Hackers have created a fake ‘Cthulhu World’ play-to-earn community, complete with websites, Discord groups, social media accounts, and a Medium developer site, to distribute the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware to unsuspecting victims.
As play-to-earn games rise in popularity, scammers and threat actors increasingly target these new platforms for malicious activities.
Such is the case with a new malware distribution campaign discovered by cybersecurity researcher iamdeadlyz, in which threat actors built an entire project around a fake play-to-earn game called Cthulhu World.
To promote the “project”, the threat actors send direct messages to Twitter users asking whether they would like to test their new game. In return for testing and promoting the game, iamdeadlyz says, the threat actors promise a reward in Ethereum.
Source: iamdeadlyz
When visiting the cthulhu-world.com site, which is now offline, users were greeted with a well-designed website containing information about the project and an interactive map of the game’s environments.
However, this site appears to be a clone of the legitimate Alchemic World project, which has been warning users to stay away from the fake project.
The Cthulhu World website has one big difference, however: clicking the arrow in the upper right-hand corner of the site takes the visitor to a webpage that asks for a code to download the “alpha” test of the project.
The threat actors share these codes with prospective victims as part of their DM conversations on Twitter. The full list of access codes is also embedded in the site’s source code, as shown below, so the code prompt provides no real access control; anyone viewing the page source can read the codes.
Source: BleepingComputer
Depending on the code entered, one of three files is downloaded from Dropbox.
Source: BleepingComputer
Each of the three files installs a different piece of malware, likely allowing the threat actors to pick and choose how they target a particular user. The three malware families identified through AnyRun sandbox analysis are AsyncRAT, RedLine Stealer, and Raccoon Stealer.
6/
IOCs
#RaccoonStealer
436d6f0beaa8cc02b1a3227bcb7d5373
C&C: 213.252.244[.]230:80
https://t.co/mT3DKguO92
#AsyncRAT
0ae0184bc3d03a4981ec2baab0649434
C&C: 193.124.22[.]17:4449
https://t.co/83h8q6ACLE
#RedLineStealer
https://t.co/ElWxX9Xavf
C&C: 77.73.134[.]5:30812
— iamdeadlyz.pcc.eth | YGG (@Iamdeadlyz) August 25, 2022
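The indicators above are published defanged (with `[.]` in the IP addresses) and grouped by hashtag. The script below is an added example, not code from BleepingComputer or from iamdeadlyz: it parses that IOC list, refangs the C2 addresses, and checks them against a few constructed outbound-connection log lines and a constructed list of file MD5s. The `dst=IP:port` log format and every log line and hash in `SAMPLE_LOGS` and `SAMPLE_MD5S` are assumptions made up for the example; only the hashes and C2 addresses copied from the tweet are real. An exact IP:port match is reported as high confidence, an IP-only match as medium, since C2 ports are cheap for operators to change.

```python
import re
from typing import Dict, List

# IOCs copied from the iamdeadlyz thread quoted above, still defanged.
# RedLine has a C2 but no hash in the thread, so none is listed here.
PUBLISHED_IOCS = """
#RaccoonStealer
436d6f0beaa8cc02b1a3227bcb7d5373
C&C: 213.252.244[.]230:80
#AsyncRAT
0ae0184bc3d03a4981ec2baab0649434
C&C: 193.124.22[.]17:4449
#RedLineStealer
C&C: 77.73.134[.]5:30812
"""

# Constructed sample data (not real telemetry): a firewall-style log with
# dst=IP:port fields, and a list of MD5s from a hypothetical file inventory.
SAMPLE_LOGS = [
    "2022-08-25T12:01:03Z src=10.0.0.5:51234 dst=142.250.74.206:443 proto=tcp",
    "2022-08-25T12:01:09Z src=10.0.0.5:51240 dst=193.124.22.17:4449 proto=tcp",
    "2022-08-25T12:02:41Z src=10.0.0.7:49822 dst=77.73.134.5:30812 proto=tcp",
    "2022-08-25T12:03:10Z src=10.0.0.9:50001 dst=213.252.244.230:8080 proto=tcp",
]
SAMPLE_MD5S = ["436D6F0BEAA8CC02B1A3227BCB7D5373", "d41d8cd98f00b204e9800998ecf8427e"]

HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")              # MD5 as in the thread
C2_RE = re.compile(r"C&C:\s*([0-9\[\]\.]+):(\d+)")      # defanged ip:port
LOG_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")  # assumed log format


def refang(ioc: str) -> str:
    """Turn defanged '213.252.244[.]230' / 'hxxp' into a usable IP / scheme."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> Dict[str, Dict[str, set]]:
    """Parse the hashtag-delimited list into {family: {"md5": {...}, "c2": {...}}}."""
    out: Dict[str, Dict[str, set]] = {}
    family = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):                 # hashtag starts a new family block
            family = line[1:]
            out.setdefault(family, {"md5": set(), "c2": set()})
            continue
        if family is None:                       # stray line before any hashtag
            continue
        if HASH_RE.match(line):
            out[family]["md5"].add(line.lower())
            continue
        m = C2_RE.search(line)
        if m:
            out[family]["c2"].add(f"{refang(m.group(1))}:{m.group(2)}")
    return out


def scan_connections(log_lines: List[str], iocs: Dict[str, Dict[str, set]]) -> List[dict]:
    """Flag log lines whose destination matches a known C2 (ip:port = high, ip only = medium)."""
    exact = {c2: fam for fam, d in iocs.items() for c2 in d["c2"]}
    by_ip = {c2.split(":")[0]: fam for fam, d in iocs.items() for c2 in d["c2"]}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, port = m.group(1), m.group(2)
        key = f"{ip}:{port}"
        if key in exact:
            hits.append({"family": exact[key], "c2": key, "confidence": "high", "line": line})
        elif ip in by_ip:
            hits.append({"family": by_ip[ip], "c2": key, "confidence": "medium", "line": line})
    return hits


def scan_hashes(md5s: List[str], iocs: Dict[str, Dict[str, set]]) -> Dict[str, str]:
    """Return {md5: family} for every supplied hash that appears in the IOC list."""
    index = {h: fam for fam, d in iocs.items() for h in d["md5"]}
    return {h: index[h] for h in (x.lower() for x in md5s) if h in index}


if __name__ == "__main__":
    iocs = parse_iocs(PUBLISHED_IOCS)
    for hit in scan_connections(SAMPLE_LOGS, iocs):
        print(f"[{hit['confidence']}] {hit['family']} C2 {hit['c2']}: {hit['line']}")
    for h, fam in scan_hashes(SAMPLE_MD5S, iocs).items():
        print(f"[hash] {fam}: {h}")
```

Treat these indicators as time-bounded: the IPs were the C2 hosts at the time of the August 2022 report and may since have been reassigned, so a medium-confidence IP-only hit is a lead to investigate, not proof of infection on its own.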
The Cthulhu World website is currently down, but the project’s Discord server remains active. It is unclear how many people on this Discord know that the site is distributing malware, but some users clearly believe it is a legitimate project.
As RedLine Stealer and Raccoon Stealer are known to steal cryptocurrency wallets, it is not surprising to find that some victims have already had their wallets cleaned out by this scam.
If you have visited cthulhu-world.com and downloaded any of its software, you should immediately run an antivirus scan on your computer and remove anything detected.
Furthermore, as these malware families steal saved browser passwords, session cookies, and cryptocurrency wallet files, you should reset all passwords (ideally from a clean device, since the infected one may still be logging keystrokes), and move any remaining funds into newly created wallets. A wallet whose seed phrase or key file has been stolen stays compromised no matter what you do on the infected machine, so do not simply re-import the old one.
Ultimately, though, the wisest course of action is to wipe the machine and reinstall the operating system from scratch, as these malware families give the operators full remote access to an infected computer, and other, undetected malware may still be installed.