Hackingblogs: It is reasonable to say that there is always some risk associated with game cheats, regardless of how profitable or high-end they may appear.
The creator of the popular Escape From Tarkov cheat, EvolvedAim, was recently involved in a significant controversy. It turned out that the passionate programmer had secretly distributed spyware that stole user data in addition to his cheat, which he provided for a paid subscription.
Over time, Escape From Tarkov has grown in popularity as a realistic and intense military simulator. With 14.7 million players, the market for illegal cheats was growing. EvolvedAim is one of those cheats; it offers a lot of features, such as automated trade in the game’s inbuilt auction house and automatic skill training through repeated use. The creator has conducted business like a tiny software firm, creating advertisements on several forms related to cheating and even creating a staged recurring revenue scheme.
Not only is Escape From Tarkov a well-liked game for young people (25 and over), but as you can see above, this specific trick is part of a subscription payment structure that requires actual money. This suggests that adults make up the bulk of the impacted users. As explained in greater detail below, the information that was stolen from these people may be utilised to turn around and obtain access to private data and even businesses throughout the globe.
EDP is the owner of one of the biggest forums dedicated to Tarkov cheats and bots. He also runs a significant marketplace that receives over 30,000 views each month. The main creator of EvolvedAim, the cheat that may have malware incorporated in it, Mythical, approached EDP around a year ago with the intention of selling his program on the forum and splitting the proceeds with him.
Their fight started from Mythical’s desire to keep selling on his forum and reduce the percentage of EDP’s earnings that he received. At approximately the same time, EDP discovered that his accounts were the target of multiple suspicious logging attempts and that his desktop screenshots were regularly released.
Understanding EvolvedAim: A Malware Breakdown
EvolvedAim: What is it ?
The application EvolvedAim was developed with Python 3.10 and assembled into an executable file using PyInstaller. Analysts can more easily look at what the programme accomplishes with this approach.
Step 1: Coding Extraction
Pyinstxtractor is the tool we use to analyse the executable. With the aid of this utility, we may extract the executable’s embedded Python files, or.pyc files. These files include bytecode, which is difficult for humans to read yet low-level code that the Python interpreter can comprehend.
Step 2: Code Decompilation
We utilise pycdc, another programme, to rewrite the bytecode into a format that is readable by humans. But there is a catch: decompiling tools for Python do not completely support Python versions above 3.8, which may result in issues. Sometimes the output only displays a portion of the code, which complicates examination.
In the event that these problems arise, pycdc offers an additional tool called pycdas, which assists in converting bytecode into a more comprehensible format, although not completely.
Behaviour at Runtime
Upon launching EvolvedAim, a dialogue requesting a licence key appears. The catch is that the programme has already begun stealing your information in the background while you are entering in your key!
Four threads, or independent jobs operating simultaneously, are used by Programme Logic EvolvedAim to carry out its operations:
Benign Threads: These carry out the program’s normal operations and are safe.
Malicious Threads: These threads steal information and go under identities that seem innocent. For instance, the theft of confidential information is carried out by a single thread known as meme_detector.
String Decryption
Some important pieces of information within EvolvedAim are encrypted. When the program runs, it uses a function called overlay.decrypt_bot_string to decrypt this data using AES encryption. This allows the attacker to access various sensitive details like login credentials and URLs used for malicious purposes.
autu_enc = overlay.decrypt_bot_string('353239313430353738393039313134308f13e0577c6a4a9dbc2f39a0bda73d5f')Here are a few examples of what was found after decryption:
- Credentials for a file-sharing service
- SQL server login details
- Discord webhook URLs for notifications
autu_enc = 'EvolvedTarkovBot'
auto_enc = 'tdmigO6jXK'
auts_enc = '5141f47bbf3fbc01f5270224bf51229ab214957ad30t31a118620889a09c072x'
wh1_enc = 'https://discord.com/api/webhooks/<REDACTED>/3x7y9Mm2DhtSh2W4Cz1iTkXor9a85Q_cYf5n0H8CK-Tz-HmNCudH4_AmK5e8P2y-QS5J'
wh2_enc = 'https://discord.com/api/webhooks/<REDACTED>/sQLOKdK4N8q13PrW6w-LVbROhlPbSoKXuUoBlQ3UPZxOw5RWsecicPtuiJHiO5G254fo'
meu_enc = '<EVOLVE AIM EMAIL>@gmail.com'
mep_enc = '<MEGA PASSWORD>'
edbu_enc = 'admin'
edbp_enc = '<SQL DB PASSWORD>'
edbh_enc = 'evolve-data.<REDACTED>.us-east-2.rds.amazonaws.com'
edb_enc = 'evolve_db'Data Collection and Exfiltration
The program collects data in the following way:
- It checks the victim’s PC name to ensure it isn’t running on a developer’s machine (they’ve blacklisted their own names).
- If all checks are passed, it gathers sensitive information, such as passwords and cookies, from various browsers (like Chrome and Firefox) and even steals files from cryptocurrency wallets like MetaMask.
- It then creates a zip file containing all this stolen information and uploads it to Mega.nz, a file-hosting service.
- Finally, it sends a notification to the attacker via a Discord webhook, letting them know the job is done.
Command and Control
EvolvedAim includes a thread called discord_to_bot that allows attackers to send commands to the infected computer through a MySQL database. Here are the types of commands that can be sent:
- Stop: Kill the process “EscapeFromTarkov.exe,” which is the main game executable.
- Delete: Delete a specific file or folder from the victim’s PC.
- Grab: Collect an arbitrary file or folder from the victim and upload it to Mega.nz.
- Remove: Delete the command from the database used to check if the client is still active.
While active, the SQL database might look something like this:
mathematicaCopy code| Command | Target | Status |
|---------|-------------------------------|---------|
| Stop | EscapeFromTarkov.exe | Active |
| Delete | C:\Users\Victim\Documents\...| Pending |
| Grab | C:\Users\Victim\Pictures\... | Pending |
The cheat designer, Mythical, was banned from all gaming communities he collaborated with after his fraud was exposed. Initial estimates indicate that the attacker caused the lives of somewhat more than a thousand people. The creator has stopped working on the project, the EvolvedAim programme is no longer available, and its Discord server has closed.
This instance demonstrates the terrible consequences that might result from cheating. Users put business resources at risk in addition to paying for access to the cheat and running the risk of losing their personal information.
