Game cheat developer “double dips” and attacks paying customers


A popular cheat for the Escape From Tarkov military simulator was found attacking its own clients and spreading malware to steal gamers' financial data.

Gamers have long-standing relationships with various software cheats that help them progress through a game faster. However, installing any executable file on your machine always carries the risk that a game cheat will end up cheating you. Research by David El at CyberArk Labs has revealed that a popular game cheat sold online—EvolvedAim—was secretly running malware on gamers' machines. The cheat was developed for the Escape From Tarkov video game, set in the fictional Norvinsk region in northwestern Russia, where a war is taking place between two private military companies.

The tool offers an extensive set of features, including automated trading in the game's built-in auction house and automatic skill training through repetitive actions.

The cheat developer has run the operation like a small software company, implementing a tiered recurring revenue model and launching ad campaigns on various cheat-related forums.

[Image: EvolvedAim. Source: David El]

Swipes gamers' data

However, once purchased and executed, the malware hidden within the game cheat begins stealing sensitive user data. It collects passwords and cookie values from browsers, including:

  • Firefox
  • Opera
  • Chrome SxS
  • Tor
  • Opera GX
  • Amigo
  • Sputnik
  • Vivaldi
  • Torch
  • CentBrowser
  • Epic Privacy Browser
  • Yandex
  • Uran
  • Iridium

All files stored by the popular crypto wallet extension MetaMask are collected and uploaded. The same applies to sensitive files from Discord, a widely-used chat platform, and Steam, the leading online game store.

A list of files from the Documents and Downloads folders is gathered, and a screenshot of the victim’s PC is taken, giving the attacker a preview of the victim's computer.

All this collected information is temporarily stored in a folder and then compressed into a zip archive named after the victim's PC. The zip file is then uploaded to Mega.nz, a file hosting service used by the attacker to store and manage the data.
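The chain described above (one process reading several browsers' password and cookie stores, zipping the haul under the victim's computer name, then contacting Mega.nz) is the kind of behaviour a defender can correlate per process in endpoint telemetry. The following is an added example and not part of the report; the log format, file paths, process name and hostname are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed telemetry, one event per line: pid|image|event|target. The format,
# paths, process name and hostname are assumptions made for this example.
SAMPLE_HOSTNAME = "DESKTOP-GAMER01"
SAMPLE_LOG = """\
4120|C:\\Games\\EvolvedAim.exe|FILE_READ|C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json
4120|C:\\Games\\EvolvedAim.exe|FILE_READ|C:\\Users\\u\\AppData\\Roaming\\Opera Software\\Opera GX Stable\\Login Data
4120|C:\\Games\\EvolvedAim.exe|FILE_READ|C:\\Users\\u\\AppData\\Local\\Vivaldi\\User Data\\Default\\Cookies
4120|C:\\Games\\EvolvedAim.exe|FILE_CREATE|C:\\Users\\u\\AppData\\Local\\Temp\\DESKTOP-GAMER01.zip
4120|C:\\Games\\EvolvedAim.exe|DNS|mega.nz
5200|C:\\Program Files\\Mozilla Firefox\\firefox.exe|FILE_READ|C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json
"""

# Password/cookie store file names in Chromium- and Firefox-based browsers, and
# the file-hosting service the report names as the upload destination.
CRED_STORE_RE = re.compile(r"^(Login Data|Cookies|logins\.json|cookies\.sqlite)$", re.I)
STAGING_SERVICES = ("mega.nz", "mega.co.nz")

def parse(log):
    """Yield (pid, image, event, target) from the constructed log."""
    for line in log.splitlines():
        if line.strip():
            pid, image, event, target = line.split("|", 3)
            yield int(pid), image, event, target

def correlate(log, hostname, min_profiles=2):
    """Flag processes that read several browsers' stores and also stage or upload; a browser reading only its own store is not flagged."""
    profiles, zip_hit, net_hit, images = defaultdict(set), set(), set(), {}
    for pid, image, event, target in parse(log):
        images[pid] = image
        path = PureWindowsPath(target)
        if event == "FILE_READ" and CRED_STORE_RE.match(path.name):
            profiles[pid].add(str(path.parent).lower())  # one entry per profile dir
        elif event == "FILE_CREATE" and path.name.lower() == f"{hostname}.zip".lower():
            zip_hit.add(pid)
        elif event == "DNS" and target.lower().endswith(STAGING_SERVICES):
            net_hit.add(pid)
    findings = {}
    for pid, image in images.items():
        multi = len(profiles[pid]) >= min_profiles
        reasons = [text for hit, text in (
            (multi, f"read credential stores of {len(profiles[pid])} browser profiles"),
            (pid in zip_hit, "created an archive named after the host"),
            (pid in net_hit, "resolved a file-hosting service")) if hit]
        if multi and len(reasons) >= 2:  # multi-browser access plus staging or upload
            findings[pid] = {"image": image, "reasons": reasons}
    return findings
```

Run `correlate(SAMPLE_LOG, SAMPLE_HOSTNAME)` to see only the cheat process flagged, with all three reasons, while the browser reading its own store is ignored.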

Double dipping and attacking its clients


Following this discovery, EDP and several other forum owners issued public warnings to their users about EvolvedAim and banned Mythical from their platforms, the researcher said. EvolvedAim is no longer operational, and its Discord server has been shut down.

“With a speculated clientele of over one thousand users and the targeted population group being young adults, the damage and amount of information stolen are significant,” said David El. “This impact is not confined to the victim, as people may log into work-related accounts on their personal computers, thus opening their workplace to potential danger.”

“Malware in cheats and cracked software is not uncommon, but this is the first case we’ve stumbled upon where a paywalled cheat developer is double dipping on the profits by attacking his own clients,” he concludes.