By Pei Han Liao | May 07, 2024
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High
Many game makers allow users to alter a game's appearance or behavior to increase its enjoyment and replay value. Players can often also download packages created by others. However, this also gives attackers a chance to distribute their malware. This article examines a batch stealer distributed via a crafted Minecraft source pack.
The zEus stealer malware has been added to a source pack that was being shared on YouTube. The name, zEus, comes from a previous variant of this malware. That variant (d9d394cc2a743c0147f7c536cbb11d6ea070f2618a12e7cc0b15816307808b8a) is also distributed via a Minecraft source pack, but it is embedded in a WinRAR self-extracting file that mimics a Windows screensaver file. When run, it launches the stealer and opens the image used as its file icon, which is an image from the Internet with the string “zEus” added. The same name also appears in the profile of the Discord webhook that receives the stolen data.
Figure 1: The string on the icon of the inserted file
Figure 2: The author’s name of the webhook is zEus
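A triage check for the packaging described above, as an added example that is not from the original article: it flags a file named like a screensaver whose PE overlay (data appended after the last section) contains a RAR archive marker. The `.scr` extension, the function names and the constructed sample bytes are assumptions for illustration.

```python
import struct

RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x, RAR 5.x


def pe_overlay_offset(data: bytes) -> int:
    """Offset just past the last PE section's raw data, or -1 if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return -1
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    end = table + 40 * n_sections
    if end > len(data):
        return -1  # truncated or malformed section table
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def triage(name: str, data: bytes) -> dict:
    """Flag a screensaver-named PE whose overlay holds a RAR archive."""
    overlay = pe_overlay_offset(data)
    rar_at = -1
    if overlay != -1:
        hits = [data.find(m, overlay) for m in RAR_MAGICS]
        rar_at = min((h for h in hits if h != -1), default=-1)
    scr = name.lower().endswith(".scr")  # assumed screensaver extension
    return {"pe": overlay != -1, "scr": scr, "rar_offset": rar_at,
            "suspicious": scr and rar_at != -1}


def build_sample(overlay: bytes) -> bytes:
    """Constructed, non-executable PE skeleton: one 16-byte section + overlay."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = (b".text\x00\x00\x00" + struct.pack("<IIII", 16, 0x1000, 16, 0x80)
            + b"\x00" * 16)
    return dos + coff + sect + b"\x90" * 16 + overlay


if __name__ == "__main__":
    sfx = build_sample(b"Rar!\x1a\x07\x01\x00" + b"constructed payload")
    print(triage("texture_pack.scr", sfx))
    print(triage("texture_pack.scr", build_sample(b"")))
```

An ordinary self-extracting installer named `.exe` also reports a `rar_offset`; only the combination with a screensaver name is marked suspicious here.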
