DaXcess / LCVR

Collecting Scrap in VR
https://lcvr.daxcess.io
GNU General Public License v3.0

LCVR Thunderstore/NexusMods Malware #29

Closed Graystevo closed 10 months ago

Graystevo commented 11 months ago

Running the mod version 1.0.1 from thunderstore (which is no longer available now) caused the entirety of the game to no longer launch, and it forces steamVR into throwing errors for all other applications. Fresh installs of all the above don't seem to matter, leading me to believe something else was changed by this. Verified with another user who also had identical problems to me in the group.

EDIT:

Upon further digging, it seems to have corrupted some Windows .NET files. Here is a screenshot of the SteamVR error code: [image]

DaXcess commented 11 months ago

Hey there, I'm really sorry that this happened but the mod on thunderstore was an impersonator and the mod you downloaded was malware.

I would highly suggest you change your password on all your accounts since they might be compromised. I'll try and see if I can get a hold of the malicious mod file and see if I can reverse engineer it and see the damage that it has caused.

Graystevo commented 11 months ago

I can send you an import profile code for r2 that had the mod in the pack.

DaXcess commented 11 months ago

> I can send you an import profile code for r2 that had the mod in the pack.

Oh that would be awesome!

Graystevo commented 11 months ago

> I can send you an import profile code for r2 that had the mod in the pack.
>
> Oh that would be awesome!

I believe this import code has the malware file in it. Don’t use it if ya don’t want malware lmao. I imagine it’s only activated by the game being run with the mod enabled, but I can’t really confirm that.

018cc34a-529e-4350-2c5f-e83521cb672c

DaXcess commented 11 months ago

Hmm there don't seem to be any downloadable files, could you send the profile over a DM on Discord? My acc is @rodabafilms

DaXcess commented 11 months ago

Hid a few comments to clear up this space. I'll try and post updates in here for when I find out more about the malicious mod that was uploaded to Thunderstore.

DaXcess commented 11 months ago

The malware appears to be an open source RAT named Quasar. The C2 server is located at 146.70.51.74:4782 (TorGuard VPN with port forwarding). I believe this malware is completely fileless and uses the registry to store the payload and task scheduler for persistence.

Here are the IoCs that you can use to see if you have been infected (and if you clear them all the malware should be gone): [screenshots]

AyOhEe commented 11 months ago

Has the mod been taken off of thunderstore yet? This is rather concerning.

DaXcess commented 11 months ago

> Has the mod been taken off of thunderstore yet? This is rather concerning.

Yes it was taken offline before I even knew about it

alexderpyfox commented 11 months ago

can this be removed with malwarebites?

DaXcess commented 11 months ago

> can this be removed with malwarebites?

Not sure, I myself am not using any Antivirus so I don't even know if it's detected (since this malware is fileless). You could however check for indicators of compromise (my comment in this issue with the images), and deleting the scheduled task and immediately rebooting should get rid of the persistence (kills the malware).

Good Antivirus should detect this however.

DaXcess commented 10 months ago

Not much happened with this lately but I've got some updates about this.

The malware appeared to be a special modified version of Quasar named SeroXen. This malware is much more complex than expected, and contains an entire rootkit that makes itself hidden (so if you were infected and you looked in the places I put in the screenshots you might have seen nothing even though you were infected).

So some user bought this software and created an infected version of LCVR with it. The owner of SeroXen (different person) contacted me and informed me that they have banned the user (there is no real way to confirm this, but I have noticed that the C2 server seemed to be offline since).

I have created a tool to identify and delete SeroXen from your system. You can find it over here. It will attempt to remove the malware, but some system modifications might not be reverted.

An action you can take to possibly prevent being infected by such a trojan again is setting your User Account Control security level to Maximum like this: [image]

This would have stopped the malware, as long as you pressed no on this UAC prompt: [image]

Not only SeroXen, but a lot more types of malware use these kinds of UAC bypasses, so if you see such a popup (even if it says it's an app from microsoft), do not click yes unless you explicitly requested to run the program/make the requested system modification.
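A read-only triage script for the three things DaXcess points at in this thread (the C2 connection, the registry-plus-Task-Scheduler persistence, and the UAC level), added here as an example and not part of the LCVR project or its removal tool. It assumes the built-in Windows cmdlets Get-NetTCPConnection, Get-ScheduledTask and Get-ItemProperty; since the thread names no task or registry key in text, the task check matches on behaviour rather than names.

```powershell
# Added example, not from the LCVR project: read-only triage for the
# indicators described in this thread. Run from an elevated PowerShell.
# Assumed: built-in Get-NetTCPConnection, Get-ScheduledTask, Get-ItemProperty.

$C2Ip   = '146.70.51.74'   # C2 address and port reported in the thread
$C2Port = 4782
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Live connection to the reported C2 (only visible while the RAT is running).
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Ip -or $_.RemotePort -eq $C2Port } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("Connection $($_.RemoteAddress):$($_.RemotePort) state $($_.State) from PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

# 2. Scheduled tasks that launch a script host with an encoded/hidden command
#    or pull their payload back out of the registry: the fileless pattern
#    (registry stores the payload, Task Scheduler provides persistence).
#    The thread gives no task name, so this matches on behaviour, not names.
$hosts   = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'
$payload = '-enc|-e\s|EncodedCommand|-w(indowstyle)?\s*hidden|ExecutionPolicy\s+Bypass|Get-ItemProperty|HKCU:|HKLM:|FromBase64String|\[Reflection\.Assembly\]|IEX|Invoke-Expression'
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $hosts -and $cmd -match $payload) {
            $findings.Add("Task $($task.TaskPath)$($task.TaskName) (state $($task.State)) runs: $cmd")
        }
    }
}

# 3. UAC level. The "Always notify" position recommended above is
#    ConsentPromptBehaviorAdmin=2 together with PromptOnSecureDesktop=1.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.ConsentPromptBehaviorAdmin -ne 2 -or $uac.PromptOnSecureDesktop -ne 1) {
    $findings.Add("UAC below 'Always notify': ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop)")
}

if ($findings.Count -eq 0) {
    'No indicators found. Note: the SeroXen rootkit can hide tasks and keys from these cmdlets, so a clean result is not proof of absence.'
} else {
    $findings
}
```

A hit on check 1 or 2 is what DaXcess's advice addresses: delete the task and reboot immediately so the persistence cannot re-arm; the same hidden-task caveat from the rootkit comment applies to a clean result.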

DaXcess commented 10 months ago

Closing and unpinning this. The storm is over and the mod is being prepared for a Thunderstore upload, so the Thunderstore warnings will no longer apply soon.