Mods are a staple in gaming, enhancing the experience by adding customizations, features, or improvements that the base game might lack. However, mods also carry risks, as seen in a recent incident in the Cities: Skylines 2 community. A malicious actor compromised the Traffic Manager mod, a highly popular add-on with over 372,000 subscribers, turning it into a vehicle for malware distribution.
The Malware’s Modus Operandi
The attack began when a hacker gained access to the mod uploader’s account and replaced the legitimate Traffic Manager mod files with a tampered version. Among the files included was FastMath.dll, a seemingly innocuous library presented as a performance improvement for the game. In reality, it served as the malware’s first stage, kicking off a multi-stage attack chain.
The malware utilized:
- Hidden Payloads: Through FastMath.dll, the malware executed obfuscated operations to load a second-stage payload (ProfApi.dll).
- Custom Encryption: A custom XOR encoding layer masked the malicious code so that antivirus signatures did not match it.
- Advanced DLL Injection: The malware walked the process environment block (PEB) to locate the system functions it needed at runtime, a technique that sidesteps signature-based antivirus detection.
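A single-byte XOR layer like the one described above is cheap for malware and cheap for an analyst to strip. The following is an added triage example, not code from the article, the mod, or the community investigation: it brute-forces every possible single-byte key over a blob, keeps the keys under which known loader strings appear, and also shows the frequency shortcut (long runs of 0x00 in a binary XOR to the key itself). The blob, the key 0x5A and the embedded names are constructed here so the script runs offline; nothing in it is the real FastMath.dll.

```python
"""Analyst triage helper: recover a single-byte XOR key from a blob and list the
strings it hides. Added example, not code from the article or the mod."""
import re
from collections import Counter

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (the operation is self-inverse)."""
    return bytes(b ^ key for b in data)

# Constructed stand-in for an encoded second stage. This is NOT the real FastMath.dll;
# key and contents are made up so the example runs offline.
SAMPLE_KEY = 0x5A
_PLAIN = (b"\x00" * 16                 # padding: null runs are common in real binaries
          + b"ProfApi.dll\x00"          # the stage name a loader would need in clear text
          + b"\x90\x90"
          + b"kernel32.dll\x00"         # a library every Windows loader resolves
          + b"\xff" * 8)
CONSTRUCTED_BLOB = xor_bytes(_PLAIN, SAMPLE_KEY)

# Strings that almost any Windows loader stub must contain somewhere.
KNOWN_MARKERS = (b".dll", b"kernel32", b"LoadLibrary")

def guess_key_from_runs(blob: bytes) -> int:
    """Heuristic: real binaries contain long runs of 0x00, and 0x00 ^ key == key,
    so the most frequent byte in a single-byte-XOR blob is usually the key."""
    return Counter(blob).most_common(1)[0][0]

def find_xor_keys(blob: bytes, markers=KNOWN_MARKERS) -> dict[int, list[bytes]]:
    """Brute-force all 255 non-trivial keys; keep those whose decoding reveals a
    known marker, and return the printable strings (4+ chars) seen under each."""
    hits: dict[int, list[bytes]] = {}
    for key in range(1, 256):          # key 0 is the identity, nothing to recover
        decoded = xor_bytes(blob, key)
        if any(m in decoded for m in markers):
            hits[key] = re.findall(rb"[\x20-\x7e]{4,}", decoded)
    return hits

if __name__ == "__main__":
    print("frequency guess:", hex(guess_key_from_runs(CONSTRUCTED_BLOB)))
    for key, strings in find_xor_keys(CONSTRUCTED_BLOB).items():
        print(f"key {key:#04x}:", [s.decode() for s in strings])
```

On the constructed blob both methods agree on 0x5A and the decode exposes the stage name and the library it loads; on a real sample the marker list is what makes the brute force selective, so extend it with strings you expect the loader to need (API names, file paths) rather than lowering the printable-run length.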
Community Investigation
The malware was uncovered thanks to collaboration among several Reddit communities, including r/Antivirus and r/CitySkylines. Reverse engineers used tools like Ghidra to analyze the mod’s structure, revealing how the malware bypassed traditional detection methods. It targeted cryptocurrency wallets, like Exodus, stealing sensitive data from unsuspecting users.
Key Takeaways for Gamers
- Verify Mod Sources: Always download mods from trusted sources and verify their authenticity.
- Understand the Risks: Mods are essentially executable code, which can be exploited to harm your system.
- Leverage Community Resources: If in doubt, seek advice from gaming or cybersecurity communities.
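"Verify their authenticity" is concrete work: compare what landed on disk against a list of expected file hashes. The following is an added example, not code from the article or from the Traffic Manager project. It hashes every file in a mod folder, compares against a manifest of expected SHA-256 values, and reports files that were modified, are missing, or were never part of the release at all. The folder, file contents and manifest are constructed inside the script so it runs offline; the tampered DLL and the extra FastMath.dll mirror the incident only as a scenario.

```python
"""Verify an installed mod folder against a manifest of expected SHA-256 hashes.
Added example, not code from the article or the mod project."""
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_mod_dir(mod_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under mod_dir with the manifest.
    Returns sorted lists under the keys: ok, modified, missing, unexpected.
    'unexpected' is the important one: a dropped-in DLL the publisher never shipped."""
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    present = {p.relative_to(mod_dir).as_posix(): p
               for p in mod_dir.rglob("*") if p.is_file()}
    for name, expected in manifest.items():
        if name not in present:
            report["missing"].append(name)
        elif sha256_file(present[name]) == expected.lower():
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    for name in present:
        if name not in manifest:
            report["unexpected"].append(name)
    for entries in report.values():
        entries.sort()
    return report

def build_demo() -> dict[str, list[str]]:
    """Constructed scenario: a manifest for a two-file release, then an install where
    one file was altered and an extra DLL appeared, as in the compromised upload."""
    with tempfile.TemporaryDirectory() as tmp:
        mod = Path(tmp) / "TrafficManager"
        mod.mkdir()
        legit = {"TrafficManager.dll": b"legit mod code (constructed)",
                 "README.txt": b"Traffic Manager readme (constructed)"}
        for name, data in legit.items():
            (mod / name).write_bytes(data)
        # What the publisher would publish alongside (ideally signed) the release.
        manifest = {name: sha256_file(mod / name) for name in legit}
        # Simulate the tampered upload: altered file plus an unexpected extra DLL.
        (mod / "TrafficManager.dll").write_bytes(b"tampered (constructed)")
        (mod / "FastMath.dll").write_bytes(b"unexpected extra (constructed)")
        return verify_mod_dir(mod, manifest)

if __name__ == "__main__":
    for status, names in build_demo().items():
        print(f"{status:>10}: {names}")
```

The check is only as good as the manifest's provenance. In this incident the uploader's account itself was taken over, so a hash list served from the same account would have been replaced along with the files; the manifest has to come from a channel the attacker did not control, such as the author's own signed release page or a hash the community recorded before the swap.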
The Bigger Picture
This incident highlights the importance of caution when modifying games. While mods can enhance gameplay, they also pose significant security risks. Developers and modding platforms must prioritize authentication and security to prevent similar incidents.
Stay vigilant, gamers—your city may be safe, but your data might not be.