New CS:GO Cheating App for MacOS Contains a Malicious Monero Miner

Users of the MacOS operating system should steer clear of a new CS:GO “cheat” known as vHook. Anyone who plays Counter-Strike: Global Offense is always looking to gain a competitive edge in one way or another. Resorting to cheats is frowned upon, but it is also the only option in the minds of some players. The new vHook cheating app for MacOS should not be trusted, as it installs nefarious cryptocurrency mining software on devices.

CS:GO Cheating on MacOS Has Multiple Consequences

We never condone cheating of any kind when it comes to online gaming, especially if that game is part of the growing eSports industry. CS:GO is one of the most well-known games in the world, and it is both competitive and fun to play. However, the game is haunted by cheaters who try to take advantage of technologies such as vHook applications. Addressing these cheats has been quite a challenge, yet it has also attracted the attention of cybercriminals looking to get their hands on some more cryptocurrency.

Criminals are now packaging a new CS:GO vHook cheating app containing cryptocurrency mining malware. Interestingly, this new toolkit is designed specifically for MacOS users. The vast majority of CS:GO gamers use the Windows operating system, thus targeting MacOS users seems like a weird decision. Only time will tell if any MacOS gamers are affected by the new malware distribution campaign.

Unfortunately, there is a precedent for packaging a CS:GO cheating tool with malware. A similar incident occurred back in December of 2016. That particular malware had nothing to do with cryptocurrency mining, though. Instead, the toolkit successfully rewrote a player’s master boot record altogether, which prevented their machine from rebooting. It was a way to successfully eliminate some of the other competitive CS:GO players, although the method of attack raised a lot of questions at the time.

It appears this new CS:GO vHook cheating app for MacOS is distributed through the website. Knowing which website distributes this malware-laden package should make it easier for researchers to ensure it is taken offline. Whether or not that will actually happen remains to be seen. The website has been around for quite some time and is still accessible at the time of writing. The tool also has a few dedicated YouTube advertisement videos to help spread awareness. It is based on the original vHook cheating app, which has been around for almost as long as the game exists.

What is rather remarkable is the cryptocurrency mining malware itself. This is another instance of cybercriminals actively distributing malware capable of mining the Monero cryptocurrency. Since Monero is far more anonymous than Bitcoin – and rather profitable as well – it makes a lot more sense to hijack other people’s computing resources to mine XMR instead of BTC. The malware goes by the name OSX.Pwnet.A and has been specially modified to wreak havoc in the MacOS ecosystem.

As we have seen with other types of cryptocurrency mining malware, the criminals use the MinerGate pool to mine XMR with other people’s computers. This has become somewhat of a trend and two user accounts have been identified as participants in this malware’s distribution. The malware itself is a rewritten Minergate-cli package written for the QT framework. There is also evidence of this malware having been developed by a criminal distributing yet another type of cryptocurrency miner.