I did the same thing to someone who attacked my gf in high school. They got her with subseven which was extremely easy to remove. Rather than just erase it, I took a copy home with me and analyzed it. Running the strings command uncovered the subseven signatures. Turns out there was tooling that allowed you to modify the binary and redistribute it. Except the binary had an ICQ address to alert him to my gf’s online presence. He also had his AIM screen name, full name and city in his profile.
So I socially engineered him by posing as a classmate. I told him I was going to come by to get the homework for English. He wasn’t sure but I somehow convinced him and got his address. I don’t know why they always talk to strangers, but just like the article the dude responded. I got my friend and we went to pay him a visit.
Rang his doorbell, “hi is this l33th4x0r?”. He nodded but had no clue who I was. I mentioned my gf’s screen name and you could see the color leave his face. He stuttered and stammered about how he was just playing and didn’t mean to cause any problems. I said some stern words then left him wondering wtf I was and what just happened.
Kinda wish I saved the details (screen name, address, etc) just because of how epic it was at the time.
I had fun with people on forums trying to get others to download keyloggers and the like. A lot of these were the stereotypical "script kiddies" who didn't know how much personal data they were giving away or even how the tools they used worked. I distinctly remember a few "C:\Documents and Settings\<uncommon first and last name>\...", from which I could find and sometimes phone them (often their parents would answer), but I drew the line at doing anything physical --- they were all far away anyway.
The most interesting results include apologies; one kid's father registered on the forum to post one for his son. Spamming a keylogger's logs with the physical address of its owner and "I know where you live" tends to cause them to repent in fear pretty quickly.
I used to just DDoS people’s AIM and messengers if they crossed me, as a phantom curse attached to them and they had no idea the cause.
I would chat with them as normal at the same time, chuckling to myself as they kept falling offline following a barrage of emoticons and requests from my army of chat bots that made their process run out of memory.
Eventually I’d bore of it. Or have one of the chatbots tell them not to cross someone again. In your scenario I probably would have said it was the person he got the exploit from, instead of making a link to someone I care about.
It's always PirateStealer, probably because it's open source so it's easy for people to pick up and use instead of exerting effort. Also, you can send a DELETE request to a Discord webhook without any auth, defusing the malware.
I'm still glad the DELETE thing works. I've reported these a few times with a complete writeup to Discord and all I got was a ticket being auto-closed after a month and the webhooks+servers still being up. I personally no longer bother reporting, just straight delete the webhook to stop the spread. Makes you wonder what their security/support team is doing with all those tickets.
Yes, you can send a DELETE to a Discord Webhook, but these malware projects have clocked on in most situations and now forward Webhooks through their own domains.
For the example of PirateStealer, the kid who made it ran a website where you posted your webhook and it spat out an exe that hid your webhook behind the domain. They even sold "premium" copies with additional security, but in reality, once they put the webhook behind their own domains they were dual-hooking, so the information was actually sent to 2 webhooks instead of just the 1.
Most of the services to create this malware now hide it behind a domain rather than directly exposing the Webhook, so shutting it down isn't as easy.
Interesting article, but this type of malware has been spreading for months now. PirateStealer is definitely the most popular but it's been shut down a few times by a discord group who are targeting this type of malware.
One of the tools they've built is https://sketchy.tel/ which can decompile piratestealer/extrack/bby.rip and more and shuts down the Webhook automatically.
There's a lot of other things we do in this community but I can't disclose it because we never know who's reading our messages and if they get found out the malware creators will adapt to stop us.
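As an added example, not code from this thread, from PirateStealer, or from the sketchy.tel tool mentioned above: a small Python triage script that follows the workflow the comments describe, namely run `strings` over the sample, pick out the URLs, and separate direct Discord webhooks (which the documented token-authenticated DELETE removes without any bot credentials) from exfil endpoints hidden behind another domain, where a DELETE does nothing and the dual-hooking problem described above applies. The `strings` output, the relay host `relay.example.invalid`, the webhook id/token and the helper names (`triage`, `is_discord_webhook`, `build_delete_request`, `delete_webhook`) are all constructed for this example.

```python
from __future__ import annotations

import re
import sys
import urllib.request
from dataclasses import dataclass

# Constructed sample of what `strings` might print for an unpacked stealer
# build (hypothetical values, not taken from any real sample). Line 2 is a
# direct Discord webhook; line 3 is an exfil endpoint hidden behind a
# third-party relay domain, the "hidden" build style the thread describes.
SAMPLE_STRINGS = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)\n"
    "https://discord.com/api/webhooks/123456789012345678/"
    "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijklmnopqrstuvwxyz\n"
    "https://relay.example.invalid/hook/7f3a\n"
    "%APPDATA%\\discord\\Local Storage\\leveldb\n"
)

# Webhook URL shapes Discord serves (discord.com / discordapp.com, optionally
# the canary or ptb subdomain): /api/webhooks/<id>/<token>.
DISCORD_WEBHOOK_RE = re.compile(
    r"^https://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+$"
)
ANY_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass(frozen=True)
class Finding:
    url: str
    kind: str   # "discord-webhook" or "hidden-endpoint"
    note: str


def is_discord_webhook(url: str) -> bool:
    return DISCORD_WEBHOOK_RE.match(url) is not None


def triage(strings_output: str) -> list[Finding]:
    """Pull every URL out of `strings` output and say what can be done about it."""
    findings = []
    for url in ANY_URL_RE.findall(strings_output):
        if is_discord_webhook(url):
            findings.append(Finding(url, "discord-webhook",
                "direct webhook: a token-authenticated DELETE removes the exfil channel"))
        else:
            findings.append(Finding(url, "hidden-endpoint",
                "not a Discord webhook URL: DELETE will not defuse it; the real webhook "
                "sits server-side (possibly dual-hooked), so report the domain instead"))
    return findings


def build_delete_request(url: str) -> urllib.request.Request:
    """Discord's 'Delete Webhook with Token' call needs no bot auth, only the URL."""
    if not is_discord_webhook(url):
        raise ValueError(f"refusing to DELETE a non-webhook URL: {url}")
    return urllib.request.Request(url, method="DELETE")


def delete_webhook(url: str, opener=urllib.request.urlopen) -> int:
    """Send the DELETE; Discord answers 204 No Content on success."""
    with opener(build_delete_request(url)) as resp:
        return resp.status


if __name__ == "__main__":
    findings = triage(SAMPLE_STRINGS)
    for f in findings:
        print(f"{f.kind:16} {f.url}\n    {f.note}")
    # Only with --delete does this touch the network, and only for direct webhooks.
    if "--delete" in sys.argv:
        for f in findings:
            if f.kind == "discord-webhook":
                print(delete_webhook(f.url), f.url)
```

Run it as-is to see the triage on the constructed strings; in practice you would pipe real `strings` output into `triage` and only pass `--delete` once you have confirmed the URL belongs to a sample you are taking down. The explicit refusal in `build_delete_request` is the point of the design: the 204 from Discord only ever tells you a direct webhook is gone, and a relay domain that returns 200 to anything has defused nothing.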
Malware detection relies on signatures and/or heuristics. Signatures won't work with a brand new malware that hasn't been seen before. Heuristics can also be defeated.
Antimalware is great for the low hanging fruit but don't expect it to detect something where the author has put effort into it.
As the maintainer of a moderately popular Minecraft mod, I deal with “ratted” versions all the time. They are often obfuscated with popular free tools that can be reversed, and they always seem to use Discord webhooks that can be instantly deleted. I’ve seen hundreds, and they never seem to evolve in their methods, though there have been some really nasty ones.
I don't know the specifics, but I'd assume not, Discord has made big steps recently in stopping this sort of malicious activity by adding the "Report Spam" feature as well as creating their own phishing link database to help detect spam in private messages.
Discord knows it's a big issue and I'd hope they've attempted to mitigate the malware but there's no way to stop the actual injection, so really all they can do is code shuffle frequently to make the injected code redundant, but that'd rely on doing releases frequently and hoping everyone updates just as frequently.
I don't know what the redirect was but given the article is behind the Medium paywall, if it was a t.co redirect, it was probably the submitter's way to let everyone skip the paywall.
Our discord got hit by the same shit, targeted at our game admins.
We are the largest open source multiplayer video game on GitHub, so (compromised) discord friends sending admins messages about "games they made" with exes in them was more effective than it should have been until news and announcements went out.
Why did you redact the identity of the scammer? Please name and shame them! These people need to be called out and it seems like you’ve got irrefutable proof.
These posts show up on every thread like this and it always strikes me as off. It's not that I think the scammer here deserves protection, but the impulse to "name and shame" makes me very uncomfortable.
I worry that supporting that impulse, even in cases like this, normalizes the use of internet lynch mobs to exact "justice" (for any subjective value of "justice" that can get enough steam).
Hey, I was not expecting a French speaker here :D Thanks for your comment ;) I'm just a beginner in malware analysis and I tried my best to give a starting point to people like me :)
izanagi1995|4 years ago
I just published on Hackernoon for the non-Medium members: https://hackernoon.com/about/thedevopsguy.
Also, you can find me on Twitter: https://twitter.com/a_devops_guy and Discord: https://discord.gg/FKuAky4K8M
Handytinge|4 years ago
It really hasn't changed.
https://github.com/Stanley-GF/PirateStealer/issues/53
thih9|4 years ago
Note that, though rare, some malware can escape from a VM: https://en.m.wikipedia.org/wiki/Virtual_machine_escape
oh_sigh|4 years ago
Not saying the author is a liar. But it sounds like you want to go on a crusade for them after just finding out they exist.
smorgusofborg|4 years ago
Or is that irrefutable proof of who was one of their victims?
caaqil|4 years ago
This is cute, but it's important to lose this naïveté/innocence if you want to analyze more sophisticated malware in the future.