Open khallmark opened 3 weeks ago
I haven't tried using this, so obviously be completely careful. There's this person and some others who have uploaded the folder to this Reddit thread. Also, according to a VirusTotal scan, the file in question is named fastmath.dll. Would love to hear what you got from this. And obviously handle with care, as this is, as you are aware, a potentially malicious file.
I've just decompiled it using Ghidra; it looks like ransomware at first glance.
Any way you could put up a repo with the offending files for general research? I'd like to have a look at it as well, but the linked file above is now gone.
Any signs as to what it's targeting or looking for? My guess would be it's looking to exploit some 0day or kill chain on a certain subset of systems, but I still need to look at the file.
It seems allowed by GitHub (https://docs.github.com/en/site-policy/acceptable-use-policies/github-active-malware-or-exploits). I'll create a repo with it in a few hours; I'm not at home right now.
Can you drop the link here when you get it up? Thank you sir!
Here you are: https://github.com/GerkinDev/CS2-traffic-0.2.3-malware
I'm not very smart when it comes to the cybersecurity side of things; the most I have done is run Kali Linux on a VM. What makes you believe it's ransomware rather than a keylogger, which is what most have led us to believe? I'm not really wanting to try to work with it in my Kali VM, as I don't know how to install Ghidra and don't exactly know what I'm doing, but since you've already done it, I'm just asking your opinion on it.
It's a crypto stealer, targeting Exodus Wallet.
https://www.virustotal.com/gui/file/8c6c3f9b3fd8497322cd9e798790aa3485a44f9c5418bb4aa97b630a3fb8cead
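Since the thread now carries a concrete indicator (the SHA-256 from the VirusTotal link above) and a file name, the practical check a user wants is "is that exact DLL anywhere in my mods folder?". The script below is an added example written for this page, not code from the thread, the mod, or the linked repo. It hashes files in chunks (so a large DLL does not have to fit in memory), compares against a set of known-bad SHA-256 values, and returns the hits. The directory layout, the "clean" DLL contents and the second demo IoC are all constructed inside the demo function; only the fastmath.dll hash is taken from the thread.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of the trojanised fastmath.dll, taken from the VirusTotal link in this thread.
FASTMATH_DLL_SHA256 = "8c6c3f9b3fd8497322cd9e798790aa3485a44f9c5418bb4aa97b630a3fb8cead"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs, extensions=(".dll",)):
    """Walk `root`, hash every file whose extension is in `extensions`,
    and return [(path, sha256)] for files whose hash is in the IoC set.

    Matching is by hash only: a renamed copy of the malicious DLL is still caught,
    while a file merely named fastmath.dll but with different content is not flagged."""
    wanted = {h.lower() for h in iocs}
    suffixes = tuple(e.lower() for e in extensions)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo():
    """Constructed demo: a throwaway mod folder with one benign DLL, one file whose
    hash is added to the IoC set, and one non-DLL that must be ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        mod_dir = Path(tmp) / "Mods" / "Traffic"  # constructed path, not the real layout
        mod_dir.mkdir(parents=True)
        (mod_dir / "Traffic.dll").write_bytes(b"MZ" + b"\x00" * 64)  # constructed, benign
        # Constructed stand-in for a known-bad payload; we cannot reproduce the real file.
        bad_payload = b"MZ" + b"constructed stand-in for the malicious DLL"
        (mod_dir / "fastmath.dll").write_bytes(bad_payload)
        (mod_dir / "readme.txt").write_text("wrong extension, never hashed")

        iocs = {FASTMATH_DLL_SHA256, hashlib.sha256(bad_payload).hexdigest()}
        hits = scan_directory(tmp, iocs)
        return sorted(os.path.basename(p) for p, _ in hits)


if __name__ == "__main__":
    print("flagged:", demo())  # flagged: ['fastmath.dll']
```

To use it on a real install, call `scan_directory(<your mods folder>, {FASTMATH_DLL_SHA256})`; an empty list means that exact binary is absent, not that the install is clean, since any later variant will have a different hash.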
I have been trying to find this information, but PDX seems reluctant to provide it: how was this malware able to be uploaded to the PDX platform? Was THIS repo or the dev of this repo hacked, or was the PDX platform itself breached?
In other words, who was responsible for this happening? PDX subtly blamed this dev in their initial posts, not directly, but reading between the lines. I am not trying to cast shade on anybody, but when something like this happens, it is imperative that there be full disclosure and information on the changes implemented to stop it from happening again.
The author's credentials were compromised. It's not Paradox's platform. It's not this repo. Revealing more about the circumstances might not be in the best interest of Paradox and/or the author.
Yes, that is what they say. But that does not answer the question, which IS valid for users to evaluate trust.
What I am asking here, IS sensitive, I get it and I walk on eggshells here: HOW is it known that the security flaw was the developer and not Paradox?
If it is confirmed the dev was the victim of an intrusion, I feel for him; it's got to feel fkn shitty, but stuff happens, and I don't blame him. What WOULD concern me, though, is if Paradox had flaws in THEIR security that caused this to happen; then it is no longer "one dude creating a great mod", it's a corporation.
Assuming the attackers had access via a vulnerability at Paradox, it would be unlikely that they only targeted this mod. It was foreseeable that the breach would be identified in time, and that this would reduce their future chances in other mods. They targeted multiple mods from another user on another platform. That's inconsistent behavior under this assumption.
The only question I would raise is if Paradox added additional review mechanisms before mods are rolled out to the community. Most platforms, even outside the gaming space, don't have any such mechanisms though. Once a GitHub release is released, it's visible to everyone right away.
In this case, the illegitimate upload was identified by a community member. A vigilant community is the best you can get. You can catch viruses everywhere, so it's best to minimize the damage proactively by hardening your systems and separating vulnerable information.
Any way we can get a copy of the hacked DLL to do some decompilation?