Continued monitoring #1
I've just had a guy recommend this to me via Discord from my friend's hacked account. He suggested that I "spend 10 minutes to review a Unity video game", which after further examination turned out to be a password-protected Can I help in some way? I can provide chat logs or a malware sample for comparison.
Same, my friend's Discord account got hacked. They say it's a "surprise gift", but I did some digging on it: same website layout too, but a different name.
Edit: reverse-searched the image and it came from a game called "Fueled Up". Zip SHA-256: c1f60951b0a48de7284b35271e6f1648f0fd5271e6524dc56c4090996f23e83d. I'll try my best to report the website and the file to as many AV vendors as I can.
@Blob43 thanks for this! It's likely a new domain under the same actor -- I'll also report this to the same places and try to see if there's anything new in this version.
@rlidwka if you have a copy of the rar archive, you can message me on Twitter or Discord (@StuxVT on both) and we can discuss having you send it over. I can see if it's the same actor or maybe something new / a different variant.
According to my friend the actor gave out a name, "unrealberk", though I am not 100% sure if this is the actor's name or it's lying. Already took care of the reporting; emailed both the server provider, domain provider, Malwarebytes, Google, Microsoft, etc. And a question: how do you even deobfuscate it? Edit: the domain was registered 31 days ago.
@Blob43 New versions have reportedly started targeting Steam accounts and crypto wallets, with the main developer making an announcement on their Telegram channel. They share plenty of screenshots. There are many affiliates using the malware and some offering services for the fake game websites too. The buying and selling of accounts with Discord Nitro seems to be a big aspect, but as is to be expected a bunch of scammers sit in the channel and try to scam others out of money by pretending to sell access to stolen accounts, so it's causing some arguments amongst members. Linn has been fairly quiet of late, which has some complaining that the current builds are being detected by AV and that some of the webhooks aren't working.
Yes. I did see the video (thank you for your work!). It looks like Discord is useless for dealing with this. 3 websafe vendors already classified it as phishing or malicious; I'm just praying to Discord that they do something about it. I already tried to do the same thing you did (on a VM with FLARE VM) and I didn't find anything on the call stack.
Dang, that's disappointing :(
@JPMinty Thanks for your work as well on this, I also just watched your video! I wasn't aware that Duvetstealer was a thing as well. Perhaps a rename of the "Epsilon Group" variant or the real origin (not sure which came first). I have a few friends in the vtubing community overall that are actively aware of this now and funneling me new variants as they come up while informing non-compromised friends (but the latest one 404'd before I could grab it). You're welcome to reach out to Blob, but if they're busy I also have a copy with the password. Pinged you on Twitter if you'd like it.
@Blob43 yeah, it seems that Discord is extremely retroactive about responding to this. It's likely due to the nature of the attack vector: social engineering is largely a user-level failure (which can be mitigated by informing them, but not much else can be done, so I empathize with the difficulty of solving it). They could lock reported accounts, but I'm sure it's very difficult resource-wise to keep up.
https://forums.malwarebytes.com/topic/313972-try-my-game-scam-infostealer/
@Blob43 https[://]4[.]233[.]218[.]3 What you'd expect to see from one of these stealers. Makes different requests to this and stealit[.]vercel[.]app, so this looks to be used in the chain. Attached some of the de-obfuscated code that lands in memory. Still a mess, but you can see:
In case you're interested, I had to add some lines to my launch.json file to enable attaching to the debugger properly.
It appears to be a Telegram group; looks like postings of credit card info according to the JS code. Thankfully my friend terminated their Discord account.
And according to a Triage sandbox it also sent a request to dpaste.com.
This is pretty old, but I just discovered this repository after digging into this malware myself. It seems to use a large array which is encoded/encrypted using crypto; I've been working at decoding it for the past few hours and haven't made much progress. It's very well obfuscated.
@the-broz I recommend doing dynamic analysis on it instead. This virus is written in Electron, so you can set up an Electron project and run the code yourself, actually. (Make sure to properly sandbox it in a VM or something; as of the last time I checked this, there was no indication of an attempt at escaping the VM.) If you drop a breakpoint on each line and let it run, it will eventually decode the second stage for you, and you can pull it from the program memory in the debugger. Feel free to message me on Twitter or something if you need help.
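A launch.json for the debugger approach described above (an added example, not something posted by the thread's participants or shipped by the project): it assumes the sample's entry script has been placed as the `main` script of a throwaway Electron project inside the analysis VM, with `electron` installed as a local dev dependency, and it uses the standard VS Code Node debugger settings for Electron's main process. `stopOnEntry` pauses before the first line runs so breakpoints can be set before any of the decoding logic executes.

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Debug sample in Electron main process (analysis VM only)",
      "type": "node",
      "request": "launch",
      "cwd": "${workspaceFolder}",
      "runtimeExecutable": "${workspaceFolder}/node_modules/.bin/electron",
      "windows": {
        "runtimeExecutable": "${workspaceFolder}/node_modules/.bin/electron.cmd"
      },
      "args": ["."],
      "stopOnEntry": true,
      "outputCapture": "std"
    }
  ]
}
```

Once execution is paused after the decoding routine has run, the decoded second-stage string can be inspected in the Variables pane or copied out via the Debug Console rather than reconstructing it statically.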
Leaving this open as a way to discuss any future variants and add information here.