Cracked Games Hide Dangerous RenEngine Malware Infecting Over 400,000 Windows PCs Worldwide

Tappy Admin
February 9, 2026

Cybersecurity researchers have detected signs of infection showing that the Windows-based RenEngine loader malware has infected about 30,000 individuals in the US alone.

A new type of Windows-based malware is being transmitted through pirated copies of various video games, potentially affecting over 400,000 computers.

Researchers at cybersecurity firm Cyderes are raising awareness about the potential issue, which so far has been spreading through cracked versions of video games such as Far Cry, Need for Speed, FIFA, and Assassin's Creed.

The malware is called “RenEngine loader” because some of its code is embedded in the legitimate code of a genuine Ren'Py launcher, which is used to play games of the visual novel genre. “While these cracked games appear to be fully functional, they remain stealthy agents serving up the malware with the playable content.”

The malware has been around since at least last April, and it is still active. The researchers also found evidence of the threat's reach, which already stands at over 400,000 victims worldwide, because the malware was updated last October to include telemetry tracking. “The telemetry URL is embedded in the malware and can be reached whenever the malicious RenEngine loader executes.”

According to the company's report, the telemetry tracker generally records 4,000 to 10,000 visitors a day, with most victims observed in India, the US, and Brazil.

RenEngine Loader top 10 countries of users reached

| Country | Users |
|---|---|
| India | 38,016 |
| United States | 31,317 |
| Brazil | 25,220 |
| Russia | 22,366 |
| Egypt | 19,500 |
| Turkey | 18,835 |
| Spain | 18,109 |
| Indonesia | 15,790 |
| Pakistan | 15,426 |
| France | 14,100 |

Cyderes points to one site, “dodi-repacks[.]site,” for hosting the malware-laden game downloads. The domain has been previously flagged in other malware campaigns.

The attack also leverages the Ren’Py launcher to archive the pirated game files. Executing the launcher decompresses the game files while secretly kicking off the malware’s installation. Cyderes spotted the RenEngine loader ultimately trying to deliver a Windows-based information stealer called ARC to harvest sensitive data from victim PCs, including “saved browser passwords, cookies, cryptocurrency wallets, and autofill information, along with system details and clipboard contents.”

“In other similar scenarios, we also observed different payloads like Rhadamanthys Stealer, Async RAT, and XWorm delivered via RenEngine Loader,” which can also be used to steal passwords or let the hacker hijack the PC from anywhere, warned Cyderes.

According to VirusTotal, Google's malware-checking site, antivirus engines other than Avast, AVG, and Cynet currently do not appear to detect the first stage of the malware. For users affected by this malware, a nuclear option would be to use Windows' System Restore or reinstall Windows.