A team of cybersecurity researchers at Dr. Web has disclosed that an attacker has been using malicious gaming servers to silently compromise computers of Counter-Strike gamers worldwide by exploiting zero-day vulnerabilities in the game client.
According to the researchers, Counter-Strike 1.6, a popular game that’s almost two decades old, contains multiple unpatched remote code execution (RCE) vulnerabilities in its client software that let attackers execute arbitrary code on a gamer’s computer as soon as the client connects to a malicious server, without requiring any further interaction from the gamer.
It turned out that a Russian gaming server developer, nicknamed ‘Belonard,’ has been exploiting these vulnerabilities in the wild to promote his business and create a botnet of compromised gamers’ systems by infecting them with a custom Trojan.
Dubbed Belonard after its developer, the Trojan has been designed to gain persistence, replace the list of available game servers in the vulnerable game client installed on the infected system, and create proxy servers to further spread the Trojan.
Besides this, the rogue developer is also distributing a modified or pirated version of the game client via his website that is already infected with the Belonard Trojan.
“As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computers become infected with Trojan.Belonard,” Dr. Web said in a report published Wednesday.
One of the 11 components of the Trojan acts as a protector of the malicious client that “filters requests, files, and commands received from other game servers and transfers data about attempted changes to the client to the Trojan developer’s server.”
Here’s the attack flow diagram demonstrating how Belonard works and infects gamers’ computers:
The malware also registers created proxy game servers with the Steam API and uses encryption to store data on the system and to communicate with its remote command-and-control server.
“According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan,” the researchers say. “This is 39% of all game servers. A network of this scale allowed the Trojan’s developer to promote other servers for money, adding them to lists of available servers in infected game clients.”
Additionally, Dr. Web researchers also reported the malicious domain names used by the malware developer to the Russian web registrar, which then suspended multiple domains in an attempt to take down the botnet.
Researchers have already reported the vulnerabilities to the Valve Corporation, developer of the Counter-Strike 1.6 game.
However, taking down a few domains would not stop the attacker from setting up more malicious servers unless the Counter-Strike developers patch the reported remote code execution vulnerabilities in their game client.