an information stealer that has been associated with spam campaigns and the deployment of Zeus variants.
Cisco Talos notes that the cryptor uses Visual Basic 6, shellcode, and process injection techniques to make analysis difficult.
"As workers continue to operate remotely during the COVID-19 pandemic and mix work with their private computer usage, enterprises are even more likely to be attacked by compromised personal PC equipment belonging to their employees," the researchers say. "Employees will sometimes download modding tools or cheat engines from questionable sources to tweak their PC or games running on the same machine they use for their job."