CounterStrike gamers looking for an advantage over their competition might be in for a surprise this Christmas, as there's a booby-trapped cheat tool going around that will overwrite their hard drive MBR (Master Boot Record) and prevent their computers from booting.

Discovered by a Twitter user who goes by the name of @YoureMom696 and analyzed by @MalwreHunterTeam, this malicious package is spread around as the source code of a CounterStrike: Global Offensive (CS:GO) hacking application named ExternalCounterstrike.

Below is the content of the ExternalCounterstrike archive [without the "fuck_mpgh.exe" file, which is downloaded at a later stage, more on this later].

ExternalCounterstrike archive content

"When you open the solution [.sln] file, it loads the .csproj file, which executes a PowerShell command, which downloads and runs the [fuck_mpgh].exe binary," MalwareHunter, a security researcher with the MalwareHunterTeam, told Bleeping Computer.

Cheating tool source code
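The infection path above relies on a project file that runs a command when the project is built, which Visual Studio does on its own once the solution is opened. A defensive check for that pattern, added here as an example (not code from the article or from the researchers who analyzed the sample): it parses a .csproj, lists every command-carrying step, and flags the ones that launch PowerShell or reference downloads or executables. It assumes MSBuild's Exec task and build-event elements as the carrier, since the article does not name the element used; the sample project is constructed.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild elements that run shell commands. A Target hooked with
# BeforeTargets/AfterTargets runs them as soon as the project is built.
# Assumption: the article does not name the element ExternalCounterstrike
# used, so every command-carrying element is inspected.
COMMAND_ELEMENTS = {"Exec", "PreBuildEvent", "PostBuildEvent"}
SUSPICIOUS = re.compile(r"powershell|pwsh|-enc|bypass|https?://|\.exe\b", re.I)

def _local(tag):
    """Strip the MSBuild namespace so old and SDK-style .csproj parse alike."""
    return tag.rsplit("}", 1)[-1]

def find_build_commands(csproj_xml):
    """Yield (element name, enclosing Target name, command) for each step."""
    root = ET.fromstring(csproj_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in COMMAND_ELEMENTS:
            continue
        # Exec carries its command in an attribute; build events as text
        command = elem.get("Command", "") if name == "Exec" else (elem.text or "")
        target, node = None, parents.get(elem)
        while node is not None and target is None:
            if _local(node.tag) == "Target":
                target = node.get("Name")
            node = parents.get(node)
        yield name, target, command.strip()

def flag_csproj(csproj_xml):
    """Return the build steps whose command matches SUSPICIOUS, as dicts."""
    return [
        {"element": name, "target": target, "command": command}
        for name, target, command in find_build_commands(csproj_xml)
        if SUSPICIOUS.search(command)
    ]

# Constructed sample: one target runs PowerShell before Build, one copies a file.
SAMPLE_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
  <Target Name="Stage2" BeforeTargets="Build">
    <Exec Command="powershell -NoProfile -ExecutionPolicy Bypass -File stage2.ps1" />
  </Target>
  <Target Name="Copy"><Exec Command="xcopy /y readme.txt $(OutDir)" /></Target>
</Project>
"""

if __name__ == "__main__":
    for hit in flag_csproj(SAMPLE_CSPROJ):
        print(f"[{hit['element']}] target={hit['target']}: {hit['command']}")
```

Running it over a downloaded project before opening the solution reports the Stage2 target only; the Copy target is listed by find_build_commands but not flagged.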

This EXE file rewrites the user's hard drive MBR (Master Boot Record) with a custom boot routine that only shows a piece of text, as portrayed below. The text reads:

Multiplayer Game Hacking
As you reboot, you find that something has overwritten your MBR!
It is a sad thing your adventures have ended here.
This is the result of the incompetent file analyzers from MPGH.
If you need cheats, use something else than MPGH.
Greetings from ULLR. <3

Boot screen message

The message references MPGH, which stands for "MultiPlayer Game Hacking & Cheats," a well-known forum for downloading gaming cheats.

Taking into account the message's anti-MPGH tone and the name of the second-stage EXE download (fuck_mpgh.exe), it's very likely that a malware author is trolling the MPGH forum and its users, infecting the ones looking for new CS:GO cheating tools with an MBR-hijacker.

Connection to the Fosshub incident?

The MBR boot message is eerily similar to another incident that took place over the summer, when a hacker from the Peggle Crew breached Fosshub and embedded malware inside the files hosted on the website.

The malware delivered via Fosshub also rewrote the MBR boot sector with a custom message, similar to the one found inside ExternalCounterstrike.

Boot screen message in the Fosshub incident [Source: Erik Slovak]
