This New Computer Virus Is Disguising Itself As A Popular Video Game
Video games as a service is a popular model among game publishers. Why sell a game with a beginning, middle, and end when you can just keep producing content for the same game and keep audiences (and their wallets) hooked? It's one of the reasons old-school gaming consoles are making a comeback. But what if hackers tried the same tactic and, as a bonus, threw in a free Minecraft "skin" for their customers?
Recently, McAfee announced that it uncovered a new malware attack campaign dubbed "WeedHack." This virus, which first hit the internet in January this year, is no ordinary piece of malware but a "Malware-as-a-service" program that users can buy to infect potential victims. The virus itself acts like a standard remote access infostealer: Once a computer is infected, WeedHack can manipulate a target's screen and access their webcam and data, but things get truly sinister when you dive into how it spreads.
According to McAfee, WeedHack users generally lure victims with the promise of unofficial "Minecraft" mods and clients — the kind you find on file hosting sites. Many use videos of these mods and clients as bait, with download links as the hook, and anyone who downloads files from the provided sources becomes infected. Another popular method is "SEO poisoning," where WeedHack users host their own websites, claim they are the only legitimate source for their "client" or "mod," and spread the word on sites such as Discord and Reddit.
How the virus works
Since "Minecraft" remains popular to this day, many malicious actors like to disguise their viruses as the game. Recently, a cybersecurity group found over 200 fake apps designed to steal money from phone bills via an automated subscription engine, and some of the "apps" were disguised as "Minecraft." Meanwhile, WeedHack uses cryptocurrency to dig into victims' computers. No, seriously.
When a WeedHack payload is initially downloaded, it starts off as a JAR (short for Java Archive) file. This shouldn't tip off victims, since the official "Minecraft" client is written in Java. But once it runs, the malware relaunches as a new executable and decrypts a list of Ethereum server domains and Ethereum smart contract addresses. This first stage fetches the main WeedHack payload from those servers and installs it on the compromised computer. Once the second wave of malware is installed, it decompresses its files and starts installing and running its own scripts. One of WeedHack's nastier tricks is that during this phase, it adds itself to antivirus exclusion lists so it can continue unmolested. Microsoft claims you no longer need third-party antivirus suites, but according to McAfee's tests, Windows Defender couldn't stop WeedHack.
As WeedHack continues to worm its way into a victim's system, it will collect as much information as it can from the host's computer, including connected Wi-Fi networks, browser cookies, and Discord tokens. Finally, WeedHack sets up remote access features that give hackers the keys to your virtual kingdom (i.e., your computer). Once fully embedded, WeedHack managers can spy on you through your webcam, steal your crypto wallet credentials, and set up scheduled tasks to keep your computer infected.
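Two of the behaviours described above, adding the malware to the antivirus exclusion list and registering scheduled tasks to stay resident, leave traces an administrator can audit on a Windows host. The following script is an added example written for this article, not code from McAfee's report or from the WeedHack campaign itself. It assumes Windows Defender is the active antivirus (so the Get-MpPreference cmdlets are available), that it is run from an elevated PowerShell session, and that Defender's "configuration changed" event (Event ID 5007 in the Defender operational log) is being recorded; the regular expression for user-writable locations is a constructed heuristic, not a list from the report.

```powershell
# Added example: audit Defender exclusions and scheduled tasks for persistence traces.
# Not part of the original article. Assumes Windows Defender and an elevated session.

param(
    [int]$LookbackDays = 7   # window for recent Defender configuration-change events
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Constructed heuristic: locations a normal user can write to, where dropped
# payloads usually live. Legitimate exclusions rarely point here.
$userWritable = '(?i)\\Users\\|\\AppData\\|\\Temp\\|\\Downloads\\|\\ProgramData\\'

# 1. Exclusions currently configured on the host (paths, processes, extensions).
$prefs = Get-MpPreference
$exclusions = @()
$exclusions += $prefs.ExclusionPath      | ForEach-Object { [pscustomobject]@{ Kind = 'Path';      Value = $_ } }
$exclusions += $prefs.ExclusionProcess   | ForEach-Object { [pscustomobject]@{ Kind = 'Process';   Value = $_ } }
$exclusions += $prefs.ExclusionExtension | ForEach-Object { [pscustomobject]@{ Kind = 'Extension'; Value = $_ } }

$suspiciousExclusions = $exclusions | Where-Object { $_.Value -match $userWritable }

# 2. Defender configuration-change events that touched the Exclusions key.
#    These give a timestamp to pivot on when reconstructing the infection timeline.
$exclusionChanges = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Exclusions' }

# 3. Scheduled tasks whose action (or its arguments) runs out of a user-writable path.
$suspiciousTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    foreach ($action in $task.Actions) {
        if ($action.Execute -and (($action.Execute -match $userWritable) -or ($action.Arguments -match $userWritable))) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Execute   = $action.Execute
                Arguments = $action.Arguments
                LastRun   = $info.LastRunTime
            }
        }
    }
}

Write-Host "== Exclusions pointing at user-writable locations =="
$suspiciousExclusions | Format-Table -AutoSize

Write-Host "== Defender exclusion changes in the last $LookbackDays days =="
$exclusionChanges | Select-Object TimeCreated, Message | Format-List

Write-Host "== Scheduled tasks executing from user-writable locations =="
$suspiciousTasks | Format-Table -AutoSize
```

An empty result in all three sections is not proof of a clean host, since an infostealer that has already collected cookies and tokens may never have needed persistence; but a recent exclusion for a path under a user profile paired with a scheduled task launching from the same directory is exactly the combination the article describes, and the 5007 event timestamp tells you when to start looking in the download history.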
WeedHack is as much a virus as it is a community
While McAfee is confident a single "threat actor" is behind the malicious code that makes up the WeedHack malware, the virus is particularly insidious because it isn't just a virus that infects users. WeedHack is also a veritable training program for would-be hackers.
According to McAfee's findings, WeedHack is sold in two tiers. The first (free) tier includes WeedHack and its core infostealer capabilities, but users can pay for subscriptions (starting at $5 per month) that add features such as webcam access and keyloggers. Yes, a hacker actually took a page out of the freemium MMO playbook, but it gets worse.
According to McAfee's findings, an entire community has sprung up around WeedHack. The original coder provides tutorials on topics such as using WeedHack, selecting targets, and optimizing attacks. Moreover, the original threat actor treats their customers as one would friends on a Discord server. The WeedHack community has a dedicated website, complete with a suggestion box where subscribers can request features, a leaderboard that encourages subscribers to rack up as many victims as possible, and a "Build" section where subscribers can craft custom WeedHack payloads and bundle them into legitimate Minecraft mods. McAfee believes WeedHack owes its effectiveness and lethality to this emphasis on community, as it lowers the barrier to entry by teaching newcomers the ropes. That, and WeedHack uses "Minecraft" as a vector because the game's main audience consists of children who don't fully understand how to stay safe online.