Info-stealing Malware Found in GTA V

Grand Theft Auto fans have been warned off loading two game modifications (mods) which were found to contain hidden trojan malware designed to steal sensitive information from their machines.

The GTA V mods in question are Angry Planes – designed to divebomb the player with aggressive aircraft – and No Clip, which is said to give the user the ability to walk through walls and other objects.

A few days ago a worried user took to the GTA forum to reveal that although the mods worked as advertised, they also tried to covertly install the fade.exe file.

The file turned out to be malware, identified as Trojan.Agent.TRK by Malwarebytes, which attempts to connect to the internet and send out recorded keystrokes.

The concern is that the hackers behind this attack could steal passwords used for GTA which are reused by users on other, high-risk online accounts, such as e-commerce and banking.

The Grand Theft Auto forum has tips on how to remove the trojan, and warns that even if the file in question doesn’t exist now it may have already stolen the required credentials before deleting itself or being wiped by AV software.

“If your anti-virus removed or quarantined the virus, don’t assume that you weren’t affected. Still go through all the steps below and change passwords you believe are at risk,” noted the advice.

“If the files don’t exist and your anti-virus didn’t remove anything, but you still ran the mods, the virus could have still affected you and removed itself to cover its tracks. It’s unknown if this is really the case but why run with the risk? Go through all the steps again to make sure, and then change your passwords.”

Users were also urged to change their passwords if in any doubt, and if still worried, to format and reinstall Windows.

The fade.exe file itself is a .NET 4 assembly, as identified with Exeinfo PE, and is obfuscated using SmartAssembly, according to Malwarebytes analyst Joshua Cannell.

“Assembly loaders are becoming more popular, another was used not long ago in the xtube exploit malware that was identified as Cryptowall. With .NET being installed on almost every Windows computer nowadays, malware authors have a high chance of success using .NET to deliver malware,” he claimed in a blog post.

“Loading malware into game add-ons has been around for some time now. Because of this, gamers need to be cautious when installing mods onto their computers, especially those that haven’t gone through any sort of quality check.”
