TLDR: There's a worm on the loose for a 14-year-old game because threat actors get bored, and Activision is lazy.
On July 26, players received a critical warning about a malware outbreak through a post on the popular gaming platform Steam. A concerned user took to the site to caution Call of Duty: Modern Warfare 2 players about the presence of hackers who were launching attacks using compromised lobbies. To safeguard themselves, players were advised to run antivirus software before diving into the game, and multiplayer servers were temporarily taken offline while Activision investigated further.
This particular malware was identified as a self-replicating worm, a malicious program specifically designed to spread across multiple devices. Unlike other types of malware, worms don't rely on a human or host program to activate. Once downloaded onto a device, they independently execute their programming, enabling them to proliferate rapidly.
The consequences of this worm's presence on devices can be devastating. It can consume valuable disk space and even delete files to facilitate its reproduction. Furthermore, if the worm carries a payload, it can be utilized by malicious actors to cause even greater harm.
Curiously, upon further investigation in the same forum thread that warned about the malware, a player discovered that the worm seemed to be specifically tailored for Call of Duty: Modern Warfare 2. Speculation arose among gamers regarding the worm's purpose, with some noting that its dynamic-link library (DLL) appeared to be designed to detect and prevent access to custom lobbies. Additionally, users observed that the worm employed remote code execution (RCE), while simultaneously blocking any RCE attempts on its host device.
This is a great reminder that there is no such thing as an "out of date" attack vector, only danger we have stopped paying attention to. In this case, though, the bug was never forgotten: it had been reported years earlier. Security researcher Maurice Heumann told TechCrunch that the malware uses a bug, and an accompanying exploitation technique, that he himself discovered and reported in 2018 to Activision, the gaming giant that publishes the Call of Duty series.
According to Heumann, Activision failed to address the bug even after he brought it to their attention. That lack of action led Heumann to withhold the details of the bug, since publishing them could have exposed players to further risk. Describing the bug, Heumann emphasized its simplicity: it is a straightforward buffer overflow vulnerability with minimal limitations, and he added that crafting a full-fledged exploit for it is an easy task.
At BeeHive, we were glad to find no record of this exploit reaching any of our clients, and we were able to obtain a sample of the worm for analysis and signature creation.
Detected As: Malware@#3rtiew2ohk48e
Detected By:
- AntiVirus
- Managed Detection and Response (All Tiers)
Demonstrated Behaviors:
- Self-Execution
Execution / Load
The malicious file creates a child process as rundll32.exe.
This child process immediately calls:
- injection_rwx_memory: NtProtectVirtualMemory with protection 0x00000040 (PAGE_EXECUTE_READWRITE, i.e. a writable and executable page)
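The injection_rwx_memory behaviour above is a useful detection primitive on its own: a freshly spawned rundll32.exe flipping a page to PAGE_EXECUTE_READWRITE. The following is an added example, not BeeHive's signature or sandbox code; the trace line format (`PROC ...` / `API ...`) and the sample trace are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows memory-protection constants that grant write and execute together.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
RWX_PROTECTIONS = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
PROTECT_APIS = {"NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx"}

# Assumed trace format (constructed for this example, not a real sandbox schema).
PROC_RE = re.compile(r"^PROC pid=(\d+) ppid=(\d+) image=(.+)$")
API_RE = re.compile(r"^API pid=(\d+) api=(\w+)(?: protect=(0x[0-9a-fA-F]+))?$")

@dataclass(frozen=True)
class Finding:
    pid: int
    parent_pid: int
    api: str
    protection: int

def detect_rwx_injection(trace: Iterable[str]) -> List[Finding]:
    """Flag processes spawned during the trace as rundll32.exe that set an RWX protection."""
    spawned = {}  # pid -> (ppid, lowercased image) for processes created in-trace
    findings: List[Finding] = []
    for line in trace:
        m: Optional[re.Match] = PROC_RE.match(line)
        if m:
            spawned[int(m[1])] = (int(m[2]), m[3].lower())
            continue
        m = API_RE.match(line)
        if not m or m[2] not in PROTECT_APIS or m[3] is None:
            continue
        pid, prot = int(m[1]), int(m[3], 16)
        # Only fire for rundll32.exe children we saw being created; a long-lived
        # rundll32 that pre-dates the trace is a different (weaker) signal.
        if prot in RWX_PROTECTIONS and pid in spawned and spawned[pid][1].endswith("\\rundll32.exe"):
            findings.append(Finding(pid, spawned[pid][0], m[2], prot))
    return findings

# Constructed trace in the assumed format; not real sandbox output.
SAMPLE_TRACE = [
    r"PROC pid=4120 ppid=3004 image=C:\Windows\SysWOW64\rundll32.exe",
    "API pid=4120 api=NtProtectVirtualMemory protect=0x00000040",   # RWX -> flagged
    r"PROC pid=5000 ppid=3004 image=C:\Windows\explorer.exe",
    "API pid=5000 api=NtProtectVirtualMemory protect=0x00000040",   # not rundll32
    "API pid=4120 api=NtProtectVirtualMemory protect=0x00000004",   # PAGE_READWRITE only
    "API pid=4120 api=RegOpenKeyExW",                               # no protection arg
]

if __name__ == "__main__":
    for f in detect_rwx_injection(SAMPLE_TRACE):
        print(f"pid {f.pid} (parent {f.parent_pid}) {f.api} -> {f.protection:#x}")
```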
This child process accesses the following files/file sources
- C:\Users\user\AppData\Local\Temp\45eacb558c3dd24b487fc64357fda01e03e0f79b.dll
- C:\Users\user\AppData\Local\Temp\45eacb558c3dd24b487fc64357fda01e03e0f79b.dll.123.Manifest
- C:\Users\user\AppData\Local\Temp\45eacb558c3dd24b487fc64357fda01e03e0f79b.dll.124.Manifest
- C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
- C:\Windows\Fonts\staticcache.dat
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
This child process reads the following registry key values/locations
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
The child process makes registry changes at the following locations
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
The child process resolves the following onboard APIs
- kernel32.dll.InitializeCriticalSectionEx
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsGetValue
- kernel32.dll.LCMapStringEx
- kernel32.dll.FlsFree
- kernel32.dll.InitOnceExecuteOnce
- kernel32.dll.CreateEventExW
- kernel32.dll.CreateSemaphoreW
- kernel32.dll.CreateSemaphoreExW
- kernel32.dll.CreateThreadpoolTimer
- kernel32.dll.SetThreadpoolTimer
- kernel32.dll.WaitForThreadpoolTimerCallbacks
- kernel32.dll.CloseThreadpoolTimer
- kernel32.dll.CreateThreadpoolWait
- kernel32.dll.SetThreadpoolWait
- kernel32.dll.CloseThreadpoolWait
- kernel32.dll.FlushProcessWriteBuffers
- kernel32.dll.FreeLibraryWhenCallbackReturns
- kernel32.dll.GetCurrentProcessorNumber
- kernel32.dll.CreateSymbolicLinkW
- kernel32.dll.GetTickCount64
- kernel32.dll.GetFileInformationByHandleEx
- kernel32.dll.SetFileInformationByHandle
- kernel32.dll.InitializeConditionVariable
- kernel32.dll.WakeConditionVariable
- kernel32.dll.WakeAllConditionVariable
- kernel32.dll.SleepConditionVariableCS
- kernel32.dll.InitializeSRWLock
- kernel32.dll.AcquireSRWLockExclusive
- kernel32.dll.TryAcquireSRWLockExclusive
- kernel32.dll.ReleaseSRWLockExclusive
- kernel32.dll.SleepConditionVariableSRW
- kernel32.dll.CreateThreadpoolWork
- kernel32.dll.SubmitThreadpoolWork
- kernel32.dll.CloseThreadpoolWork
- kernel32.dll.CompareStringEx
- kernel32.dll.GetLocaleInfoEx
- kernel32.dll.AreFileApisANSI
- kernel32.dll.EnumSystemLocalesEx
- kernel32.dll.GetDateFormatEx
- kernel32.dll.GetTimeFormatEx
- kernel32.dll.GetUserDefaultLocaleName
- kernel32.dll.IsValidLocaleName
- kernel32.dll.LCIDToLocaleName
- kernel32.dll.LocaleNameToLCID
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- gdi32.dll.GetFontAssocStatus
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- uxtheme.dll.ThemeInitApiHook
- user32.dll.IsProcessDPIAware
- dwmapi.dll.DwmIsCompositionEnabled
- gdi32.dll.GdiIsMetaPrintDC
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- oleaut32.dll.#500
PE Sections

| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |
|---|---|---|---|---|---|
| .text | 0x1000 | 0x38cb4 | 0x38e00 | 6.61847535624 | fd0e0036526f3e14aa7787ade0477e84 |
| .rdata | 0x3a000 | 0x120e4 | 0x12200 | 5.56553051707 | cce73345630ed94826328e1297d67a66 |
| .data | 0x4d000 | 0x2c9c | 0x1a00 | 4.15881786597 | 654fde90ffd165538953b8d03f3d257d |
| .rsrc | 0x50000 | 0x1e0 | 0x200 | 4.7085533373 | cec0ee048480abda472db7c8de82fe62 |
| .reloc | 0x51000 | 0x318c | 0x3200 | 6.59491948142 | a30a9d0dbb44eec2665b0b0147f8e773 |
Known Mutexes
- CicLoadWinStaWinSta0
- Local\MSCTF.CtfMonitorInstMutexDefault1
Network Behavior

| Call Time During Execution (sec) | Source IP | Dest IP | Dest Port |
|---|---|---|---|
| 3.04141998291 | Sandbox | 224.0.0.252 | 5355 |
| 3.09518814087 | Sandbox | 224.0.0.252 | 5355 |
| 3.09590005875 | Sandbox | 192.168.56.255 | 137 |
| 3.11328005791 | Sandbox | 239.255.255.250 | 3702 |
| 5.6616961956 | Sandbox | 224.0.0.252 | 5355 |

All of these destinations are local multicast or broadcast addresses (LLMNR on 5355, NetBIOS name service on 137, WS-Discovery on 3702), which is ordinary Windows name-resolution chatter inside a sandbox network; none of the observed connections goes to an external host.
About This Sample
- File Name: CB000ABED31B92B4F3F895A633EF0FFAF01A1BE0DFC73619ACF98C1605A5999D
- File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- SHA1: 45eacb558c3dd24b487fc64357fda01e03e0f79b
- MD5: 0275c0a4618bb9a8cab9764d5d9f9ee9

Provided By: VX-Underground