Malicious Blender model files deliver StealC infostealing malware
Another open source platform is being abused for malware
- Russian hackers exploit Blender’s Auto Run feature to deliver StealC infostealer via .blend files
- Malware deployed through CGTrader assets, pulling payloads from Cloudflare Workers domains
- StealC variant targets browsers, crypto wallets, chat apps, and VPN clients undetected
Blender has a convenient but risky feature which experts have found is being exploited by Russian hackers to deliver infostealer malware.
Cybersecurity researchers at Morphisec observed the attacks in the wild and urged designers and other professionals to be vigilant.
Blender is a widely used open source 3D creation suite popular among artists, animators, game developers, and studios for everything from modeling and rendering to visual effects. There is also CGTrader, a marketplace where 3D artists and designers can buy, sell, and share user-generated models and assets for their projects.
Significant impact
Now, Morphisec says it saw Russia-linked cybercriminals upload .blend files with embedded Python code onto CGTrader.
The code pulls a malware loader from a Cloudflare Workers domain which, in turn, pulls two ZIP archives. These deploy two payloads, including a StealC infostealer and an auxiliary Python stealer, likely as a fallback.
Obviously, the Python code needs to be triggered. That is where the “convenient, but risky” feature comes in. It is called Auto Run, and when it is enabled, opening a character rig automatically runs the script embedded in the file, which loads the facial controls and custom UI panels; in this campaign, that same mechanism triggers the malware deployment process.
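The defensive counterpart to the mechanism just described is to look at what Python a downloaded .blend file carries before Blender ever gets a chance to run it. The scanner below is an added example written for this article, not code from Morphisec, Blender or CGTrader. It assumes the classic .blend block layout (a 12-byte `BLENDER` header, then blocks with a 4-byte code, a 4-byte length, an old-pointer field, an SDNA index and a count, ending at `ENDB`), that a Text datablock is written as a `TX` ID block followed by `DATA` blocks holding its lines, and it reports zstd-compressed saves as unsupported rather than parsing them. The marker lists, the `build_sample_blend` helper and the two sample scripts are constructed for this example and are not real rig or malware code.

```python
"""
Pre-open scanner for .blend files: lists embedded Text datablocks and flags
the ones that look like Python with network or process-execution markers,
so a marketplace download can be reviewed before it is opened with Auto Run.
Added example (not the article's or Blender's code); the block layout it
parses is an assumption documented above.
"""
import gzip
import re
import struct
from dataclasses import dataclass, field

# Markers that say "this text block is a Blender Python script" (legitimate rigs have these too)
PY_MARKERS = re.compile(rb"\bimport\s+bpy\b|\bbpy\.(?:types|app|context)\b|\bdef\s+register\s*\(")
# Markers that warrant a manual review before the file is opened with Auto Run enabled
RISK_MARKERS = re.compile(
    rb"\bimport\s+(?:os|subprocess|urllib|requests|socket|base64|ctypes|zipfile)\b"
    rb"|\b(?:exec|eval|__import__)\s*\("
    rb"|\bos\.system\b|\bsubprocess\."
    rb"|https?://"
    rb"|\bpowershell\b",
    re.IGNORECASE,
)
_NAME_RE = re.compile(rb"TX([\x20-\x7e]{1,63})\x00")  # ID.name of a Text block starts with "TX"


@dataclass
class TextBlock:
    name: str
    body: bytes
    is_python: bool = False
    risk_indicators: list = field(default_factory=list)


def _decompress(data: bytes) -> bytes:
    if data[:2] == b"\x1f\x8b":            # gzip: compressed saves from Blender < 3.0
        return gzip.decompress(data)
    if data[:4] == b"\x28\xb5\x2f\xfd":    # zstd magic: compressed saves from Blender >= 3.0
        raise ValueError("zstd-compressed .blend: decompress it first, this example does not")
    return data


def iter_blocks(data: bytes):
    """Yield (code, payload) for every file block, stopping at ENDB (assumed classic layout)."""
    if data[:7] != b"BLENDER":
        raise ValueError("not a .blend file (missing BLENDER magic)")
    ptr_fmt = "Q" if data[7:8] == b"-" else "I"      # '-' = 64-bit pointers, '_' = 32-bit
    endian = "<" if data[8:9] == b"v" else ">"        # 'v' = little endian, 'V' = big endian
    hdr = struct.Struct(f"{endian}4si{ptr_fmt}ii")    # code, len, old pointer, SDNA index, count
    off = 12
    while off + hdr.size <= len(data):
        code, size, _old_ptr, _sdna, _count = hdr.unpack_from(data, off)
        off += hdr.size
        if code == b"ENDB":
            return
        if size < 0 or off + size > len(data):
            raise ValueError(f"truncated block {code!r} at offset {off}")
        yield code, data[off:off + size]
        off += size


def scan_blend(data: bytes) -> list:
    """Collect each TX block and the DATA blocks written right after it, then classify them."""
    blocks, current = [], None
    for code, payload in iter_blocks(_decompress(data)):
        if code.startswith(b"TX"):
            m = _NAME_RE.search(payload)
            current = TextBlock(name=m.group(1).decode() if m else "<unnamed>", body=b"")
            blocks.append(current)
        elif code == b"DATA" and current is not None:
            current.body += payload      # TextLine structs and line strings, in write order
        else:
            current = None               # any other ID block ends the current text's data
    for tb in blocks:
        tb.is_python = bool(PY_MARKERS.search(tb.body))
        tb.risk_indicators = sorted({m.group(0).decode(errors="replace")
                                     for m in RISK_MARKERS.finditer(tb.body)})
    return blocks


def report(data: bytes) -> list:
    """One line per embedded text block: REVIEW (risk markers), python, or plain text."""
    lines = []
    for tb in scan_blend(data):
        verdict = "REVIEW" if tb.risk_indicators else ("python" if tb.is_python else "text")
        lines.append(f"{verdict:6} {tb.name}  {', '.join(tb.risk_indicators)}".rstrip())
    return lines


def _block(code: bytes, payload: bytes) -> bytes:
    # Constructed 64-bit little-endian block header followed by its payload
    return struct.pack("<4siQii", code.ljust(4, b"\0"), len(payload), 0, 0, 1) + payload


def build_sample_blend(texts: dict, compress: bool = False) -> bytes:
    """Constructed minimal .blend-like file for testing; not a real Blender save."""
    out = b"BLENDER-v405"                            # 64-bit pointers, little endian, version 405
    for name, script in texts.items():
        fake_id = b"\0" * 40 + b"TX" + name.encode() + b"\0" + b"\0" * 24   # stand-in ID struct
        out += _block(b"TX", fake_id)
        for line in script.split(b"\n"):
            out += _block(b"DATA", line + b"\0")
    out += _block(b"ENDB", b"")
    return gzip.compress(out) if compress else out


# Constructed samples: a benign-looking rig UI script and one carrying download markers
SAMPLE_RIG = b"import bpy\n\ndef register():\n    bpy.types.Scene.face_rig = True\n"
SAMPLE_LOADER = b"import bpy\nimport urllib.request\nimport subprocess\nURL = 'https://example.invalid/stage2'\n"

if __name__ == "__main__":
    import sys
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_blend({"rig_ui.py": SAMPLE_RIG, "loader.py": SAMPLE_LOADER}))
    print("\n".join(report(blob)))
```

Run it as `python scan_blend.py model.blend` on anything pulled from a marketplace; a `REVIEW` line means the file embeds a script that reaches for the network or a process before it has been opened. The scan is a heuristic: it does not read the Text block's Register flag (the setting that makes a script run on load under Auto Run), so an embedded script with no flagged markers still deserves a look, and the real control remains keeping Blender's Auto Run Python Scripts preference off and declining the "Allow Execution" prompt for files from untrusted sources.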
StealC is a popular infostealer that has been around for years and has been observed in numerous high-profile campaigns. It is also constantly in development, with newer versions improving its persistence, stealth, and data-theft capabilities.
This latest variant, used in this campaign, can pull data from more than 20 browsers, more than 100 cryptocurrency wallet browser extensions, more than 15 cryptocurrency wallet apps, the majority of chat apps, as well as VPN clients.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.