Malicious Blender model files deliver StealC infostealing malware

Cybersecurity researchers Morphisec observed the attacks in the wild and urged designers and other professionals to be vigilant.

Blender is a widely used open source 3D creation suite popular among artists, animators, game developers, and studios for everything from modeling and rendering to visual effects. There is also CGTrader, a marketplace where 3D artists and designers can buy, sell, and share user-generated models and assets for their projects.

Significant impact

Now, Morphisec says it saw Russia-linked cybercriminals upload .blend files with embedded Python code onto CGTrader.

The code pulls a malware loader from a Cloudflare Workers domain which, in turn, pulls two ZIP archives. These deploy two payloads, including a StealC infostealer and an auxiliary Python stealer, likely as a fallback.

Obviously, the Python code needs to be triggered. That is where the “convenient, but risky” feature comes in. It is called Auto Run, and if it is enabled, when a user opens a character rig, the script automatically loads the facial controls and custom UI panels and, consequently, triggers the malware deployment process.

StealC is a popular infostealer that’s been around for years and was observed in numerous high-profile campaigns. It is also constantly in development, with newer versions getting better at persistence, stealth, and infostealing capabilities.

This latest variant, used in this campaign, can pull data from more than 20 browsers, more than 100 cryptocurrency wallet browser extensions, more than 15 cryptocurrency wallet apps, the majority of chat apps, as well as VPN clients.

Via BleepingComputer

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.