Malware inside Angry Planes & Noclip Mod


aboutseven


I did a scan with AVG and Malwarebytes and they found nothing.

Then I searched in regedit and this is the situation.

Am I fine?

[screenshot]

 

 

PLEASE ANSWER, IF YOU CAN!

I don't want to take any chances, I'm not even going to check for the virus... I'm formatting my SSD and changing the passwords on another PC.

I only have 2 important questions:

1- Is this virus capable of remaining on the hard disk (SSD) even after a complete format? I know some viruses can.

2- If that's the case, can the virus spread to other drives in the computer?

Anyway, I find this whole thread confusing.

If I wanted to check whether I'm infected (out of curiosity), how can I do it?

I have Avast, but I can install another antivirus if needed.

Thanks... I'm freaking out... really worried!!!!!!!!

You can be absolutely sure that formatting is going to erase it.

 

 

Ok, thanks.

How do I check for its presence?

Do I need to input some special type of scan into my antivirus?

I also heard you can check for fade.exe and the others on your own, but how?

Simply using the "SEARCH" feature in Windows?

Also, last question. Can I move some files from Documents (GTA V savegames) to another drive without transporting the virus?

I know... I'm a virus n00b but I'm super anxious right now :S

C:\Users\yourname\AppData\Local\Temp

Check for the file here, but I'd advise just formatting and changing passwords; it's the safest route.

Perhaps it's time for OpenIV to be open source.

Yeah, it would be great to have a few OpenIV clones with malware inside.

No thanks.

lewistair1

I installed the planes mod and now I'm concerned. I deleted the files but have not found fade.exe, nor has my antivirus picked up anything. I did find, however, that the registry entries (userinit and shell) were there. Is there anything else I have to do to remove the virus on top of deleting the registry entries and the .asi file?

Looks to be a pretty weak attempt to steal information. From what it looks like, if you used the mod and never rebooted, the malicious files shouldn't be in Windows memory anymore, since the attempt to run the executable was from a lame Windows Shell hook. Pretty stupid of the mod developers; all they got out of it was their vilification from all GTA-related communities. That's also assuming they weren't smart enough to hide their identity in any place the scripts were uploaded.

Also, that angry planes mod was really sh*tty. The effect was funny, but the programming was absolutely amateur.

A lesson is learned: with a community as immature and malevolent as GTA's, you should never run obfuscated code downloaded from untrusted sources. Hopefully GTA5-Mods goes through with their plan for stricter mod reviewing. It'd be safest just to ban the upload of any pre-compiled code.

Is it possible that this malware was only added in later versions of the script? I have the first release version and I can find no trace of fade.exe, the game doesn't start in windowed mode, there is no csc.exe running in the background, and there is no trace of the added "shell" that linked to it, as the OP posted.

[screenshot]

So is it possible this was added in a later version? I never had the noclip mod installed so I can't say for that. But I ran the game right after I read this to make sure that it wasn't running in the background, and I've had it installed and running for a few weeks now.

No, that cannot be possible, as fade.exe has been in my quarantine since day 1. This was May 8th and I am usually quick with testing and showing mods.

iOnlyEatCops

So what do you do if you do find Fade in your temp? What's the best way of deleting it?


you should never run obfuscated code downloaded from untrusted sources

This code is not obfuscated. Still, how would a regular user find out? Can't expect people to RE mods before they install them.


lewistair1

Well, apparently deleting userinit means you cannot log on the next time you try.
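Added example, not from any post in this thread: a PowerShell audit of the two Winlogon values mentioned above (Shell and Userinit) that restores the stock values rather than deleting them, since deleting Userinit is exactly what leaves the account unable to log on. It assumes a default install (so %SystemRoot% is C:\Windows) and that the hook sits in the HKLM or HKCU Winlogon key; it does not know the exact value the mod wrote, so it reports every launch entry that is not stock.

```powershell
# Added example (not from this thread): audit Winlogon Shell/Userinit and restore the
# stock values instead of deleting them. Run from an elevated PowerShell prompt.
# Assumption: default install, so %SystemRoot% is C:\Windows. The exact value the mod
# wrote is not known from the thread; anything that is not stock is reported.
$ErrorActionPreference = 'Stop'

$stock = @{
    Userinit = 'C:\Windows\system32\userinit.exe,'   # the trailing comma is normal
    Shell    = 'explorer.exe'
}
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override
)

function Split-LaunchList ([string]$Value) {
    # Both values are comma-separated launch lists; malware appends itself to the end.
    ($Value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Get-WinlogonHooks {
    foreach ($key in $winlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $stock.Keys) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }   # HKCU normally defines neither value
            $stockEntries = Split-LaunchList $stock[$name]
            $extra = @(Split-LaunchList $prop.Value | Where-Object { $stockEntries -notcontains $_ })
            # Any per-user Shell/Userinit is non-stock, even if its text looks harmless.
            if ($extra.Count -gt 0 -or $key -like 'HKCU:*') {
                [pscustomobject]@{ Key = $key; Value = $name; Current = $prop.Value; Extra = ($extra -join ' | ') }
            }
        }
    }
}

function Restore-WinlogonDefaults {
    # Overwrite, never delete: removing Userinit leaves the account unable to log on.
    foreach ($name in $stock.Keys) {
        Set-ItemProperty -Path $winlogonKeys[0] -Name $name -Value $stock[$name]
    }
    # A per-user copy of either value is not stock at all, so drop it if present.
    foreach ($name in $stock.Keys) {
        if (Get-ItemProperty -Path $winlogonKeys[1] -Name $name -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $winlogonKeys[1] -Name $name
        }
    }
}

$hooks = @(Get-WinlogonHooks)
if ($hooks.Count -eq 0) {
    'Winlogon Shell and Userinit are stock.'
} else {
    $hooks | Format-Table -AutoSize
    'Review the Extra column, copy those files somewhere for analysis, then run Restore-WinlogonDefaults.'
}
```

Collect whatever the Extra column points at before restoring, because the path in the registry value is the only link back to the dropped executable once the Temp folder has been cleaned.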

I'm going to chime in because I was also unwittingly infected on May 8th, by the Angry Planes ASI mod.

I was able to do a bit more sleuthing.

The initial code executed acts as a loader for another standard trojan (one of the many RAT trojans available out there).

The trojan that becomes resident in the system and appears as the csc.exe process is quite interesting.

It's very basic, but loads several modules that add capabilities to it. These modules can consist of pre-compiled DLLs or Visual C# and C# code which it will compile using the .NET Framework installed on the system.

The loader is highly obfuscated using Redgate SmartAssembly. The modules rolled out with the loader are included as an encrypted resource blob in the loader. Because of this, analyzing the compiled executable is very difficult. The easiest way to actually analyze the activity is to load the virus/malware into a virtual machine and capture memory dumps of the running process. This way you get most of the decoded DLLs/code which remain resident in memory.

I can confirm what the OP said about logging and also confirm that I located the encryption key. However, I did not spend the time to determine the procedure to decrypt the log file, as most of the contents were also unencrypted in memory.

My first clue that something was going wrong, and the first memory dump I got of the process in action, was when the administrator of the trojan sent a command to start UDP flooding an IP in Denmark at around 10AM EST on May 11th.

According to the log, shortly before this UDP flood module was activated, he also activated a Twitch chat flooding module.
The target of these attacks was:
77.68.209.7
Further investigation revealed the following modules active:
Facebook spam/credential stealing module
Twitch spam/credential stealing module
Messenger.com spam/credential stealing module
A Steam spamming module
A Steam module that evaluates the items in your inventory and their value based on current market value
A keylogger module that logs individual button presses in an XML-like format; it also includes information about context switches (switching from one app/window to another)
A UDP flooding module
There were others I hadn't deciphered and didn't see in action.
All of the spam/credential stealing modules above will attempt to rip your session cookies for each of the above sites from IE/Chrome/Firefox and use the credentials to do their thing.
It stores all this information in a Session#.bin file as described above and ships it to the RAT admin's server.
Now, here's the juiciest and most useful bit.
The C&C server is apcrypt.duckdns.org, which resolves to 45.58.121.105. It's a cheap Windows VPS with a company called https://www.cloudieweb.com/ which is utilizing a dedicated server rented from Choopa.com.
This server is running Remote Desktop on 3389 as well as a webserver, which I believe is acting as an endpoint/C&C server for the RAT. The RAT uses SSL to communicate with this server, so I was unable to spy on any of that activity in any meaningful way in the time I had available.
Tools used to investigate:
ProcessExplorer
WinDbg
JetBrains dotPeek
Wireshark
IMPORTANT/TL;DR:
If you didn't read/understand all of the above, the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged-in sessions to Facebook/Twitch/YouTube/Steam are in his hands. Change all your passwords, log out and log back in to every site mentioned above to invalidate the existing session.
p.s. I will include some strings from the modules referenced above in the following post.
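Added example, not part of ckck's analysis: a PowerShell sweep for the indicators the post above names (fade.exe and init.exe in %TEMP%, the Session<N>.bin logs, a resident csc.exe, and traffic to apcrypt.duckdns.org / 45.58.121.105). It answers the repeated "how do I check" questions in this thread with something more reliable than Windows Search. Assumptions: Windows 8 / Server 2012 or newer, for Get-NetTCPConnection and Get-DnsClientCache; the duckdns name is dynamic, so the IP is only the one observed at the time of the post; init.exe is included because a later post in this thread mentions it.

```powershell
# Added example (not from ckck's post): sweep one machine for the indicators listed above.
# Indicators are those stated in the thread; nothing here is a signature for the loader itself.
# Assumptions: Windows 8 / Server 2012 or newer (Get-NetTCPConnection, Get-DnsClientCache);
# the duckdns name is dynamic, so the IP is the one observed at the time of the post.
$c2Host = 'apcrypt.duckdns.org'
$c2Ip   = '45.58.121.105'

function Find-ThreadIndicators {
    $findings = [System.Collections.Generic.List[string]]::new()
    $temp = [System.IO.Path]::GetTempPath()   # %TEMP%, where fade.exe was reported

    # 1. Dropped executables and the Session<N>.bin logs the RAT ships to its admin.
    foreach ($pattern in 'fade.exe', 'init.exe', 'Session*.bin') {
        Get-ChildItem -Path $temp -Filter $pattern -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                $findings.Add("file  $($_.FullName)  sha256=$hash  written=$($_.LastWriteTimeUtc.ToString('u'))")
            }
    }

    # 2. csc.exe is the .NET C# compiler. The RAT shows up under that name and also invokes
    #    the real compiler for its modules, so record path, parent and command line of each.
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'csc.exe'") {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $findings.Add("proc  pid=$($p.ProcessId) path=$($p.ExecutablePath) parent=$($parent.Name) cmd=$($p.CommandLine)")
    }

    # 3. Live TCP sessions to the C&C address, and cached DNS answers for its name.
    foreach ($c in Get-NetTCPConnection -RemoteAddress $c2Ip -ErrorAction SilentlyContinue) {
        $findings.Add("net   pid=$($c.OwningProcess) $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) $($c.State)")
    }
    foreach ($d in Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$c2Host*" -or $_.Data -eq $c2Ip }) {
        $findings.Add("dns   $($d.Entry) -> $($d.Data)")
    }
    return ,$findings
}

$findings = Find-ThreadIndicators
if ($findings.Count -eq 0) {
    'No thread indicators found. Absence is not proof: if the mod ran, keystrokes and sessions may already be gone, so rotate passwords anyway.'
} else {
    $findings
}
```

A csc.exe whose parent is a build tool (devenv.exe, MSBuild.exe) and that exits within seconds is normal; one that stays resident with no such parent is the case the post describes. The TLS to the C&C means the connection list is the useful network signal, not packet contents.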

Darth_Clark

.asi shows clean because the antivirus has no signature match, so it goes into dynamic analysis, i.e. emulating library execution, and still finds nothing because this stuff is called only when the script starts in-game (no proper environment for the antivirus). So there will be signatures in AV databases soon for the downloader function inside the .asi; signatures for the logger which it downloads are already in 1/4 of antiviruses.

Is the downloader function working through GTA5.exe?

If so, does it mean I won't be infected if I blocked GTA5.exe in my Windows firewall, since the trojan couldn't get the keylogger exe from the hacker's site?

I've made a cracked copy of the game for playing mods while keeping my legal copy clean for playing Online. And I blocked the cracked GTA5.exe from reaching the internet.

I didn't find either fade.exe or init.exe, and nothing in my AV history.

Igor Bogdanoff

And now let's call spiderman to get that douchebag!


I didn't find any trace of fade.exe nor the registry keys on my computer. I only used the noclip. I uninstalled the mod.

Am I safe from it? I ran CCleaner a few hours ago and I didn't know about it then. Even if the program was there and is now gone, if there are no registry entries then I should be good? I use both Malwarebytes and ESET and they never alerted me.

p.s. I will include some strings from the modules referenced above in the following post.

Great analysis! Thank you :)


BS_BlackScout

That's some real, real, real f*cked up analysis.

Still, we need to go deeper xD

Great job :D

Edited by TrustedInstaller

p.s. I will include some strings from the modules referenced above in the following post.

 

@ckck Thank you for that information - I can confirm that both Angry Planes and No Clip were uploaded by IP addresses from Denmark.

Edited by rappo

iOnlyEatCops

Deleted the folder that Fade.exe was in. Is my registry good or do I need to delete anything?

 

[screenshot]

MarshallRawR

 

IMPORTANT/TL;DR:
If you didn't read/understand all of the above the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged in sessions to Facebook/Twitch/Youtube/Steam are in his hands.

 

 

If my antivirus picked it up before all my password changes, am I fine?



What if fade.exe was detected and quarantined?

Epic analysis. How do we know what's wrong in the registry and what to remove?

Delete all files in this folder, C:\Users\YOU\AppData\Local\Temp, and problem solved. Now scan your PC.

According to what i saw and read it doesn't sound like a state of the art malware guys, actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.

Edited by Drkz

Was someone using us to get more visitors to their Twitch page?

I would think someone was using people to flood a Twitch page to attack someone's stream.

Edited by ZZCOOL

jippa_lippa

Fellas, regarding the NOCLIP MOD only (I didn't use the other one), something doesn't feel right.

Is the mod ITSELF infected, or is there a chance that only the one uploaded to GTA5-Mods is infected?

I downloaded mine from here:

www.gtaall.com/gta-5/mods/60829-noclip.html

And I don't have any "fade.exe" in my temp folder.

By the way, I'm super pissed, because the noclip mod is actually very useful for recording videos!!! Might we see it one day in the official Native Trainer?

Edited by jippa_lippa

According to what i saw and read it doesn't sound like a state of the art malware guys, actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.

Can you tell me exactly which ones I shall remove?

According to what i saw and read it doesn't sound like a state of the art malware guys, actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.

What should we look for in the registry? I've searched for both types of .exe and found nothing; is there anything we should be looking out for? I'd like to be 1000% sure it's not running/removed and clean from the reg before changing all my passwords, for obvious reasons :)

Does anyone else have an idea if this would steal PuTTY sessions?? I've been SSH'd into my servers/clients' servers all day with bloody work...

Edited by LoneMerc

Strings from the running Twitch module:

 

 

<Module>

yuilgy0y.dll

EntryPoint

Bot

mscorlib

System

Object

_userAgentArray

_targetChannel

Main

.ctor

System.Net

CookieContainer

_cookieContainer

_channel

_randomUrl

_userAgent

Setup

Run

Get

channel

userAgent

url

System.Runtime.CompilerServices

CompilationRelaxationsAttribute

RuntimeCompatibilityAttribute

yuilgy0y

Random

Next

System.Threading

ThreadStart

Thread

Start

.cctor

String

ToLower

Concat

Console

WriteLine

Replace

System.Text.RegularExpressions

Regex

Match

Group

get_Success

GroupCollection

get_Groups

get_Item

Capture

get_Value

System.Web

HttpUtility

UrlEncode

RegexOptions

MatchCollection

Matches

get_Count

Int32

Sleep

Contains

WebRequest

Create

HttpWebRequest

set_CookieContainer

set_Timeout

set_ReadWriteTimeout

set_UserAgent

WebHeaderCollection

get_Headers

System.Collections.Specialized

NameValueCollection

Add

set_Referer

WebResponse

GetResponse

HttpWebResponse

System.IO

Stream

GetResponseStream

StreamReader

TextReader

ReadToEnd

Setup failed

Setup OK

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1b2pre) Gecko/20081015 Fennec/1.0a1

Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

brianthedanishviking

http://api.twitch.tv/api/channels/

/access_token

No access token response

"token":"(.*?)","sig":"(.*?)",

No token match

http://usher.twitch.tv/api/channel/hls/

.m3u8?token=

&sig=

No select response

http(s)?://([\w+?\.\w+])+([a-zA-Z0-9\~\!\@\#\$\%\^\&\*\(\)_\-\=\+\\\/\?\.\:\;\'\,]*)?

No URLs

{0} URLs

Update

#EXT-X-ENDLIST

X-Requested-With

ShockwaveFlash/16.0.0.235

http://www.twitch.tv/

<X W

z\V

WrapNonExceptionThrows

_CorDllMain

mscoree.dll

VS_VERSION_INFO

VarFileInfo

Translation

StringFileInfo

000004b0

FileDescription

FileVersion

0.0.0.0

InternalName

yuilgy0y.dll

LegalCopyright

OriginalFilename

yuilgy0y.dll

ProductVersion

0.0.0.0

Assembly Version

0.0.0.0

!This program cannot be run in DOS mode.

aOU

.text

`.rsrc

@.reloc

p*r

*BSJB

v4.0.30319

#Strings

#US

#GUID

#Blob

 

 

 

Strings from the running Steam Inventory evaluation module:

 

 

<Module>

02bjg5dv.dll

EntryPoint

Response

MemoryReader

ByteArrayRocks

mscorlib

System

Object

Main

Main2

Get

.ctor

System.Net

HttpWebResponse

HttpResponse

ResponseString

BlockSize

CloseHandle

OpenProcess

ReadProcessMemory

_processId

_handle

OpenHandle

System.Collections.Generic

List`1

FindPattern

Empty

Locate

IsMatch

IsEmptyLocate

url

cookie

hObject

processAccess

bInheritHandle

processId

hProcess

lpBaseAddress

buffer

System.Runtime.InteropServices

InAttribute

OutAttribute

size

lpNumberOfBytesRead

MemoryAddress

bytesToRead

bytesRead

pattern

self

candidate

array

position

System.Runtime.CompilerServices

CompilationRelaxationsAttribute

RuntimeCompatibilityAttribute

02bjg5dv

ToString

Exception

System.Diagnostics

Process

GetProcessesByName

System.Text

Encoding

get_UTF8

GetBytes

get_Id

Enumerator

GetEnumerator

get_Current

IntPtr

op_Explicit

GetString

Contains

Add

MoveNext

IDisposable

Dispose

get_Count

String

Concat

System.Text.RegularExpressions

Regex

Match

Group

get_Success

GroupCollection

get_Groups

get_Item

Capture

get_Value

Kill

System.Threading

Thread

Sleep

op_Inequality

op_Equality

MatchCollection

Matches

Int32

System.Collections

IEnumerator

WebRequest

Create

HttpWebRequest

WebHeaderCollection

get_Headers

HttpRequestHeader

Set

WebResponse

GetResponse

System.IO

Stream

GetResponseStream

StreamReader

TextReader

ReadToEnd

Close

DllImportAttribute

kernel32.dll

Zero

Byte

ToInt32

ToArray

.cctor

steamwebhelper

No process found

7656119??????????%7c%7c

No logins found

http://steamcommunity.com/home

steamLogin=

g_steamID = "(.*?)";

http://steamcommunity.com/profiles/

/inventory/json/730/2/

No inventory

"market_name":"(.*?)","name_color":"(.*?)","background_color":"(.*?)","type":"(.*?)","tradable":(.*?),

z\V

WrapNonExceptionThrows

_CorDllMain

mscoree.dll

VS_VERSION_INFO

VarFileInfo

Translation

StringFileInfo

000004b0

FileDescription

FileVersion

0.0.0.0

InternalName

02bjg5dv.dll

LegalCopyright

OriginalFilename

02bjg5dv.dll

ProductVersion

0.0.0.0

Assembly Version

 

 

 

 

Strings from the Facebook information stealing module:

 

 

wpcdrdeu.dll

EntryPoint

CookieHelper

CryptProtectPromptFlags

CRYPTPROTECT_PROMPTSTRUCT

DATA_BLOB

SQLiteHandler

record_header_field

sqlite_master_entry

table_entry

mscorlib

System

Object

Enum

ValueType

_currentCookie

Main

HttpGet

.ctor

System.Collections.Generic

List`1

GetCookieList

TryReadCookies

CryptUnprotectData

Decrypt

value__

CRYPTPROTECT_PROMPT_ON_UNPROTECT

CRYPTPROTECT_PROMPT_ON_PROTECT

cbSize

dwPromptFlags

hwndApp

szPrompt

cbData

pbData

db_bytes

encoding

field_names

master_table_entries

page_size

SQLDataTypeSize

table_entries

ConvertToInteger

CVL

GetRowCount

GetTableNames

GetValue

GVL

IsOdd

ReadMasterTable

ReadTable

ReadTableFromOffset

size

type

row_id

item_type

item_name

astable_name

root_num

sql_statement

content

url

allowedNames

browser

file

cookieList

pDataIn

szDataDescr

pOptionalEntropy

pvReserved

pPromptStruct

dwFlags

pDataOut

Datas

baseName

startIndex

Size

endIndex

row_num

field

value

Offset

TableName

System.Runtime.CompilerServices

CompilationRelaxationsAttribute

RuntimeCompatibilityAttribute

wpcdrdeu

Add

System.Text

StringBuilder

Enumerator

GetEnumerator

get_Current

String

IsNullOrEmpty

System.Text.RegularExpressions

Regex

MatchCollection

Matches

get_Count

Match

get_Item

GroupCollection

get_Groups

Group

Capture

get_Value

Replace

AppendFormat

MoveNext

IDisposable

Dispose

ToString

Exception

System.Net

WebRequest

Create

HttpWebRequest

set_Method

set_AllowAutoRedirect

WebHeaderCollection

get_Headers

System.Collections.Specialized

NameValueCollection

WebResponse

GetResponse

HttpWebResponse

System.IO

Stream

GetResponseStream

Encoding

get_UTF8

StreamReader

TextReader

ReadToEnd

.cctor

Environment

SpecialFolder

GetFolderPath

Path

Combine

Directory

Exists

DirectoryInfo

GetDirectories

FileSystemInfo

get_FullName

File

Console

WriteLine

Empty

ToLower

Contains

get_Length

get_Default

GetBytes

System.Runtime.InteropServices

DllImportAttribute

Crypt32.dll

GCHandle

GCHandleType

Alloc

AddrOfPinnedObject

Free

IntPtr

Zero

Byte

Marshal

Copy

GetString

Substring

FlagsAttribute

StructLayoutAttribute

LayoutKind

<PrivateImplementationDetails>{8BBC7D72-C61E-48B2-B139-18F84516FABA}

CompilerGeneratedAttribute

__StaticArrayInitTypeSize=10

$$method0x6000009-1

RuntimeHelpers

Array

RuntimeFieldHandle

InitializeArray

Microsoft.VisualBasic

FileSystem

OpenMode

OpenAccess

OpenShare

FileOpen

LOF

Strings

Space

FileGet

Int32

FileClose

CompareTo

Decimal

Compare

BitConverter

ToInt64

op_Equality

Microsoft.VisualBasic.CompilerServices

Utils

CopyArray

Convert

ToInt32

Subtract

ToUInt16

ToUInt64

Int64

Math

Round

get_Unicode

get_BigEndianUnicode

Multiply

IndexOf

Char

Split

LTrim

Conversions

c_user

https://m.facebook.com/settings/account/

<br /><span class="(.*?)">(.*?)</span>

@

[{0}] [Alias: {1}] [Email: {2}] [Cookies: {3}] [Language: {4}]

FacebookData

GET

Cookie

Google

Chrome

User Data

Cookies

Mozilla

Firefox

Profiles

cookies.sqlite

moz_cookies

cookies

host

host_key

.facebook.com

name

value

encrypted_value

{0}={1};

SQLite format 3

Not a valid SQLite 3 Database File

Auto-vacuum capable database is not supported

table

UNIQUE

z\V

WrapNonExceptionThrows

_CorDllMain

mscoree.dll

VS_VERSION_INFO

VarFileInfo

Translation

StringFileInfo

000004b0

FileDescription

FileVersion

0.0.0.0

InternalName

wpcdrdeu.dll

LegalCopyright

OriginalFilename

wpcdrdeu.dll

ProductVersion

0.0.0.0

Assembly Version

0.0.0.0

 

 

 

If you have any questions or requests let me know and I'll see if I can figure out more. I don't have a ton of time to spend on it as my lunch break is over.


This topic is now closed to further replies.