Info-stealing malware targets Fortnite gamers' Bitcoin wallets and personal data

News by Rene Millman

Malware concealed as "cheat tools" for popular video game - experts warn of knock-on dangers to corporate networks.

Security researchers have discovered malware that steals the Bitcoin wallets and personal data of players of the wildly popular video game Fortnite, while experts warn of the collateral damage this could have on corporate networks.

Researchers at Malwarebytes discovered this particular strain of malware after trawling through YouTube videos offering "free" Android versions of Fortnite. A number of the videos discovered promoted "free passes" and cheats, and have been watched hundreds of thousands of times. Scammers add links in the descriptions of the YouTube videos that lead to sites offering the cheats.

Players often look to bypass the game's paywall, and search the web for content on how to hack Fortnite to get past it.

The videos direct viewers to click on a link to a survey that must be completed to unlock the cheat. The video prompted potential victims to go to a page called "Sub2Unlock", which asked users to subscribe to a page, and ultimately took them to another website, "bt-fortnite-cheats(dot)tk".

However, instead of giving away a free version of the game or in-game currency, the survey leads to malware being installed on the target computer. Malwarebytes detects this file as Trojan.Malpack, a generic detection given to files that are packed suspiciously.

Malwarebytes researcher Chris Boyd said that once the initial executable runs, it performs some basic enumeration of details specific to the infected computer. It then attempts to send the data via an HTTP POST request to an /index.php endpoint on a server in Russia.

"Some of the most notable things it takes an interest in are browser session information, cookies, Bitcoin wallets and also Steam sessions," he said.

Boyd added that many of the files contained in this download are packed in entirely different ways. One of them runs a process called "Stealer.exe".

"Many more post the stolen information to /gate.php instead of index.php, which is a common sign of Zbot and a few others," he said.
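The two check-in paths Boyd mentions, /index.php and /gate.php, are the kind of weak signal a SOC can hunt for in web-proxy logs. The script below is an added example written for this page, not Malwarebytes' or the malware's code: it assumes a simplified proxy log format (timestamp, client IP, method, URL, status, bytes, quoted User-Agent) and a constructed set of log lines, and flags POSTs to either path when the host is a raw IP address or sits under a free-registration TLD such as .tk, the TLD used by the cheat site in the article. A POST to /index.php on a normal website is routine, so the host condition is what keeps the rule from drowning in noise.

```python
"""Hunt a web-proxy log for the stealer check-in pattern described in the article:
HTTP POSTs to /index.php or /gate.php on a host that is an IP literal or lives
under a free-registration TLD. Added example; the log format is an assumed,
simplified one and every log line below is constructed, not captured traffic."""
import ipaddress
from urllib.parse import urlsplit

# Paths the article names as stealer / Zbot-style check-in endpoints.
SUSPICIOUS_PATHS = {"/index.php", "/gate.php"}
# Free-registration TLDs often used for throwaway infrastructure (assumption; extend to taste).
CHEAP_TLDS = {"tk", "ml", "ga", "cf", "gq"}

# Constructed sample log: 203.0.113.10 is a documentation-range IP, cheat-pass.tk a made-up host.
SAMPLE_LOG = """\
1534800000.123 10.0.0.5 POST http://203.0.113.10/index.php 200 612 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
1534800001.456 10.0.0.7 GET http://example.com/index.php 200 5120 "Mozilla/5.0 (Windows NT 10.0) Chrome/68.0"
1534800002.789 10.0.0.5 POST http://cheat-pass.tk/gate.php 200 940 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
1534800003.000 10.0.0.9 POST http://shop.example.net/index.php 302 88 "Mozilla/5.0 (Windows NT 10.0) Chrome/68.0"
1534800004.250 10.0.0.5 POST http://203.0.113.10/login.php 200 301 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
"""


def parse_line(line):
    """Split one log line into a record; the quoted UA is kept whole by maxsplit=6."""
    ts, src, method, url, status, nbytes, ua = line.split(None, 6)
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes": int(nbytes), "ua": ua.strip('"')}


def host_is_suspect(host):
    """True for a raw IP literal (no DNS name at all) or a host under a cheap TLD."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return host.rsplit(".", 1)[-1].lower() in CHEAP_TLDS


def is_suspicious_post(rec):
    """Match: POST, path is a known check-in path, and the host looks like throwaway C2."""
    if rec["method"] != "POST":
        return False
    parts = urlsplit(rec["url"])
    if parts.path not in SUSPICIOUS_PATHS:
        return False
    return host_is_suspect(parts.hostname or "")


def find_suspicious_posts(lines):
    """Return the parsed records that match the rule, in log order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if is_suspicious_post(rec):
            hits.append(rec)
    return hits


def hosts_by_client(hits):
    """Group matched check-in hosts per internal client, the pivot an analyst wants next."""
    grouped = {}
    for rec in hits:
        host = urlsplit(rec["url"]).hostname
        grouped.setdefault(rec["src"], set()).add(host)
    return grouped


if __name__ == "__main__":
    matches = find_suspicious_posts(SAMPLE_LOG.splitlines())
    for src, hosts in hosts_by_client(matches).items():
        print(f"{src}: suspicious check-ins to {sorted(hosts)}")
```

On the constructed sample this flags only the client 10.0.0.5, which POSTs to both a raw-IP /index.php and a .tk /gate.php; the GET, the POST to a normal .net shop and the POST to /login.php are left alone. Treat a hit as a pivot, not a verdict: confirm it with endpoint telemetry showing which process (for example the "Stealer.exe" Boyd mentions) made the connection.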

"While this particular file probably isn’t that new, it’s still going to do a fair bit of damage to anyone that runs it. Combining it with the current fever for new Fortnite content is a recipe for stolen data and a lot of cleanup required afterward," Boyd said.

There is also a readme file accompanying the stealer which advertises being able to purchase additional Fortnite cheats for "$80 Bitcoin."

"Given how things up above panned out, we’d advise anyone tempted to cheat to steer well clear of this one. Winning is great, but it’s absolutely not worth risking a huge slice of personal information to get the job done," said Boyd.

Terry Ray, CTO at Imperva, told SC Media UK that malware most easily targets an organisation's internal users: employees, contractors, business partners and so on. These users access websites and email from work, or go home and access systems or email that infect their machines.

"Organisations should always be vigilant to the threat from infected hosts as these compromised systems, once inside the corporate network, often have significant access to corporate resources as a trusted user. This particular malware doesn’t appear, based on the information in the article, to present a direct threat to organisational systems. However, variants of malware appear frequently which could quickly alter the attack strategy, or the information being stolen," he said.

Lawrence Pingree, executive vice president of product management at SonicWall, told SC that as Fortnite continues to grow in popularity, it will become a greater vector for launching malware and ransomware, with malicious actors possibly even pivoting to kinetic ransomware-style attacks.

"With kinetic ransomware, victims are forced to complete an action to regain access to their encrypted devices, rather than pay a ransom in bitcoin. We saw this in April with the PUBG ransomware, which forced victims to play a game called PlayerUnknown’s Battleground for one hour to decrypt the device. While this instance was benign, the potential implications are far reaching and quite dark – just imagine kinetic ransomware expanding beyond individual users to companies or even government compelling people to act or pay a ransom," he said.
