The gaming industry has once again become a battleground for cybercriminals. Specialists at McAfee have uncovered a new large-scale campaign called WeedHack, which exploits the popularity of Minecraft to infect computers. The attackers are not just spreading viruses; they have built a full-fledged "malware-as-a-service" business model, primarily trapping underage users.
A Trap Disguised as Mods
WeedHack activity was first detected in January. The primary targets are children and teenagers who frequently download unofficial modifications, graphical enhancements, and "skins" for the game from unverified sources. Hackers use two main strategies to distribute infected files:
- Thematic Platforms: Attackers upload gameplay videos to file-sharing sites, hiding links to viruses in the descriptions.
- SEO Poisoning: Websites are created to masquerade as official mod sources. Links to these resources are actively shared in Discord and Reddit communities.
The initial download of the malware occurs via a Java archive (JAR file). This does not raise suspicion among young gamers, as Minecraft itself is written in Java. However, once launched, the program restarts, decrypts a list of Ethereum server domains, and loads the main component via blockchain addresses.
Bypassing Protection and Total Surveillance
The danger of WeedHack lies in its ability to bypass standard security measures. During unpacking, scripts automatically add the virus's executable files to the antivirus exclusion list. McAfee tests showed that even the built-in Windows Defender is not always able to stop this process.
Once established in the system, the malware begins collecting confidential data. At the final stage, operators gain full remote access to the victim's device. This allows them to:
- Control the computer screen.
- Turn on and use the webcam for video surveillance.
- Create scheduled tasks to prevent the program from being deleted.
Business on Fear: Subscription for Camera Access
Analysts note that while WeedHack was developed by a single author, the project operates on a Malware-as-a-Service (MaaS) model. The system has a two-tier access structure, turning cyberattacks into a commercial product.
The basic functionality of the infostealer is provided to clients for free. However, advanced tools, including webcam access and keystroke logging (keylogger), are sold via subscription. The cost of such a "package" starts at $5 per month.
A specialized cyber-environment has been created around the platform, featuring instructions on target selection and attack optimization. The site contains a generator for personalized viruses, a form to order new features, and even a leaderboard tracking the number of successful infections by each participant.
Lowering the Barrier to Crime
McAfee experts warn that such detailed organization of the process significantly lowers the technical barrier to entry for cybercrime. This creates risks not only for the owners of infected computers but also for the teenagers themselves, who may become accomplices to crimes by using these accessible tools. In light of this, parents are strongly advised to exercise extreme caution and monitor the files their children download.