Attackers leverage zero-day RCE flaw in Counter-Strike 1.6 to infect users with Belonard malware

• The trojan is being distributed via 39% of all existing Counter-Strike 1.6 servers.
• Once executed, the trojan can enable the attackers to modify users’ CS1.6 clients and show ads inside users’ games.

A zero-day remote code execution (RCE) flaw in the official Counter-Strike 1.6 clients is being exploited by attackers to infect the players with a new strain of malware called Belonard. The trojan is being distributed via 39% of all existing Counter-Strike 1.6 servers.

The big picture - In a blog post, researchers from Russian antivirus firm Dr. Web disclosed that threat actors have set up the malicious servers in the attempt of hacking players’ computers worldwide.

When a gamer connects to one of these proxy servers, they would be redirected to malicious ones. This enables the cybercrooks to execute code and plant the Belonard trojan without the knowledge of the player. Later, these infected computers are used to make a botnet-like structure.

What are the capabilities of Belonard trojan - Once the trojan is executed on victims’ computer, it can enable the attackers to modify users’ CS1.6 clients and show ads inside users’ games.

"When a player starts the game, their nickname will change to the address of the website where an infected game client can be downloaded, while the game menu will show a link to the VKontakte CS 1.6 community with more than 11,500 subscribers,” Dr. Web security researcher Ivan Korolev noted.

In order to gain persistence and expand the infection process, the Belonard malware would create proxy servers running on users’ computers. These servers would then appear in the main CS1.6 multiplayer server list. The process is used to deceive the users, who connect to one of these malicious servers thinking it as a legitimate server.

How to protect yourself - Korolev told ZDNet that he has notified the issue to the CS1.6’s maker. In the meantime, users can recognize the proxy servers because of a bug in Belonard’s code. Due to the bug, the proxy servers display the server game type as 'Counter-Strike 1', 'Counter-Strike 2', or 'Counter-Strike 3', instead of the standard 'Counter-Strike 1.6'.