
New Node.js trojan threatens gamers

June 19, 2019

Researchers at Doctor Web’s virus laboratory have studied a new type of downloader trojan. The malware is written in JavaScript and uses Node.js to launch itself within a system. It is distributed through websites with cheats for popular video games and has been named Trojan.MonsterInstall.

Yandex has submitted a rare sample of the Node.js trojan for research to Doctor Web’s virus laboratory. This malware was distributed via websites with video game cheats and has several versions and components.

When users attempt to download a cheat, they download a password-protected 7zip archive to their computers. Inside is an executable file which, upon launch, downloads the requested cheats alongside the trojan’s other components.

Upon launching on the victim's device, Trojan.MonsterInstall downloads and installs all the components necessary for its work, gathers information about the system it is installed on, and sends it to the developer’s server. After receiving a response, it adds itself to autorun and starts mining the TurtleCoin cryptocurrency.

Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month.

Websites owned by the malware developers:

  • румайнкрафт[.]рф;
  • clearcheats[.]ru;
  • mmotalks[.]com;
  • minecraft-chiter[.]ru;
  • torrent-igri[.]com;
  • worldcodes[.]ru;
  • cheatfiles[.]ru.

Moreover, some cheats from the proplaying[.]ru website turned out to be infected as well.
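For defenders who want to check proxy or DNS logs against the developer-owned sites listed above, the following added example (not part of the original article and not Doctor Web's code) refangs the list, converts the Cyrillic name to its punycode form as it appears in logs, and matches subdomains without matching look-alike prefixes. The log format and sample lines are constructed assumptions.

```python
# Added example: match log hostnames against the developer-owned sites listed above.
DEFANGED = [
    "румайнкрафт[.]рф", "clearcheats[.]ru", "mmotalks[.]com",
    "minecraft-chiter[.]ru", "torrent-igri[.]com", "worldcodes[.]ru",
    "cheatfiles[.]ru",
]

def normalize(host):
    """Refang, lowercase, drop a trailing dot, convert IDN labels to punycode."""
    host = host.replace("[.]", ".").strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # unparseable names are left as-is and will not match

BLOCKLIST = {normalize(d) for d in DEFANGED}

def matched_domain(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = normalize(host).split(".")
    # Compare on label boundaries so "notclearcheats.ru" does not match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None

def scan(log_lines):
    """Yield (line, domain) for hits. Assumed format: '<timestamp> <client> <host>'."""
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        hit = matched_domain(parts[2])
        if hit:
            yield line, hit

IDN = normalize("румайнкрафт[.]рф")  # punycode form seen in DNS and proxy logs
SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2019-06-19T10:00:01Z 10.0.0.5 www.clearcheats.ru",
    f"2019-06-19T10:00:02Z 10.0.0.6 {IDN}",
    "2019-06-19T10:00:03Z 10.0.0.7 notclearcheats.ru",
    "2019-06-19T10:00:04Z 10.0.0.8 CheatFiles.RU.",
    "2019-06-19T10:00:05Z 10.0.0.9 example.org",
]

if __name__ == "__main__":
    for line, domain in scan(SAMPLE_LOG):
        print(f"{domain}: {line}")
```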

Doctor Web’s experts recommend that users keep their anti-virus up to date and avoid downloading suspicious software.

We would also like to thank specialists from Yandex for providing the sample and additional information about the trojan’s points of distribution.
