Malicious Blender template files deliver StealC information-stealing malware

  • Russian hackers take advantage of Blender’s AutoRun feature to deliver the StealC infostealer via .blend files.
  • The malware is distributed via CGTrader assets that fetch payloads from Cloudflare Workers domains.
  • The StealC variant targets browsers, crypto wallets, chat apps and VPN clients without being detected.

Blender has a convenient but risky feature that, researchers say, is being abused by Russian hackers to spread infostealer malware.

Cybersecurity firm Morphisec has observed the attacks in the wild and has urged designers and other 3D professionals to be vigilant.

Blender is an open source 3D creation package widely used by artists, animators, game developers and studios for everything from modeling and rendering to visual effects. There’s also CGTrader, a marketplace where 3D artists and designers can buy, sell, and share user-generated models and assets for their projects.

Significant impact

Morphisec now claims that Russia-linked cybercriminals uploaded .blend files with embedded Python code to CGTrader.

The code downloads malware from a Cloudflare Workers domain, which in turn fetches two ZIP files. These deliver two payloads: the StealC infostealer and an additional Python-based stealer, presumably as an alternative.

Of course, the Python code must be allowed to run. This is where the “convenient but risky” feature comes into play. It is called AutoRun: with it enabled, opening a character file makes the embedded script load its custom face controls and UI panels automatically, and that same script then triggers the malware download.
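A defender reviewing downloaded assets wants to know whether a .blend file carries an embedded script before Blender ever opens it. The following is an added example, not code from Morphisec, Blender or CGTrader: it walks the classic .blend block layout (12-byte `BLENDER` header, then a sequence of blocks each with a 4-byte code, size, old pointer, SDNA index and count), counts `TX` (Text) ID blocks, and scans the `DATA` blocks that follow each one for strings that warrant manual review. The assumption that a text block's lines are stored in the `DATA` blocks immediately after its `TX` block, the marker list, and the `build_sample_blend` input are all constructed for this example; newer file-format variants are not handled.

```python
import gzip
import struct
from dataclasses import dataclass, field

# Markers that warrant manual review when found inside an embedded text block.
# Heuristic only: a legitimate rig script will "import bpy", so that alone is not flagged.
SUSPICIOUS_MARKERS = (
    b"urllib", b"requests", b"subprocess", b"os.system",
    b"exec(", b"base64", b"http://", b"https://", b"load_post",
)


@dataclass
class BlendTriage:
    version: str
    pointer_size: int
    little_endian: bool
    block_counts: dict = field(default_factory=dict)
    text_blocks: int = 0          # number of TX (Text) ID blocks, i.e. embedded scripts
    markers: list = field(default_factory=list)

    def verdict(self) -> str:
        if self.text_blocks == 0:
            return "no-embedded-text"
        if self.markers:
            return "review"       # embedded script references network/exec/encoding
        return "embedded-text"    # script present, no markers; still open with autorun off


def decompress_blend(data: bytes) -> bytes:
    if data[:2] == b"\x1f\x8b":                 # gzip ("Compress File" in older versions)
        return gzip.decompress(data)
    if data[:4] == b"\x28\xb5\x2f\xfd":         # zstd frame magic (Blender 3.0+)
        raise ValueError("zstd-compressed .blend: decompress first")
    return data


def triage_blend(data: bytes) -> BlendTriage:
    data = decompress_blend(data)
    if len(data) < 12 or data[:7] != b"BLENDER":
        raise ValueError("not a .blend file (missing BLENDER magic)")
    pointer_size = 8 if data[7:8] == b"-" else 4   # '-' = 64-bit pointers, '_' = 32-bit
    little = data[8:9] == b"v"                       # 'v' little-endian, 'V' big-endian
    result = BlendTriage(data[9:12].decode("ascii"), pointer_size, little)

    # Block header: code[4], int32 size, old pointer, int32 SDNA index, int32 count
    fmt = ("<" if little else ">") + "4si" + ("Q" if pointer_size == 8 else "I") + "ii"
    hdr_len = struct.calcsize(fmt)
    off, in_text = 12, False
    while off + hdr_len <= len(data):
        raw_code, size, _oldptr, _sdna, _count = struct.unpack_from(fmt, data, off)
        code = raw_code.rstrip(b"\x00").decode("ascii", "replace")
        off += hdr_len
        if code == "ENDB":
            break
        body = data[off:off + size]
        off += size
        result.block_counts[code] = result.block_counts.get(code, 0) + 1
        if code == "TX":
            result.text_blocks += 1
            in_text = True            # assumption: the text's lines follow in DATA blocks
        elif code != "DATA":
            in_text = False
        if in_text and code == "DATA":
            for marker in SUSPICIOUS_MARKERS:
                if marker in body and marker.decode() not in result.markers:
                    result.markers.append(marker.decode())
    return result


def pack_block(code: bytes, body: bytes, pointer_size: int = 8) -> bytes:
    """Serialise one block in the classic little-endian layout (for constructed samples)."""
    fmt = "<4si" + ("Q" if pointer_size == 8 else "I") + "ii"
    return struct.pack(fmt, code.ljust(4, b"\x00"), len(body), 0, 0, 1) + body


def build_sample_blend() -> bytes:
    """Constructed stand-in for a rig file carrying an embedded script (not a real asset)."""
    script = b"import bpy\nimport urllib.request\nexec(code)\n"
    return (
        b"BLENDER-v304"
        + pack_block(b"TX", b"\x00" * 32)      # Text ID struct placeholder
        + pack_block(b"DATA", script)          # text lines belonging to the TX block
        + pack_block(b"OB", b"\x00" * 16)      # an unrelated Object block
        + pack_block(b"ENDB", b"")
    )


if __name__ == "__main__":
    report = triage_blend(build_sample_blend())
    print(report.verdict(), report.text_blocks, report.markers)
```

A verdict of `embedded-text` or `review` does not prove malice, since rigs ship scripts for their UI panels, but it tells the reviewer to open the file with script execution disabled (Blender's `--disable-autoexec` command-line flag, or the "Auto Run Python Scripts" preference unchecked) and read the text block in Blender's text editor before allowing it to run.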

StealC is a popular infostealer that has been around for several years and has been used in many high-profile campaigns. It is also constantly evolving, with newer versions improving its persistence, stealth, and data-theft capabilities.

The variant used in this campaign can collect data from more than 20 browsers, 100+ cryptocurrency wallet browser extensions, 15+ cryptocurrency wallet apps, and most chat apps and VPN clients.

IN BeepTeam