Yesterday, a reddit user posted about mods for GTA 5 containing malware. The affected mods were identified as No-Clip and Angry Planes.

gta5red

 

This conversation was started as a result of a thread on the gtaforums.com website seen here.

The installed malware has a black dove logo and has been identified as “fade.exe” or “Trekker.exe”. Malwarebytes Anti-Malware identified it as Trojan.Agent.TRK.

fade_bird

Taking a closer look, this file was identified as a .NET 4 assembly using Exeinfo PE. It has also been obfuscated using SmartAssembly, which was removed using the powerful de4dot de-obfuscator.

fadeexeinfo

The entry point is a typical .NET loader, de-obfuscating an array of bytes and storing it in variable “c”. A de-obfuscated PE is placed into “c” after a call to smethod_1. The new executable is called using the Invoke method.

fade_entrypoint

Assembly loaders are becoming more popular, another was used not long ago in the xtube exploit malware that was identified as Cryptowall. With .NET being installed on almost every Windows computer nowadays, malware authors have a high chance of success using .NET to deliver malware.

Loading malware into games add-ons has been around for some time now. Because of this, gamers need to be cautious when installing mods onto their computers, especially those that haven’t gone through any sort of quality check. Always make sure to scan a mod using Malwarebytes Anti-Malware before installing it to make sure you stay safe.

@joshcannell