Counter-Strike: Global Offensive (CS:GO) players looking to get a leg up on the competition by using the vHook cheating app for macOS were also infected with a cryptocurrency miner.
This is not the first time when a CS:GO cheating tool was used as a disguise for malware. Back in December 2016, another CS:GO cheat was used to deploy malware that rewrote a player's hard-drive MBR section, rendering his computer unable to boot.
This time around, security researchers from SentinelOne came across a cheating tool that when installed on macOS devices would also install a Monero miner detected under the name of OSX.Pwnet.A.
The tool is advertised via YouTube videos [1, 2, 3] and the vlone.cc website, and is named vHook. It is based on the original vHook (Barbossa) CS:GO cheating app developed a few years back but improved and adapted to work on macOS.
The macOS version was modified by a GitHub user by the name of fetusfinn. The OSX.Pwnet.A miner also includes various debugger symbols referencing a user name Finn, most likely the malware's author.
Users that registered on the vlone.cc website and downloaded the free or paid version of vHook were infected with OSX.Pwnet.A.
The infection process wasn't automatic and straightforward, as users needed to enter their root user password before installing the app. Taking into account that this was a cheat tool that users purposely sought and downloaded/paid, most users would have provided the root password without batting an eye.
SentinelOne security researcher Arnaud Abbati says the Monero miner uses the user's resources to mine funds for two email addresses registered with the MinerGate service.
In fact, OSX.Pwnet.A is a modified version of the minergate-cli package written in for the Qt framework. One of the email addresses Finn used to collect Monero funds was also found in another macOS malware sample.
This is not the first malware hidden in gaming-related files discovered this week. Yesterday, ESET security researcher Tomáš Gardoň found the Joao trojan hidden in illegal copies of Aeria games, spread via unofficial websites. The trojan has backdoor, spying, and DDoS capabilities.