Hackers have created a fake ‘Cthulhu World’ game-to-win community, including websites, Discord groups, social accounts, and a midsize developer site, to distribute Raccoon Stealer password-stealing malware infections, AsyncRAT and RedLine on unsuspecting victims.
As play-to-win games grow in popularity, scammers and threat actors are increasingly targeting these new platforms for malicious activity.
Such is the case with a new malware distribution campaign uncovered by cybersecurity researcher iamdeadlyz, where threat actors created an entire project to promote a fake game called Cthulhu World.
To promote the “project,” threat actors are direct messaging users on Twitter asking if they’d like to test their new game. In exchange for testing and promoting the game, iamdeadlyz says that threat actors promise a reward in Ethereum.
Source: iamdeadlyz
Visiting the now-defunct cthulhu-world.com site, users are greeted with a well-designed website containing information about the project and an interactive map of the game’s environments.
However, this site appears to be a clone of the legitimate Alchemical World Projectwhich has been warn users stay away from fake project.
The Cthulhu World website also has a big difference; when a user clicks the arrow in the top right corner of the site, the visitor will be taken to a web page that will ask for a code to download the “alpha” test of the project.
Threat actors share these codes with potential victims as part of their DM conversations on Twitter. A list of the access codes is also found in the source code of the site, as shown below.
Source: BleepingComputer
Depending on the code entered, one of three files will be downloaded from DropBox.
Source: BleepingComputer
Each of the three files installs different malware, likely allowing threat actors to choose how they want to attack a particular user. The three malware identified by AnyRun installations are AsyncRAT, RedLine Stealer, and Raccoon Stealer.
6/
IOC#RaccoonStealer
436d6f0beaa8cc02b1a3227bcb7d5373
C&C: 213.252.244[.]230:80https://t.co/mT3DKguO92#AsyncRAT
0ae0184bc3d03a4981ec2baab0649434
C&C: 193.124.22[.]17:4449https://t.co/83h8q6ACLE#RedLineThiefhttps://t.co/ElWxX9Xavf
C&C: 77.73.134[.]5:30812— iamdeadlyz.pcc.eth | YGG (@Iamdeadlyz) August 25, 2022
The Cthulhu World website is currently down, but their Discord remains active. It’s unclear who on this Discord knows the site is distributing malware, but some users clearly believe it’s a legitimate project.
As RedLine Stealer and Raccoon Stealer are known to steal cryptocurrency wallets, it is not surprising to discover that some victims have already cleaned out their wallets with this scam.
If you visited Cthulhu-world.com and downloaded any of their programs, you should immediately run an antivirus scan on your computer and remove anything detected.
Also, as these malware infections steal your saved passwords, cookies and crypto wallets, you need to reset all passwords and create new wallets to import your cryptocurrency.
Ultimately though, the smartest course of action is to reinstall your computer from scratch, as these malware infections give full access to an infected computer and other undetected malware can still be installed.
