
Endgame Gear Accidentally Spread Malware in Its OP1w 4k v2 Mouse Configuration Tool

Cpt.Jank (Staff member)
A recent blunder by Endgame Gear reveals why it might be best to opt for gaming peripherals that don't make you download or install any software in order to configure your hardware. Recently, a Reddit user u/Admirable-Raccoon597 discovered that the driver for the Endgame Gear OP1w 4K V2 gaming mouse, which we reviewed in June, was infected with malware. Specifically, it had installed an API commonly used for key logging. The infected configuration tool was seemingly on the site for as long as two weeks—from June 26th to July 9th—so anyone who downloaded the tool between those dates may have unwittingly infected their system.

The malware, which is known as XRed or the Synaptics Worm, reportedly created a hidden folder on user PCs, which is how it was found by the Reddit user in the first place. According to Malpedia, XRed "exfiltrates sensitive system information—such as the MAC address, username, and computer name—which is sent via SMTP to hardcoded email addresses. It also incorporates keylogging functionality through keyboard hooking techniques." To its credit, Endgame Gear removed the affected download immediately after being notified by another Redditor via Discord, effectively ensuring that nobody else who downloads the tool should be infected by the same link again. This also confirms that Endgame Gear was as much the victim here, since it was not deliberately infecting users with malware.

Initially, it seemed as though Endgame Gear would try to downplay the severity of the attack by simply replacing the affected download URL on the product page, but the company later issued a statement detailing exactly what went wrong, the measures it has put in place to prevent it happening again, and how users should proceed to make sure their data is safe. According to the announcement, only the configurator on the gaming mouse's product page was infected, so if you downloaded the tool via the main downloads page or the brand's GitHub repository, there should be no concern. Endgame Gear recommends that users verify the authenticity of the configuration tool by inspecting the file: open the .exe file properties and navigate to the "Details" tab. Infected files will display "Synaptics Pointing Device Driver" as the "Product name," while clean files will display "Endgame Gear OP1w 4k v2 Configuration Tool". If you find that your computer has been infected by the malware, Endgame Gear recommends that you immediately delete the .exe, enable hidden folders, check for the presence of "C:\ProgramData\Synaptics" and delete it and its contents, and, lastly, run a full virus and malware scan.

The full statement from Endgame Gear reads:
Dear Endgame Gear Customers,

We are issuing this statement to inform you of an isolated security incident involving a malware-infected version of our Configuration Tool for the OP1w 4k v2 mouse. This compromised file was distributed unnoticed via the OP1w 4k v2 product page on our brand store between June 26th and July 9th on this domain only: www.endgamegear.com/gaming-mice/op1w-4k-v2.

What happened: During the period of June 26th to July 9th, a version of the Configuration Tool for the Endgame Gear OP1w 4k v2 wireless mouse, available for download on the OP1w 4k v2 product page, was found to contain malware. We have since removed the infected file.

Please note: This issue was isolated to the OP1w 4k v2 product page download only. All other official sources for our software and firmware, including our main Downloads page (www.endgamegear.com/downloads), our GitHub repository (github.com/EndgameGear), and our Discord channel, were not affected and contained clean files. No other v2 products or their configuration tools were impacted.

We became aware of this situation involving one of our product pages through online discussions. Following this, we initiated an internal review to better understand the circumstances and address any potential issues. A clean version of the affected file was immediately published as soon as we identified the situation.

Importantly, access to our file servers was not compromised, and no customer data was accessible or affected on our servers at any time.

As an immediate response, we thoroughly checked all our hosted software and firmware files for malware, confirming no other files were infected. While our investigation into the exact point of compromise is ongoing, we have already implemented, and continue to implement, several significant security enhancements:

Implementation of additional malware scans for all files both before and after upload to our servers (done)
Reinforcing anti-malware protections on our hosting servers (done)
Discontinuing product page-specific downloads and centralizing all software downloads to our main Downloads page (ongoing)
Adding integrity verification: Providing SHA hashes for all downloads to allow users to verify file integrity (ongoing)
Adding digital signatures to all our software files to confirm authenticity (planned to be implemented ASAP)

We sincerely regret this incident and deeply apologize for any concern or inconvenience it may have caused. For Endgame Gear, the security and trust of our customers are paramount. We are fully committed to continuously improving our security protocols to prevent such events from occurring again.

Recommended actions for affected users:

If you downloaded the Configuration Tool for your OP1w 4k v2 from the product page on our brand store between June 26th and July 9th, we strongly recommend the following steps:

Identify potentially infected files:

File Size Check: Compare the file size of your "Endgame Gear OP1w 4k v2 Configuration Tool v1.00.exe". A clean unzipped file is approximately 2.3 MB (zipped: ~1.1 MB). The infected unzipped file is approximately 2.8 MB (zipped: ~1.4 MB).
File Details Check: Right-click on the file in Windows Explorer, select "Properties," and navigate to the "Details" tab. Infected files will display "Synaptics Pointing Device Driver" as the "Product name," while clean files will display "Endgame Gear OP1w 4k v2 Configuration Tool".

Remove the infected file and associated malware:

Immediately delete the downloaded file if it matches the characteristics of an infected file or if you are in any doubt.
Check for the presence of the folder "C:\ProgramData\Synaptics" (after enabling hidden files in Windows Explorer via "View" -> "Show" -> enable "Hidden items"). If this folder exists, delete it and its entire contents.
Perform System Scan: Run a full system scan with reputable antivirus software to ensure your system is clean.

Download the clean version of the OP1w 4k v2 Configuration Tool from our official Downloads page: www.endgamegear.com/downloads.

If you have further questions or are uncertain of what to do, please contact us at help@endgamegear.com.

We appreciate your understanding and continued support as we work to strengthen our security measures.

Sincerely,

The Endgame Gear Team

View at TechPowerUp Main Site | Source
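The verification steps in the article and in Endgame Gear's statement (file size, "Product name" on the Details tab, the hidden C:\ProgramData\Synaptics folder, and the SHA hashes the vendor says it will publish) can be run as one triage script. The script below is an added example for this thread, not Endgame Gear's own tooling: the default $ToolPath, the 2.6 MB size threshold between the stated ~2.3 MB clean and ~2.8 MB infected builds, and the $ExpectedSha256 placeholder are assumptions; replace the placeholder with the hash Endgame Gear publishes on its Downloads page. It only reports; removal of the .exe and the folder and the full AV scan are left to the operator, as the vendor describes.

```powershell
# Added example (not Endgame Gear's own tooling): check a downloaded copy of the
# OP1w 4k v2 Configuration Tool against the indicators in the vendor statement.
# Run from an elevated PowerShell prompt; adjust $ToolPath to where the file sits.
param(
    # Assumed default location; the file name is the one the vendor statement gives.
    [string]$ToolPath = "$env:USERPROFILE\Downloads\Endgame Gear OP1w 4k v2 Configuration Tool v1.00.exe",
    # Placeholder: replace with the SHA hash Endgame Gear publishes on its Downloads page.
    [string]$ExpectedSha256 = "<VENDOR-PUBLISHED-SHA256>"
)

$findings = @()

if (-not (Test-Path -LiteralPath $ToolPath)) {
    Write-Host "File not found: $ToolPath"
    return
}

$file = Get-Item -LiteralPath $ToolPath

# 1. File size check: the vendor states ~2.3 MB for a clean unzipped file and
#    ~2.8 MB for the infected one. The 2.6 MB cut-off is an assumed midpoint.
$sizeMB = [math]::Round($file.Length / 1MB, 2)
if ($sizeMB -ge 2.6) {
    $findings += "Size $sizeMB MB is closer to the infected build (~2.8 MB) than the clean one (~2.3 MB)"
}

# 2. Product name check: reads the same PE version resource Explorer shows on the Details tab.
$productName = $file.VersionInfo.ProductName
if ($productName -eq "Synaptics Pointing Device Driver") {
    $findings += "ProductName is '$productName' (infected indicator from the vendor statement)"
} elseif ($productName -ne "Endgame Gear OP1w 4k v2 Configuration Tool") {
    $findings += "ProductName is '$productName' (unexpected; a clean build reports 'Endgame Gear OP1w 4k v2 Configuration Tool')"
}

# 3. Hash check against the vendor-published value; skipped while the placeholder is still set.
$actualSha256 = (Get-FileHash -LiteralPath $ToolPath -Algorithm SHA256).Hash
if ($ExpectedSha256 -notlike "<*>" -and $actualSha256 -ne $ExpectedSha256) {
    $findings += "SHA256 $actualSha256 does not match the published hash $ExpectedSha256"
}

# 4. Host check: the folder the vendor names is hidden, so -Force is needed to see it.
$dropFolder = "C:\ProgramData\Synaptics"
if (Get-Item -LiteralPath $dropFolder -Force -ErrorAction SilentlyContinue) {
    $findings += "Hidden folder $dropFolder exists on this system"
}

# Report only; nothing is deleted automatically so a false positive cannot remove a clean file.
if ($findings.Count -eq 0) {
    Write-Host "No indicators from the vendor statement matched for: $ToolPath"
} else {
    Write-Host "Indicators matched for $ToolPath :"
    $findings | ForEach-Object { Write-Host " - $_" }
    Write-Host "Follow the vendor steps: delete the .exe, remove $dropFolder and its contents, then run a full antivirus scan."
}
```

The size check is the weakest of the four (a future clean build could legitimately grow), which is why the version-resource name and, once published, the SHA hash should carry the decision; the folder check tells you whether the tool has already run, not just whether the download is bad.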
 
I'm always paranoid this is gonna happen when I use peripheral configurators from lesser known brands. But look at the bright side, when it comes to malware and opening you up to vulnerabilities, even the biggest names in the industry can ensure that you're never safe!
 
At least they took responsibility and warned other people, as well as how to remove the malware.
Some companies will shift the blame saying "but you agreed to the terms of service and we ain't responsible" or something else.
 
At least they took responsibility and warned other people, as well as how to remove the malware.
Some companies will shift the blame saying "but you agreed to the terms of service and we ain't responsible" or something else.
tpu user typical build up nonsense.
 
Sure....
Welp, never buying from Endgame, putting them on the blacklist.
 
We have no idea how it happened, but don't worry, you are safe
 