LofyGang Returns: Minecraft Players Targeted by New 'LofyStealer' Malware
- John Jordan
A notorious Brazilian cybercrime group, LofyGang, has re-emerged after a three-year hiatus, launching a new campaign that preys on Minecraft players with a stealer malware dubbed LofyStealer, also known as GrabBot. The malware is disguised as a "Slinky" hack for the popular game and uses the official game icon to trick young users into running it themselves, after which it harvests their sensitive data.
Key Takeaways
LofyGang, a Brazilian cybercrime group, has resurfaced after three years.
They are targeting Minecraft players with a new stealer malware called LofyStealer.
The malware is disguised as a "Slinky" Minecraft hack, using the official game icon.
LofyStealer aims to steal credentials, cookies, tokens, and financial information from multiple web browsers.
The group is also shifting towards a Malware-as-a-Service (MaaS) model.
The 'Slinky' Deception
The LofyStealer malware is presented to unsuspecting users as a "Slinky" hack for Minecraft. This tactic exploits the trust young gamers place in in-game modifications and tools. By using the official game icon, the attackers increase the chance that victims run the file themselves, which makes the threat harder for traditional security measures to catch.
Data Exfiltration and Targets
Once executed, the "Slinky" hack deploys LofyStealer, disguised as "chromelevator.exe." This malicious software operates in memory to harvest a wide array of sensitive information from popular web browsers, including Google Chrome, Microsoft Edge, Firefox, and others. The stolen data encompasses cookies, passwords, authentication tokens, credit card details, and International Bank Account Numbers (IBANs). This information is then exfiltrated to a command-and-control (C2) server.
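A defender-side detection heuristic for the behaviour described above, added here as an example and not part of the original article: it flags a non-browser process that reads several browser credential, cookie or autofill stores and then opens an outbound connection. The event schema, file paths and telemetry lines are constructed for the example (only the "chromelevator.exe" name comes from the article), so map the field names to your own EDR or Sysmon export.

```python
"""Flag a non-browser process that reads several browser credential, cookie or
autofill stores and then opens an outbound connection (the behaviour attributed
to "chromelevator.exe" above). Event schema and log lines are constructed for
this example; map the field names to your own EDR or Sysmon export."""
import json
import re
from collections import defaultdict
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # legitimate readers
# Files holding saved passwords, cookies/tokens and autofill cards on Windows.
STORE_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\(Network\\)?"
    r"(Login Data|Cookies|Web Data)$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|cookies\.sqlite|key4\.db)$",
    re.IGNORECASE)

def detect(lines, min_stores=2):
    """One alert per process that read >= min_stores distinct store files
    before its first outbound connection."""
    touched = defaultdict(set)  # (pid, image) -> store files read so far
    alerts = []
    for line in lines:
        ev = json.loads(line)
        key = (ev["pid"], ev["image"])
        image = PureWindowsPath(ev["image"]).name.lower()
        if ev["event"] == "FileRead" and STORE_RE.search(ev["path"]):
            touched[key].add(ev["path"])
        elif (ev["event"] == "NetworkConnect" and image not in BROWSERS
              and len(touched[key]) >= min_stores):
            alerts.append({"pid": ev["pid"], "image": image, "dest": ev["dest"],
                           "stores": sorted(touched.pop(key))})
    return alerts

# Constructed telemetry: the stealer reads Chrome, Edge and Firefox stores and
# beacons out; Chrome reading its own Login Data is normal and must not alert.
STEALER = r"C:\Users\kid\AppData\Local\Temp\chromelevator.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
APP = r"C:\Users\kid\AppData"
SAMPLE = [json.dumps(e) for e in (
    {"event": "FileRead", "pid": 4120, "image": STEALER, "path": APP + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "FileRead", "pid": 4120, "image": STEALER, "path": APP + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"event": "FileRead", "pid": 4120, "image": STEALER, "path": APP + r"\Local\Microsoft\Edge\User Data\Default\Web Data"},
    {"event": "FileRead", "pid": 4120, "image": STEALER, "path": APP + r"\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json"},
    {"event": "NetworkConnect", "pid": 4120, "image": STEALER, "dest": "203.0.113.10:443"},
    {"event": "FileRead", "pid": 880, "image": CHROME, "path": APP + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "NetworkConnect", "pid": 880, "image": CHROME, "dest": "198.51.100.7:443"},
)]
```

Running `detect(SAMPLE)` yields a single alert for pid 4120 listing the four store files read before the connection to 203.0.113.10:443; the browser's own access produces nothing.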
Evolution of LofyGang's Tactics
Historically, LofyGang relied on JavaScript supply chain attacks, such as typosquatting on the npm registry, and payloads hidden within sub-dependencies. Their previous targets included Discord tokens and credit card data, often exfiltrated using legitimate services as C2 infrastructure. However, this new campaign signifies a shift towards a Malware-as-a-Service (MaaS) model, offering both free and premium tiers of their tools, alongside a custom builder named "Slinky Cracked" for delivering the stealer.
Broader Trend of Platform Abuse
This campaign is part of a growing trend where threat actors exploit trusted platforms like GitHub to distribute malware. Attackers create deceptive repositories, often disguised as legitimate software or game cheats, to lure users into downloading malicious payloads. Techniques like SEO poisoning and social engineering are employed to direct victims to these fake repositories. Security experts warn that these methods can bypass conventional security solutions by leveraging social trust and common download channels.
Sources
Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign, The Hacker News.
