Security researchers have uncovered a new evasive cryptominer dubbed "WaterMiner" hidden in modified video games, including a Grand Theft Auto (GTA) mod, available for download on a Russian-speaking forum. Researchers at Minerva Labs said the malware is an altered version of a legitimate open-source miner called XMRig.
The evasive Monero mining malware is embedded within gaming mods, including one that claimed to "enhance" GTA, and is designed to hijack a victim's CPU and abuse the computer's processing power to covertly mine digital currencies. It is also designed to evade any endpoint monitoring tools and does not show up when a person opens Windows Task Manager or other similar apps to examine which programs are slowing down their machines.
"If the miner detects any of the above apps, the mining operation would halt, making it less likely that the victim will detect the presence of the malicious program," researchers said.
Minerva said the threat actor behind the WaterMiner campaign goes by the alias "Martin 0pc0d3r" and has "some history in developing other forms of questionable or malicious software, such as auto-aiming bots and mods for computer games".
"It seems that lately he realised it's possible to earn money from his popular mods by infecting his 'clients' with multiple types of malware, including cryptominers," researchers added.
The malicious GTA mod was distributed under the name "Arbuz", which means "watermelon" in Russian, and was designed to exploit the heavy interest and demand for modified GTA games in the country.
"The mod, bundled with the miner's downloader, was hosted at Yandex.Disk, the Russian equivalent of Google Drive or Dropbox, as a RAR archive," researchers explained, noting that the file does offer the claimed mod functionality. However, the RAR file also includes dozens of other files, including one called "pawncc.exe", which is actually the bridgehead to download the cryptominer once the mod is executed.
Once executed, the file launches a series of commands that helps execute the WaterMiner malware and then verifies whether or not the machine has already been infected with the malicious software. If not, the miner creates an infection marker.
"While examining the downloader, Minerva found unique indicators, which helped trace the source code of an earlier version on Pastebin," researchers continued. "The author's comments within the source explicitly refer to the mining functionality and indicate that the attacker intentionally included the miner as part of the mod."
The WaterMiner malware, once activated, uses TCP port 45560 to communicate with a mining pool, which pools the infected machine's computational resources with those of many other miners and distributes the Monero rewards accordingly.
However, researchers noted that 0pc0d3r's "poor operational security" suggested that the threat actor is not an experienced cybercriminal. One of the malicious mods was offered up on the Russian social network VK by a person going by the name Anton. The individual's last name was redacted by Minerva.
When another user accused Anton of reselling someone else's work, Anton proudly admitted to being 0pc0d3r and the author of the malicious mods and cryptominer.
"There cannot be good without bad, and this applies to the rapidly growing industry of cryptocurrencies," Minerva researchers said. "This innovative field, mixing cutting-edge cryptography with abstract economic ideas like 'fungibility', is not immune to individuals abusing it to make quick money through illicit means.
"At the moment, cryptominers are not very sophisticated and blacklisting host and port combinations will successfully block most miners. However, we predict that mining malware will become increasingly sophisticated and will manoeuvre around firewall and IPS/IDS products."
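As an added example, not from Minerva's report or the article, the host/port blacklisting the researchers recommend can be applied retrospectively to firewall logs: the script below parses a constructed log format, flags connections to a blocklisted pool endpoint or to the miner's reported port 45560, and lists which internal hosts reached each pool endpoint. The log format, the pool IP addresses and the internal hosts are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the article). Port 45560 is the
# port the article reports WaterMiner using to reach its mining pool.
SAMPLE_LOG = """\
2017-10-12T09:01:03Z ALLOW TCP 10.0.0.15:51022 -> 93.184.216.34:443
2017-10-12T09:01:09Z ALLOW TCP 10.0.0.15:51031 -> 198.51.100.7:45560
2017-10-12T09:02:41Z ALLOW TCP 10.0.0.22:49811 -> 198.51.100.7:45560
2017-10-12T09:03:02Z ALLOW TCP 10.0.0.22:49820 -> 203.0.113.9:45560
2017-10-12T09:03:55Z DENY  TCP 10.0.0.31:50100 -> 198.51.100.7:45560
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Blocklisted pool endpoints: the IP is a constructed placeholder, the port
# is the one attributed to WaterMiner. MINER_PORTS catches the same port on
# hosts not yet on the list (pool rotation), at the cost of more false positives.
POOL_BLOCKLIST = {("198.51.100.7", 45560)}
MINER_PORTS = {45560}

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_miner_connections(log_text):
    """Return (findings, hosts_by_endpoint): one finding per suspicious
    connection, and the sorted internal hosts seen per pool endpoint."""
    findings, hosts_by_endpoint = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        endpoint = (rec["dst"], rec["dport"])
        if endpoint in POOL_BLOCKLIST:
            reason = "blocklisted pool endpoint"
        elif rec["dport"] in MINER_PORTS:
            reason = "known miner port, unlisted host"
        else:
            continue  # ordinary traffic, e.g. HTTPS on 443
        findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                         "dport": rec["dport"], "action": rec["action"], "reason": reason})
        hosts_by_endpoint[endpoint].add(rec["src"])
    return findings, {ep: sorted(h) for ep, h in hosts_by_endpoint.items()}
```

A DENY entry still counts as a finding, since a blocked pool connection shows the host is infected even though the mining itself failed.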