Fortnite, the wildly popular video game that schools have complained about, is currently being used as a lure for malware disguised as cheat software. According to an October 2 post by Christopher Boyd, lead malware intelligence analyst at Malwarebytes Labs, thousands of users have inadvertently downloaded the malicious software.
Malware Disguised as Cheating Software
The malware has led to users' data being stolen, including information pertaining to cryptocurrency wallets. Malwarebytes found that it was being distributed through several YouTube videos offering "free season passes" and "free Android versions" of the game. Fortnite initially launched in July 2017; its developer, Epic Games, released a free-to-play game mode in September 2017.
Malwarebytes needed to go through a series of steps to find the malware, including subscribing to specific YouTube channels, visiting various other websites and completing surveys. Some of the videos mentioned had titles along the lines of “New Season 6 Fortnite Hack Cheat Free Download September 2018/WH/Aimbot/Undetectable,” “Fortnite Cheat,” and “Fortnite Hack Free Download.”
Notably, this isn't the first time Fortnite players have been targeted by malware. Security researchers at game-streaming platform Rainway reported a similar piece of malware on July 5, 2017. That scam promised Fortnite players an unlimited amount of in-game currency, as well as the ability to obtain items such as skins and dance moves for free.
The current campaign is not merely a sham: the malicious actors are actively stealing data and bitcoin from unsuspecting users. In one of the videos, Boyd said, the scammers redirected Fortnite players to a website called Sub2Unlock. That page connected the visitor to a YouTube channel, which they were then asked to subscribe to.
Once the user subscribes to the channel, they are redirected to the download portal. The page claims to offer Fortnite players a wide range of cheats, such as aimbots and wallhacks. However, the programs downloaded are not only entirely useless for their intended purpose but also carry embedded data-stealing malware. Once the executable is run, it performs a few actions before sending potentially sensitive data to servers in Russia.
Boyd also stated that the malware scans for Steam sessions, bitcoin wallets, and browser cookies, which are then exfiltrated to the attackers. One YouTube channel has attracted over 700 subscribers so far, and a new video received around 2,200 views within the first day of its release. Malwarebytes detects the malicious file as Trojan.Malpack. The company noted that the trojan is unusual in that it can deliver multiple malicious tools at once, with each payload designed to house a different data exfiltration capability.
However, the payloads' method of operation is similar: each gains a foothold on the victim's computer and harvests what it finds there, then uses a custom method of transferring the stolen data to the scammers' servers.
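The behaviour described above (a freshly downloaded "cheat" reading Steam session files, wallet files and browser cookie databases, then connecting outbound) is the kind of pattern a behavioural detection can catch without knowing the sample's hash. The following is an added example written for this page, not code from Malwarebytes or the original post: a toy hunt that runs over constructed EDR-style events. The event shape, file paths, process names and IP addresses are all invented assumptions; the only thing taken from the article is the set of artefact categories the malware collects.

```python
"""Added example (not from the Malwarebytes post): a toy behavioural hunt
for the infostealer pattern described in the article. Runs offline over
constructed events; paths, process names and IPs are invented."""
import re
from collections import defaultdict

# Artefact categories the article says the malware collects.
# The path patterns are assumptions about where such files usually live.
SENSITIVE = {
    "steam_session": re.compile(r"\\Steam\\(config|ssfn\d+|loginusers\.vdf)", re.I),
    "bitcoin_wallet": re.compile(r"\\(Bitcoin|Electrum|Exodus)\\.*wallet", re.I),
    "browser_cookies": re.compile(r"\\(User Data\\Default\\(Network\\)?Cookies|cookies\.sqlite)$", re.I),
}

# Constructed telemetry: (event_kind, pid, image, target).
# "file_read" targets a path; "net_connect" targets ip:port.
SAMPLE_EVENTS = [
    ("file_read", 4242, r"C:\Users\bob\Downloads\FortniteHack.exe",
     r"C:\Program Files (x86)\Steam\config\loginusers.vdf"),
    ("file_read", 4242, r"C:\Users\bob\Downloads\FortniteHack.exe",
     r"C:\Users\bob\AppData\Roaming\Bitcoin\wallet.dat"),
    ("file_read", 4242, r"C:\Users\bob\Downloads\FortniteHack.exe",
     r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    ("net_connect", 4242, r"C:\Users\bob\Downloads\FortniteHack.exe", "203.0.113.45:80"),
    # Benign control: the real Steam client reads its own config and talks out.
    ("file_read", 1337, r"C:\Program Files (x86)\Steam\steam.exe",
     r"C:\Program Files (x86)\Steam\config\loginusers.vdf"),
    ("net_connect", 1337, r"C:\Program Files (x86)\Steam\steam.exe", "198.51.100.7:443"),
]


def hunt(events, min_categories=2):
    """Return an alert for each process that reads files from at least
    `min_categories` sensitive categories and *then* makes an outbound
    connection. Ordering matters: the connect must follow the reads."""
    touched = defaultdict(set)  # pid -> categories of sensitive files read so far
    alerts = []
    for kind, pid, image, target in events:
        if kind == "file_read":
            for category, pattern in SENSITIVE.items():
                if pattern.search(target):
                    touched[pid].add(category)
        elif kind == "net_connect" and len(touched[pid]) >= min_categories:
            alerts.append({
                "pid": pid,
                "image": image,
                "categories": sorted(touched[pid]),
                "dest": target,
            })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[!] pid {alert['pid']} ({alert['image']}) read {alert['categories']} "
              f"then connected to {alert['dest']}")
```

The benign Steam process in the sample touches only one category, so it stays below the threshold; a real cheat that only grabbed wallets would too, which is why a practitioner would pair a rule like this with reputation on the image path (a just-downloaded executable in a user's Downloads folder) rather than rely on the category count alone.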