Malware Delivered Through Blender Downloads on Third-Party Sites


Malicious Blender files uploaded to third-party download sites have turned out to contain infostealer malware.

According to Bleeping Computer, the campaign is linked to Russia and delivers the StealC V2 malware through third party marketplaces such as CGTrader.

Blender is a powerful and popular FOSS video editor. It is capable of rendering in 3D and is used for animation, visual effects, and even virtual reality, video games, and entire movies. It has been used widely in the entertainment industry on films and shows like Spider-Man 2, Captain America: The Winter Soldier, Wonder Woman, and the Academy Award-winning Flow.

Bleeping Computer notes that the attack was able to run because many users enable the "Auto Run" feature. If enabled, the malicious download would automatically fetch malware from an external resource, then proceed to silently install and run said malware. The malware is designed to be persistent across reboots and even comes with a second infostealer, possibly as a backup.

The latest StealC malware is capable of exfiltrating data from over 23 browsers, more than 100 cryptocurrency wallets, and over 15 crypto wallet apps. It can also steal data from Telegram and Discord, as well as VPN clients (including OpenVPN) and mail clients such as Thunderbird. All this while bypassing User Account Control (UAC), a pop-up on Windows that prompts users to confirm any major actions such as installing new software or running programs as administrator.

Bleeping Computer specifically mentions the use of Auto Run as a key attack vector here and offers instructions on how to disable it, but there are a couple of other possible points of defense in this scenario as well. For one, users should always get their software directly from the source (in this case, that means blender.org, which features a direct download link, or there's an official Snap available to Linux users). Users - particularly on desktop - are also strongly encouraged to create a non-admin account and do their day-to-day work there. A non-admin account requires not just a basic "yes or no" pop-up on Windows: the user must also enter the administrator password. This would likely thwart a basic UAC bypass.
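The mechanism described above (Auto Run executing Python embedded in a downloaded .blend file) and the advice to treat third-party downloads with suspicion suggest a triage step a defender can take without opening the file in Blender at all. The following is an added example, not code from the article or from the Blender project: a stand-alone Python scanner that walks the .blend container's block list, counts embedded Text datablocks (block code `TX`, which is where scripts live) and flags common script markers in block payloads. It assumes the classic 12-byte `BLENDER` header used through Blender 4.x and handles gzip-compressed files; the sample .blend bytes it builds are constructed for the demonstration, and the marker list and the `triage` wording are the example's own heuristics, not Blender's.

```python
import gzip
import struct
from dataclasses import dataclass, field

GZIP_MAGIC = b"\x1f\x8b"
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"
# Heuristic markers (example's own choice) that indicate embedded Python worth a look.
SUSPICIOUS_MARKERS = (b"import bpy", b"import os", b"import subprocess", b"urllib", b"exec(")


@dataclass
class BlendReport:
    version: str
    pointer_size: int
    text_blocks: int = 0
    total_blocks: int = 0
    markers_found: list = field(default_factory=list)


def parse_blend(data: bytes) -> BlendReport:
    """Walk the .blend block list and report embedded Text datablocks and script markers."""
    if data.startswith(GZIP_MAGIC):
        data = gzip.decompress(data)          # Blender <3.0 "Compress" option used gzip
    elif data.startswith(ZSTD_MAGIC):
        raise ValueError("zstd-compressed .blend: decompress with the zstd tool first")
    if len(data) < 12 or data[:7] != b"BLENDER":
        raise ValueError("not a .blend file (classic 12-byte header expected)")

    # Header: 'BLENDER', pointer size ('_' = 4 bytes, '-' = 8), endianness ('v' little, 'V' big), version.
    pointer_size = 8 if data[7:8] == b"-" else 4
    endian = "<" if data[8:9] == b"v" else ">"
    version = data[9:12].decode("ascii")
    report = BlendReport(version=version, pointer_size=pointer_size)

    # Each file block: 4-byte code, uint32 size, old memory address, uint32 SDNA index, uint32 count.
    head_fmt = endian + "4sI" + ("Q" if pointer_size == 8 else "I") + "II"
    head_len = struct.calcsize(head_fmt)
    pos = 12
    while pos + head_len <= len(data):
        code, size, _old_addr, _sdna, _count = struct.unpack_from(head_fmt, data, pos)
        pos += head_len
        code = code.rstrip(b"\x00")
        if code == b"ENDB":
            return report
        report.total_blocks += 1
        payload = data[pos:pos + size]
        if code == b"TX":                     # ID code for a Text datablock
            report.text_blocks += 1
        for marker in SUSPICIOUS_MARKERS:
            name = marker.decode()
            if marker in payload and name not in report.markers_found:
                report.markers_found.append(name)
        pos += size
    raise ValueError("truncated .blend: no ENDB block")


def triage(report: BlendReport) -> str:
    """Turn the report into a one-line verdict for an analyst."""
    if report.text_blocks == 0:
        return "no embedded text datablocks"
    if report.markers_found:
        return "review before enabling Auto Run: embedded script uses " + ", ".join(report.markers_found)
    return "embedded text present; inspect in Blender's Text Editor with Auto Run disabled"


def _block(code: bytes, payload: bytes, pointer_size: int = 8) -> bytes:
    """Build one little-endian file block (helper for the constructed sample)."""
    fmt = "<4sI" + ("Q" if pointer_size == 8 else "I") + "II"
    return struct.pack(fmt, code.ljust(4, b"\x00"), len(payload), 0xDEADBEEF, 0, 1) + payload


def build_sample_blend() -> bytes:
    """Constructed sample: a 64-bit little-endian v4.02 file with one mesh and one embedded script."""
    body = (
        _block(b"TX", b"\x00" * 32)                                        # Text datablock header
        + _block(b"ME", b"\x00" * 16)                                      # an unrelated mesh block
        + _block(b"DATA", b"import bpy\nimport os\nprint('embedded script')\n")  # the text's lines
        + _block(b"ENDB", b"")
    )
    return b"BLENDER-v402" + body


if __name__ == "__main__":
    sample = build_sample_blend()
    for label, blob in (("raw", sample), ("gzip", gzip.compress(sample))):
        rep = parse_blend(blob)
        print(f"[{label}] v{rep.version} blocks={rep.total_blocks} text={rep.text_blocks} -> {triage(rep)}")
```

Run it against a downloaded file with `parse_blend(open(path, "rb").read())` before the file is ever opened in Blender. The scan is a triage aid, not a verdict: a clean result says only that no Text datablock with obvious script markers was found, so the Auto Run setting (in Blender's Preferences, exposed to scripts as `bpy.context.preferences.filepaths.use_scripts_auto_execute`) should still stay off for files that did not come from blender.org.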

This attack illustrates the value of Defense in Depth, the practice of layering multiple levels of defense so that if one gets breached the others may still provide protection.

Thank you for reading this article. If you want to support our news briefs, guides, and videos please consider becoming a Privacy Guides member.
