Video games as a service are a popular model among game publishers. Why sell a game with a beginning, middle, and end when you can just keep producing content for the same game and keep the audience (and their wallets) hooked? This is one of the reasons old-school gaming consoles are making a comeback. But what if hackers tried the same tactic and, as a bonus, offered a free Minecraft “skin” to their customers?
Recently, McAfee announced that it had discovered a new malware attack campaign dubbed “WeedHack”. This virus, which first appeared on the Internet in January this year, is not ordinary malware but a “Malware-as-a-Service” program that users can purchase to infect potential victims. The virus itself acts like a standard remote access information stealer: once a computer is infected, WeedHack can manipulate a target’s screen and access their webcam and data, but things get really sinister when you look at how it spreads.
According to McAfee, WeedHack users typically lure victims by promising unofficial “Minecraft” mods and clients, like those found on file-hosting sites. Many use videos showcasing these mods and clients as bait, with download links posted alongside them as a teaser; anyone who downloads files from the linked sources is infected. Another popular method is “SEO poisoning”, where WeedHack users host their own websites, pretend they are the only legitimate source of their “client” or “mod”, and spread the word on sites such as Discord and Reddit.
How the virus works
Since “Minecraft” remains popular to this day, many bad actors like to disguise their viruses as the game. Recently, a cybersecurity group discovered more than 200 fake apps designed to steal money through phone-bill charges via an automated subscription engine, and some of these “apps” were disguised as “Minecraft.” Meanwhile, WeedHack relies on cryptocurrency infrastructure to reach victims’ computers. No, seriously.
When a WeedHack payload is initially downloaded, it starts as a JAR file (short for Java Archive). This should not alert victims, since the official “Minecraft” client is written in Java. But once executed, the malware relaunches itself as a new executable and decrypts a list of Ethereum server domains and Ethereum smart contract addresses. These servers host the main WeedHack payload, which is then fetched and installed on the compromised computer. Once the second wave of malware is installed, it unpacks its files and begins installing and running its own scripts. One of WeedHack’s most malicious tricks is that during this phase it adds itself to antivirus exclusion lists so that it can continue unmolested. Microsoft says you no longer need third-party antivirus suites, but according to McAfee’s tests, Windows Defender was unable to stop WeedHack.
As WeedHack continues to infiltrate a victim’s system, it will collect as much information as possible about the host’s computer, including connected Wi-Fi networks, browser cookies, and Discord tokens. Finally, WeedHack implements remote access features that give hackers the keys to your virtual kingdom (i.e. your computer). Once fully integrated, WeedHack handlers can spy on you through your webcam, steal your crypto wallet credentials, and set up scheduled tasks to keep your computer infected.
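The two persistence tricks described above, adding itself to antivirus exclusion lists and creating scheduled tasks, both leave traces in Windows event logs. The following is an added example, not code from McAfee or from the original article; it assumes Defender configuration-change events (ID 5007) and Security scheduled-task-creation events (ID 4698) have been exported as dicts, and the sample events it scans are constructed.

```python
import re

# Constructed sample events (not real telemetry). Event 5007 is Defender's
# "configuration has changed" record; event 4698 is "a scheduled task was created".
SAMPLE_EVENTS = [
    {"provider": "Microsoft-Windows-Windows Defender", "id": 5007,
     "message": "Windows Defender Antivirus Configuration has changed.\nOld value: \n"
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                "C:\\Users\\alice\\AppData\\Roaming\\.minecraft = 0x0"},
    {"provider": "Microsoft-Windows-Security-Auditing", "id": 4698,
     "message": "A scheduled task has been created.\nTask Name: \\MinecraftUpdater\n"
                "Task Content: <Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\.minecraft"
                "\\client.jar</Command></Exec>"},
    {"provider": "Microsoft-Windows-Windows Defender", "id": 5007,
     "message": "Windows Defender Antivirus Configuration has changed.\nOld value: \n"
                "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\"
                "TamperProtection = 0x5"},
    {"provider": "Microsoft-Windows-Security-Auditing", "id": 4698,
     "message": "A scheduled task has been created.\nTask Name: \\Microsoft\\Windows\\"
                "Defrag\\ScheduledDefrag\nTask Content: <Exec><Command>%windir%\\system32"
                "\\defrag.exe</Command></Exec>"},
]

# Locations a non-admin user can write to; a task launching from here deserves a look.
USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\")
# Exclusion additions show up as a new value under the Exclusions registry subtree.
EXCLUSION_KEY = re.compile(r"(?i)Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=")
TASK_COMMAND = re.compile(r"<Command>(.*?)</Command>", re.S)


def scan_events(events):
    """Return (finding_type, detail) tuples for the two WeedHack-style behaviours."""
    findings = []
    for ev in events:
        msg = ev["message"]
        if ev["id"] == 5007:
            m = EXCLUSION_KEY.search(msg)
            if m:  # any new exclusion is worth reviewing; benign changes are rare
                findings.append(("defender_exclusion_added", m.group(2).strip()))
        elif ev["id"] == 4698:
            m = TASK_COMMAND.search(msg)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("scheduled_task_user_path", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_events(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

Both findings point at the same user-profile directory, which is the kind of correlation (an exclusion added for a path that a new scheduled task then launches from) that makes the pair far more suspicious than either event alone.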
WeedHack is as much a virus as it is a community
Although McAfee believes that a single “threat actor” is behind the malicious code that makes up WeedHack malware, the virus is particularly insidious because it is not just a virus that infects users. WeedHack is also a real training program for future hackers.
According to McAfee’s findings, the WeedHack virus is divided into two tiers. The first tier (free) includes WeedHack and its core information-stealing features, but users can pay for subscriptions (starting at $5 per month) that add features like webcam access and keyloggers. Yes, a hacker actually took a page from the freemium MMO playbook, but the situation is even worse.
According to McAfee’s findings, an entire community has formed around WeedHack. The original coder offers tutorials on topics like using WeedHack, target selection, and attack optimization. Additionally, the original threat actor treats its customers as if they were friends on a Discord server. The WeedHack community has a dedicated website, complete with a suggestion box where subscribers can request features, a leaderboard that encourages subscribers to rack up as many “kills” as possible, and a “Build” section where subscribers can create custom WeedHack payloads and infect legitimate Minecraft mods. McAfee believes that WeedHack owes its effectiveness and lethality to this focus on community, because it lowers the barrier to entry by teaching newcomers the ropes. That, and WeedHack uses “Minecraft” as a vehicle because its primary audience is kids who don’t really understand how to stay safe online.
