
GTA V PC Mods Found Containing Keylogger Malware

Seems to be blowing up right now and has probably infected a lot of people at this point. There are GTAV mods out right now that contain this stealth malware; Angry Planes and No Clip are the mods carrying it. Your antivirus program will NOT pick it up as malware. The files have also been coming off as clean through various virus checkers, but it's been confirmed that they are infected. It's integrated with the ASI and is tied to the source code.

It essentially feeds your log in info directly to the admin's hand. Your YouTube, PayPal, Steam, Twitch, Facebook, etc. Not only does this apply to any log in info that you typed out as you were infected but it also grabs your log in info for accounts already logged in at that time.

ckck over at gtaforums posted a very interesting analysis.

If you downloaded any of the mods listed above, please check gtaforums on how to see if you are infected. You will also have to check your registry and change all your passwords. People are currently checking other GTAV mods right now.

http://gtaforums.com/topic/794383-malware-inside-angry-planes-noclip-mod/page-1

I'm going to chime in because I was also unwittingly infected on May 8th, by the Angry Planes ASI mod.

I was able to do a bit more sleuthing.

The initial code executed acts as a loader for another standard trojan (one of the many RAT trojans available out there).

The trojan that becomes resident in the system and appears as the csc.exe process is quite interesting.
It's very basic, but loads several modules that add capabilities to it. These modules can consist of pre-compiled DLLs or Visual C# and C# code which it will compile using the installed .NET Framework on the system.

The loader is highly obfuscated using Redgate SmartAssembly. The modules rolled out with the loader are included as an encrypted resource blob in the loader. Because of this, analyzing the compiled executable is very difficult. The easiest way to actually analyze the activity is to load the virus/malware into a virtual machine and capture memory dumps of the running process. This way you get most of the decoded DLLs/code which remain resident in memory.

I can confirm what the OP said about logging and also confirm that I located the encryption key. However, I did not spend the time to determine the procedures to decrypt the log file, as most of the contents were also unencrypted in memory.

My first clue that something was going wrong, and the first memory dump I got of the process in action was when the administrator of the trojan sent a command to start UDP flooding an IP in Denmark at around 10AM EST on May 11th.
According to the log, shortly before this UDP Flood module was activated, he also activated a Twitch chat flooding module.
The target of these attacks was:
http://www.twitch.tv...thedanishviking
77.68.209.7

Further investigation revealed the following modules active:

Facebook spam/credential stealing module
Twitch spam/credential stealing module
Messenger.com spam/credential stealing module
A Steam spamming module
A Steam module that evaluates the items in your inventory and their value based on current market value
A Keylogger module that logs individual button presses in an XML like format, it also includes information about context switches (switching from one app/window to another)
A UDP flooding module
There were others I hadn't deciphered and didn't see in action.

All of the spam/credential stealing modules above will attempt to rip your session cookies for each of the above sites from IE/Chrome/Firefox and use the credentials to do their thing.

It stores all this information in a Session#.bin file as described above and ships it to the RAT admin's server.


Now, here's the juiciest and most useful bit.
The C&C server is apcrypt.duckdns.org, which resolves to 45.58.121.105. It's a cheap Windows VPS with a company called https://www.cloudieweb.com/ which is utilizing a dedicated server rented from Choopa.com.
This server is running Remote Desktop on 3389 as well as a webserver, which I believe is acting as an endpoint/C&C server for the RAT. The RAT uses SSL to communicate with this server, so I was unable to spy on any of that activity in any meaningful way in the time I had available.


Tools used to investigate:
ProcessExplorer
WinDbg
Jetbrains DotPeek
Strings (https://technet.micr...s/bb897439.aspx)
Wireshark


IMPORTANT/TL;DR:
If you didn't read/understand all of the above the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged in sessions to Facebook/Twitch/Youtube/Steam are in his hands. Change all your passwords, logout and log back in to every site mentioned above to invalidate the existing session.

p.s. I will include some strings from the modules referenced above in the following post.

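An added detection example (my own code, not ckck's analysis or anything from the mod or RAT) that checks network log lines for the C&C indicators named in the analysis above (apcrypt.duckdns.org, 45.58.121.105, RDP on 3389) and flags the UDP-flood behaviour the post describes by counting outbound datagrams per destination. The log format, the flood threshold and every address other than the two C&C indicators are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the analysis post: C&C hostname, its IP, and the RDP port seen on it.
IOC_DOMAINS = {"apcrypt.duckdns.org"}
IOC_IPS = {"45.58.121.105"}
IOC_PORTS = {3389}

# Assumed log format: "<proto> <src> <dst>:<port> <detail>" (constructed, not a real capture).
LINE_RE = re.compile(r"^(?P<proto>dns|tcp|udp) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<detail>.*)$")

@dataclass(frozen=True)
class Alert:
    src: str
    reason: str

def scan_log(text: str, udp_flood_threshold: int = 100) -> list[Alert]:
    """Return one Alert per C&C indicator hit and one per (src, dst) pair that crosses the UDP threshold."""
    alerts: list[Alert] = []
    udp_counts: dict[tuple[str, str], int] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # constructed format only; anything else is skipped, not guessed at
        proto, src, dst, port, detail = m.group("proto", "src", "dst", "port", "detail")
        if proto == "dns":
            qname = detail.removeprefix("query=").lower().rstrip(".")
            if qname in IOC_DOMAINS:
                alerts.append(Alert(src, f"DNS lookup of C&C domain {qname}"))
        elif dst in IOC_IPS:
            label = "RDP" if int(port) in IOC_PORTS else proto.upper()
            alerts.append(Alert(src, f"{label} connection to C&C address {dst}:{port}"))
        if proto == "udp":
            key = (src, dst)
            udp_counts[key] = udp_counts.get(key, 0) + 1
            if udp_counts[key] == udp_flood_threshold:  # alert once, when the threshold is first crossed
                alerts.append(Alert(src, f"possible UDP flood: {udp_flood_threshold}+ datagrams to {dst}"))
    return alerts

def infected_hosts(alerts: list[Alert]) -> set[str]:
    return {a.src for a in alerts}

# Constructed sample: one host talks to the C&C (HTTPS and RDP) and floods a documentation-range IP.
SAMPLE_LOG = "\n".join(
    ["dns 10.0.0.5 10.0.0.1:53 query=apcrypt.duckdns.org",
     "tcp 10.0.0.5 45.58.121.105:443 syn",
     "tcp 10.0.0.5 45.58.121.105:3389 syn",
     "dns 10.0.0.7 10.0.0.1:53 query=store.steampowered.com",
     "tcp 10.0.0.7 203.0.113.9:443 syn"]
    + ["udp 10.0.0.5 198.51.100.20:80 len=1024"] * 150
)

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.src}: {a.reason}")
```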
 

etta

my hard graphic balls
The only thing I downloaded for it was Reshade and SweetFX, each from their official websites. This sucks, though. Shameless people.
 

jesu

Member
Sheeeit!
I'm in the clear, no GTAV or mods, but I take it it can steal your LastPass details too.
I'd be gutted if it happened to me.
 

Kinthalis

Banned
You never run an exe you got from a place you don't fully trust, that's just common sense.

Mods should be data files, and data files only. If it requires an .exe, you make damn sure you're downloading it from their website, you make damn sure the modder is known in the community, and you run the .exe through a malware/virus checker.

If you don't do any of these things.. well... this is what happens.

And also why things like the Steam workshop are a god send.
 
The only mods that require an exe that I'd use would be standalone installers for something like Stalker Complete, i.e. well-known reputable stuff from Moddb.com.
If a mod needs an exe, 9 times out of 10 I don't touch it. Mods should only ever really be copy & paste of data files.
 
You never run an exe you got from a place you don't fully trust, that's just common sense.

Mods should be data files, and data files only. If it requires an .exe, you make damn sure you're downloading it from their website, you make damn sure the modder is known in the community, and you run the .exe through a malware/virus checker.

If you don't do any of these things.. well... this is what happens.

And also why things like the Steam workshop are a god send.

But do you actually run an .exe when installing the mod? Because I thought the malware was hidden within the files.
 

Tenebrous

Member
You never run an exe you got from a place you don't fully trust, that's just common sense.

Mods should be data files, and data files only. If it requires an .exe, you make damn sure you're downloading it from their website, you make damn sure the modder is known in the community, and you run the .exe through a malware/virus checker.

If you don't do any of these things.. well... this is what happens.

And also why things like the Steam workshop are a god send.

The only mods that require an exe that I'd use would be standalone installers for something like Stalker Complete, i.e. well-known reputable stuff from Moddb.com.
If a mod needs an exe, 9 times out of 10 I don't touch it. Mods should only ever really be copy & paste of data files.

Easy peasy. People are just a tad daft, that's all.
 

KiraXD

Member
You never run an exe you got from a place you don't fully trust, that's just common sense.

Mods should be data files, and data files only. If it requires an .exe, you make damn sure you're downloading it from their website, you make damn sure the modder is known in the community, and you run the .exe through a malware/virus checker.

If you don't do any of these things.. well... this is what happens.

And also why things like the Steam workshop are a god send.

holy shit... the mods were exe? yeah, common sense tells you NEVER install or download an exe that you don't know and trust with all your heart.
 

Korezo

Member
So only mods that have an exe? Because I downloaded the Chromatic aberration removal mod, but have yet to extract or use it.
 

N° 2048

Member
Just reading that makes me want to do a full malware/virus scan when I get home tonight and I don't even have GTA V for the PC. I think I will.
 
Malwarebytes immediately caught and quarantined the trojan being carried by the Angry Planes mod when I used it. So it's not undetectable.

And no, the mods were not .exe files, but rather .asi files. Same risk though, obviously.
 

MUnited83

For you.
You never run an exe you got from a place you don't fully trust, that's just common sense.

Mods should be data files, and data files only. If it requires an .exe, you make damn sure you're downloading it from their website, you make damn sure the modder is known in the community, and you run the .exe through a malware/virus checker.

If you don't do any of these things.. well... this is what happens.

And also why things like the Steam workshop are a god send.

The only mods that require an exe that I'd use would be standalone installers for something like Stalker Complete, i.e. well-known reputable stuff from Moddb.com.
If a mod needs an exe, 9 times out of 10 I don't touch it. Mods should only ever really be copy & paste of data files.

holy shit... the mods were exe? yeah, common sense tells you NEVER install or download an exe that you don't know and trust with all your heart.

So only mods that have an exe? Because I downloaded the Chromatic aberration removal mod, but have yet to extract or use it.


It's not only exes. Malware can be in .ASI files as well.
 

JackHerer

Member
You never run an exe you got from a place you don't fully trust, that's just common sense.

Mods should be data files, and data files only. If it requires an .exe, you make damn sure you're downloading it from their website, you make damn sure the modder is known in the community, and you run the .exe through a malware/virus checker.

If you don't do any of these things.. well... this is what happens.

And also why things like the Steam workshop are a god send.

It doesn't say anything about running a .exe

This is a trojan that is embedded in the .asi file. These mods you just drop in the games folder with the appropriate mod tools installed and it just works.

I have installed 3 or 4 mods but luckily didn't try either of the two mods known to be affected. I will be keeping a close eye on this but not gonna panic yet.
 

Macrotus

Member
Wow... this is shocking.
I'm glad I haven't installed any mods yet.

I was also thinking of installing Skyrim soon which is backlogged and was considering to install mods for that game. But I guess I'll stay away from that too...
 
Malwarebytes immediately caught and quarantined the trojan being carried by the Angry Planes mod when I used it. So it's not undetectable.

And no, the mods were not .exe files, but rather .asi files. Same risk though, obviously.

Yup, that's the takeaway I got from this. If they're .asi, that probably means that when you launch the gtav .exe, they get loaded along with it.
 

Chesskid1

Banned
Does anybody know why don't the AVs pick up on these?

yeah it was in that long post/analysis, i think (i don't know what this stuff means)

The loader is highly obfuscated using Redgate SmartAssembly. The modules rolled out with the loader are included as an encrypted resource blob in the loader. Because of this, analyzing the compiled executable is very difficult. The easiest way to actually analyze the activity is to load the virus/malware into a virtual machine and capture memory dumps of the running process. This way you get most of the decoded DLLs/code which remain resident in memory.
 
Yup, that's the takeaway I got from this. If they're .asi, that probably means that when you launch the gtav .exe, they get loaded along with it.

Exactly. People need to be wary of script mods that make use of .asi files. I believe that .lua files should be safe, but I'm not 100% on that. Mods like the police rebalance mod should be safe, because they simply change some values in the game's xml and meta files, they don't activate scripts and potentially unwanted .exes.
 

Kadin

Member
So just to be safe, is Windows Defender (for 8.1) and Malwarebytes Anti-Malware still a good combo or is there something better to search and destroy for this type of stuff? I realize that this particular issue wasn't initially detected by an AV program but this is more general going forward.
 

KiraXD

Member
It's not only exes. Malware can be in .ASI files as well.

I guess because it's been a LONG time since I've been into modding. I actually have only ever been really into FFXI mods (change my looks and armor and colors and stuff, which were pretty much .dat modding and replacing... lol).
 

Tenebrous

Member
So just to be safe, is Windows Defender (for 8.1) and Malwarebytes Anti-Malware still a good combo or is there something better to search and destroy for this type of stuff? I realize that this particular issue wasn't initially detected by an AV program but this is more general going forward.

That should be more than enough for any moderately sensible PC user, yeah.
 

Durante

Member
Exactly. People need to be wary of script mods that make use of .asi files. I believe that .lua files should be safe, but I'm not 100% on that. Mods like the police rebalance mod should be safe, because they simply change some values in the game's xml and meta files, they don't activate scripts and potentially unwanted .exes.
Any code is potentially dangerous -- if the game loads a Lua script file you are relying on the game's sandboxing being safe, which is not necessarily the case.
 

KiraXD

Member
Any code is potentially dangerous -- if the game loads a Lua script file you are relying on the game's sandboxing being safe, which is not necessarily the case.

Not as easy as modding data files and replacing them these days? I'm out of the loop.
 
Any code is potentially dangerous -- if the game loads a Lua script file you are relying on the game's sandboxing being safe, which is not necessarily the case.

Perhaps, but I think it'd be a lot more difficult to obfuscate putting malware into a lua file. For instance, I'm using this mod right now.



With .asi files, you need to be able to decompile and look at the source code in order to ensure that it's completely safe.
 

QaaQer

Member
Use a dedicated machine for sensitive info, preferably one that runs a niche os like Chrome or Linux Mint; and use your other machine for fun n games.
 

jester_

Member
So just to be safe, is Windows Defender (for 8.1) and Malwarebytes Anti-Malware still a good combo or is there something better to search and destroy for this type of stuff? I realize that this particular issue wasn't initially detected by an AV program but this is more general going forward.

http://chart.av-comparatives.org/chart1.php

I would choose a different AV besides MSE if you are trying to be as safe as possible. Personally I love Bitdefender.
MBAM can run side-by-side with any AV.
 

Durante

Member
Perhaps, but I think it'd be a lot more difficult to obfuscate putting malware into a lua file. For instance, I'm using this mod right now.
Of course -- that's what I said in my first post about source availability. With script files, at least the source is always available. But you still need to look at it to be certain that it's safe.
 
You never run an exe you got from a place you don't fully trust, that's just common sense.

Mods should be data files, and data files only. If it requires an .exe, you make damn sure you're downloading it from their website, you make damn sure the modder is known in the community, and you run the .exe through a malware/virus checker.

If you don't do any of these things.. well... this is what happens.

And also why things like the Steam workshop are a god send.

So should I or should I not be downloading the Cinematic Mod for Half Life 2? It uses an .exe.
 

Thorgal

Member
Wow... this is shocking.
I'm glad I haven't installed any mods yet.

I was also thinking of installing Skyrim soon which is backlogged and was considering to install mods for that game. But I guess I'll stay away from that too...

You don't have to worry about Skyrim mods downloaded from Nexus.

All of the mods are perfectly safe there.

So don't let this stop you from modding Skyrim.
 
Just so you guys know, none of the mods listed were .exe files. Not EVERYone is stupid enough to fall for that. They were actually .asi files (a format used by the scripthook for the game) that executed and downloaded the keylogger whenever the scripthook booted and loaded the script.
 