Closed Art3mis-Ghub closed 1 year ago
Hi I'm investigating this now. I built everything on my machine so if this is true then maybe my machine is infected or maybe one of the nuget packages I'm using is.
If I can confirm this issue for myself I will try to get rid of the affected files.
It looks like those links you have provided require an enterprise account on VirusTotal. I tried scanning the MSI myself and I can't see any graph or anything. Could you provide a screenshot of those pages or copy the information into a comment?
Hi,
I believe this is a false positive.
I have changed the file publishing to no longer use "Produce Single File" so that all dlls are installed as individual files instead of packed into a single one.
I have scanned the new version (1.0.2) with VirusTotal and after creating an account I can see the graph. I compared the graph to the 1.0.1 version which I can see the PEEXE flag on and it no longer happens on 1.0.2.
If you have a chance, it would be great if you could scan 1.0.2 yourself and just confirm that you're satisfied the issue is resolved, thanks!
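For readers who want to see what the "Produce Single File" change above corresponds to in the project file, here is an added illustration (not the Metis Mod Launcher project's actual publish profile). It assumes a .NET SDK-style project published through a folder publish profile; `PublishSingleFile` is the MSBuild property that the Visual Studio publish dialog's "Produce Single File" checkbox controls.

```xml
<!-- Added illustration, not the project's real .pubxml/.csproj.
     Assumes a .NET SDK-style project published with a FolderProfile. -->
<Project>
  <PropertyGroup>
    <!-- Before (1.0.1 behaviour): "Produce Single File" in the publish dialog
         sets this to true, so every managed assembly is bundled into one host
         executable. Scanners that unpack the bundle see an embedded PE inside
         the outer PE, which is what the three vendors reported. -->
    <!-- <PublishSingleFile>true</PublishSingleFile> -->

    <!-- After (1.0.2 behaviour): single-file publishing off, so each DLL ships
         as its own file and can be hashed and inspected individually. -->
    <PublishSingleFile>false</PublishSingleFile>
  </PropertyGroup>
</Project>
```

With the setting off, a VirusTotal scan of the installer no longer shows a nested PEEXE node for the bundled host, which matches the comparison of the 1.0.1 and 1.0.2 graphs described in the comment.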
Sure thing, below I have included two screenshots. The first one shows the IP itself and previous connections etc., including currently affected files (not just yours); I have chosen to include non-affected nodes as it also shows related reports (upper right nodes within the graph). The second one shows which file is affected and the viruses, and it shows a basic view of what is currently affected, your file as well as other files.
Just to clarify, anything red is currently detected as containing (at least) one malicious file.
Hi sorry I think we commented at the exact same time. Thanks for posting the images. Could you check my latest comment before that? Ty.
On the left-hand side you can also see that Metis Mod Launcher.dll seems to be the file within the exe that contains the parameters.
@HazelnutCheese I'll scan it again and see what happens, one sec
@HazelnutCheese it seems to have been fixed now, so it was most likely a false positive :)
Hi,
As a standard safety procedure when downloading files, I scanned your .msi using VirusTotal.
The website showed it as 0/67 vendors or sandboxes having detected it as malicious, great, right? Looking into it further, there were actually three vendors that flagged it as malicious due to a win32 EXE packaged inside the executable. Going deeper and checking the graph, I noticed that it was a peexe file that was flagged three times as containing the following malicious files:
Now, these can of course be false positives if the file itself behaves in a way similar to the Trojan malware, so nothing to be overtly concerned about, yet. Again, looking further into this I noticed that the Contacted IPs node is flagged, so naturally I checked it out. Out of the five detected IPs only one was flagged, 13[.]107[.]4[.]52, and now here's where it starts to get concerning. Last year numerous reports arose around the internet flagging this exact IP as one used by Pro-Russian hacktivists or "TAs" (threat actors) to "jump" malware across the net onto unsuspecting executables, and I'm afraid yours might be one of them.
This group, "Killnet", uses a modified version of the notorious ransomware called "Chaos Ransomware", and upon execution this version of Chaos Ransomware will lock the owner's PC and drop a note that contains links to a Telegram group filled with Pro-Russian propaganda as well as a BTC address and contact information for the TAs.
Please, remove this file and quarantine it immediately to ensure that you, and others, do not get forced into financially supporting the Russian War effort.