OverwriteMBR

By GoldSparrow in Potentially Unwanted Programs

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 3
First Seen: December 28, 2016
Last Seen: February 25, 2020
OS(es) Affected: Windows

OverwriteMBR is a threat that overwrites the victim's MBR (Master Boot Record), which has severe consequences for the affected computer. OverwriteMBR was seen being used in a campaign against cheaters of a popular online game.

The Threat Campaign Carried out by OverwriteMBR

Counter-Strike: Global Offensive (CS:GO) is a popular online game plagued by cheaters, who use hacks to improve their chances against other players. External Counter-Strike is distributed as a program that lets players see their online enemies through in-game obstacles and walls. Such tools may be distributed on the website Mpgh.net. OverwriteMBR is currently being used to target cheaters who download this product. According to the file names and messages associated with OverwriteMBR, the creator of External Counter-Strike is someone who is targeting cheaters and Mpgh.net itself in an attempt to stop cheating in CS:GO. External Counter-Strike includes a PowerShell script that installs OverwriteMBR on any computer caught cheating at this online game.

How OverwriteMBR Attacks a Computer

When cheaters download the External Counter-Strike program, contained in a ZIP archive named ExternalCounterstrike.zip, they are asked to extract its contents to their desktop and then run an SLN file. This file includes two folders. When the SLN file is loaded, a project named 'MBR Virus.dat' runs. This project contains a PowerShell command that loads OverwriteMBR onto the victim's computer, and Windows executes these commands automatically. OverwriteMBR causes Windows to download an executable file named 'fuck_mpgh.exe' from a remote server onto the system drive. Once this file is executed, it overwrites the infected computer's MBR.

Windows uses the MBR during startup to load all of its drivers, drives and system files. When OverwriteMBR overwrites the MBR, the computer can no longer load the Windows operating system. When the compromised computer starts up, the following message appears instead of Windows:

'Multiplayer Game Hacking
As you reboot, you find that something has overwritten your MBR!
It is a sad thing your adventures have ended here.
This is the result of the incompetent file analyzers from MPGH.
If you need cheats, use something else than MPGH.
Greetings from ULLR. <3'
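
As an added illustration (not code from the original article), the following Python checks a 512-byte MBR image against a SHA-256 hash recorded while the machine was known good, which is the kind of baseline that lets a defender notice an overwrite like this one before the next reboot; the sample sectors, opcode bytes and partition layout are constructed here, and reading the real sector (for example from \\.\PhysicalDrive0 with administrative rights) is left to the caller.

```python
import hashlib
import struct

MBR_SIZE, BOOT_CODE_LEN, SIGNATURE = 512, 446, b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, four 16-byte partition entries and the signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):  # entry: boot flag, CHS start (3), type, CHS end (3), LBA start, sector count
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, BOOT_CODE_LEN + 16 * i)
        parts.append({"active": flag == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:] == SIGNATURE}

def boot_code_strings(sector: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs in the boot code; a wiper that prints a boot message leaves it here."""
    found, run = [], bytearray()
    for b in sector[:BOOT_CODE_LEN] + b"\x00":  # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode())
        run = bytearray()
    return found

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Findings against a hash recorded while the system was known good; [] means intact."""
    info, findings = parse_mbr(sector), []
    if hashlib.sha256(sector).hexdigest() != baseline_sha256:
        findings.append("sector differs from baseline hash")
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not any(p["type"] for p in info["partitions"]):
        findings.append("partition table is empty")
    return findings

def build_sector(boot_code: bytes, partitions: bytes) -> bytes:
    # Assemble a constructed 512-byte sector: boot code, packed partition entries, signature.
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + partitions.ljust(64, b"\x00") + SIGNATURE

# Constructed stand-in for a healthy MBR: a few opcode bytes plus one active NTFS (0x07) partition.
GOOD_MBR = build_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB", struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000))
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()  # record this while the machine is known good
# Constructed sector modelled on the page: boot code replaced by a message, partition table zeroed.
WIPED_MBR = build_sector(b"\xB4\x0E" + b"Multiplayer Game Hacking\r\nAs you reboot, you find that something has overwritten your MBR!", b"")
```

A genuine Windows boot sector legitimately carries short error strings of its own, so treat boot_code_strings as triage context and the baseline hash comparison as the actual verdict.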

Online Cheating and Threats Like OverwriteMBR

Although there is no justification for creating and distributing threats, it is important to note that cheating tools and cracked software are among the most common ways of distributing threats online. Computer users should use legitimate software from reliable sources and avoid pirated software and third-party cheating tools downloaded from shady forums or low-quality websites. While OverwriteMBR is used spitefully to disable users' PCs, the threats most commonly distributed this way are typically used to collect users' data (such as online banking passwords) or to gain access to the victim's computer automatically. A reliable, fully up-to-date security program should be capable of detecting and deleting OverwriteMBR before it carries out its attack.

There are connections between OverwriteMBR and other incidents targeting online cheaters or similar websites used to distribute this kind of content. An incident in the summer of 2016 involving Fosshub had numerous elements in common with the OverwriteMBR campaign. The OverwriteMBR boot message is nearly identical to the one displayed after a hacker associated with 'Peggle Crew' gained access to Fosshub and inserted threats into files being distributed on that website. The threat inserted into Fosshub used the same approach as OverwriteMBR, overwriting the infected PC's MBR and then displaying a custom message very similar to OverwriteMBR's. Computers infected by OverwriteMBR and similar threats become nearly impossible to repair, often requiring a fresh reinstallation of Windows.
