@@cyberraiju Hey thanks for replying :D I actually have a really big desire to also become a teacher on RU-vid. And believe me when i say this 2 years i could not controlled some situations as a result still 0 videos.... I hope maybe we can get in touch
Just wanna say it's a very good video because you just managed to make me focus during a malware analysis which is quite rare. You explained everything very well and in detail so thanks and you just got a new sub :)
Academically interesting, but the foremost problem there would be Microsoft Windows. And Discord. It's not like the data sent using Discord is safe at all. But at least running something like a Flatpak of a web-version Discord client provides some kind of sandboxing.
Unfortunately due to the support and ease of use, Microsoft Windows and Discord remain the dominant operating system and software of choice for gamers. That being said, I believe if the roles were reversed we would still begin to see creative ways of doing this against alternative operating systems and software setups.
Wow 😮 you're right 🤣 Maybe this is a default token regex in whatever was used to build the malware as an Easter egg and they forgot to change it, or it's an egg by the malware author. Either way you win the internet today for picking up on this! 👏🔥
@@cyberraiju It's not related to the malware in any way. It's used by Discord for their authentication tokens and the functionality related to saving them in a some-what secure manner.
Came across this video because i just got hacked. They impersonated someone i knew and said something about a game to try and comment. I was stupid enough to download it. Stupider not suspect anything. This video at least told me what they could have access to or what they did get access. Since everything was token they only had a one time access. I since have reformatted my pc and changed all my passwords to what i thought they might have access to. But it was very stressful and scary. I came across this video cause the hackers tried sending me screenshots which showed my info. But also the program duvet they used. Good video. Stay safe everyone
This video has been a wake up call. I could've been infected by this and would've had no way of knowing. I need to get clean up my opsec act, STAT! Thanks for a great in-depth analysis!
Jhon Hammond v2? Nice, that's a sub. This is done in a very minimal way, only the malware and nothing else, but since the app.asar file isn't signed you could take any standard electron app that is already trusted, unpack it, inject your malware into one of the legitimate scripts and pack it back together. AVs will have no way to tell other than maybe the installer and runtime monitoring. One of my friends used a similar technique over a year ago, undetected to this day afaik.
Thanks a bunch! Yeah anything which requires an interpreter to run will continue to be a thorn for years to come. It's a love hate relationship with high level programming languages 😆
So cool that you decided to analyze one of my samples! Been tracking the C2s of this malware for a while, writing any YARA rule has been so difficult due to this crazy amount of obfuscation.. These electron based stealers have been appearing on Telegram lately, and seem to be the same exact malware just with different names.
Awesome work! Thanks again for sharing this one. I was definitely thinking in the back of my mind some of the ways a Yara rule could be created for it, especially when it's all packed. Are they changing the GUID in the NSIS installer? Or maybe targeting the obfuscation in the electron app itself is the way to go. Definitely a pain.
Oh no 😯😕 No, not that I'm aware of because it's very much targeting Discord so replication to a removable device doesn't seem to be a goal or anywhere I've seen in the code. That being said I haven't thoroughly gone over the script that appends to an infected Discord instance to see whether that included any logic to spread to other drives.
This malware seems to be going around by a lot of names but using the same website design and fake game. I saw it under the name of "Planets Therapy" on a video from The PC Security Channel.
Thanks for the heads up! I'll have to give it a look over and see what I can find. I think the main issue with naming it after the game it is pretending to be is it means it will probably get lots of different names. If it's based on something in the code itself that's unique or its behaviour it's more likely (hopefully) to be identified no matter what theme it's using in the future.
@@Nine_Divines there is a msi motherboard vulnerability if you dont enable maximum security its compability mode by default and it could get malware loaded into bios.
The keyword is 'could', but just because Secure Boot wasn't enabled doesn't mean this malware is being loaded inside the bios. For that to happen the malware would be dropping other specially crafted files or modifying specific files which then act as Bootkit or Rootkits, and this is a lot more challenging to get right than to just run the malware on your system 🙂
@@WitherForgeNot technically impossible, but the odds you specifically were targeted by such a sophisticated attack without anyone else raising the alarm is practically zero. You probably just ran something malicious without knowing it was.
Awesome. Thanks a lot. Just a feedback - If you open analytics of any video through RU-vid studio, you will find that mobile and desktop both users watches the videos. So from the next time please try to zoom more on the display so content gonna be perfect for all. Example: John Hammond's videos.
Thanks a bunch! The irony is these analytics are hidden on mobile so I couldn't see them. I can see them now and will keep this in mind for future videos. Cheers!
14:26 - Interesting how they check for a VM... just by calculating if the total amount of memory is smaller then 2GB. And why does he check the hostname against a blacklist? Just to prevent the virus running on the pcs of his "crew" or "family"? these names look really weird to me... And killing debuggers to prevent people reverse engineering his code?
The hostname check is likely known names used by online sandboxing tools. That way if someone was to upload it to free publicly available tools to perform dynamic analysis it would just exit and not perform the malicious activity which then makes it look clean to the online sandbox.
Oh no 😰 That's not good at all! Guess it may be time to change all your Discord credentials, log out of all Discord sessions and reinstall Discord on your system 😞
@@cyberraiju yeah I ran malwear bytes but after watching this I feel like I should. Reinstall. But I talked to some other victims of. “ARENA WARS” and they told me only there discord was compromised. But I swear on my lunch I saw a bot for discord. That had that same name in those exe files you where looking in.
I'm sorry to hear you had to go through that man 😞 Feel free to flick me a message if you're on any platform I'm on and can. I'm guessing it was a case of someone DMing you on Discord asking to play a new game, or a friend on Discord asking you to which had already been infected? 😬
For navigating A/B comparisons I highly recommend Beyond Compare, can diff folder trees and compressed formats and even binary so you can drill into the diffs by just clicking what you want to see diffed next.
cheers. Will have to sub on a few accounts :) - I too, initially thought you were Jon hammond at first glance ( the thumbnail) Semi similar features within the same genre. Anywho , good on y!
This is super interesting! The actor definitely put a lot of time into the front of the malware to make it seem legitimate. Great breakdown of everything. New sub here!
Absolutely! The juice is obviously worth the squeeze to someone that they're putting in more than your standard effort. Thanks for the kind words and the sub!
I appreciate how you explain every step, and especially every assumption and thought process you went through while analyzing this, and the information you used to come to those conclusions; extremely thorough and helpful.
Thanks so much! As someone who does this on the side for free, it can sometimes be difficult to know if the hours spent are turning into a video others enjoy and learn from or not, so comments like this are definitely valued 😄
Not really 😅. There's a number of channels which have great content, but it's not really inspired by any one. It is a unique style which is still being fleshed out, driven by my years of experience in both the industry and presenting publicly 😆
I don't mind technical videos about Windows, but when it comes to security some kind of acknowledgement that this is not a video about an open-source operating system, would be reassuring that you are helping non-technical users who don't know the difference. (Notice I tried to be unbiased by avoiding mentioning which open-source operating systems I prefer to use myself. 😉)
