UNDETECTED Discord MALWARE | Reverse Engineering Duvet Stealer, Electron Malware Used By HACKERS


COMMENTS • 110

  • @CyberDevilSec
    @CyberDevilSec 5 months ago +37

    For a second I thought you were John Hammond XD.
    I love how this is so in depth, you got a new sub

    • @cyberraiju
      @cyberraiju  5 months ago +8

      Hahaha, this wouldn't be the first or last time it happens 😅
      Thank you for the kind words and sub! ❤️

    • @yaboy7120
      @yaboy7120 5 months ago +1

      ME TOO

    • @Sweettreats23
      @Sweettreats23 5 months ago +1

      This isn't John Hammond??!

    • @CyberDevilSec
      @CyberDevilSec 5 months ago +1

      @@cyberraiju Hey thanks for replying :D
      I actually have a really big desire to also become a teacher on YouTube.
      And believe me when I say this: for 2 years I could not control some situations, as a result still 0 videos....
      I hope maybe we can get in touch

  • @radoslavdimitrov7505
    @radoslavdimitrov7505 5 months ago +1

    This is insane. Awareness needs to be raised. Thank you for your video

    • @cyberraiju
      @cyberraiju  5 months ago +1

      You are most welcome! Glad you learned something new!

  • @theikeamafia1347
    @theikeamafia1347 5 months ago +8

    Just wanna say it's a very good video because you just managed to make me focus during a malware analysis which is quite rare. You explained everything very well and in detail so thanks and you just got a new sub :)

    • @cyberraiju
      @cyberraiju  5 months ago +1

      Thank you! I just want to say that your YT name made me laugh 😂 👏 bravo.
      Greatly appreciate the kind words, feedback and sub 😁

  • @YadraVoat
    @YadraVoat 5 months ago +6

    Academically interesting, but the foremost problem there would be Microsoft Windows. And Discord. It's not like the data sent using Discord is safe at all. But at least running something like a Flatpak of a web-version Discord client provides some kind of sandboxing.

    • @cyberraiju
      @cyberraiju  5 months ago +2

      Unfortunately due to the support and ease of use, Microsoft Windows and Discord remain the dominant operating system and software of choice for gamers.
      That being said, I believe if the roles were reversed we would still begin to see creative ways of doing this against alternative operating systems and software setups.

    • @mystica-subs
      @mystica-subs 5 months ago

      If someone just uses discord in the browser, not as the electron app, is this still a problem?

  • @bin_jets
    @bin_jets 5 months ago

    This is my first time on your channel and I really love the job and content.
    You get a new one in your Jai Minton house

    • @cyberraiju
      @cyberraiju  5 months ago

      Thank you! It's always great to hear when someone new takes a chance on a video I've done and winds up enjoying it. Welcome!

  • @o_kamaras
    @o_kamaras 5 months ago +6

    16:50 Wait a second, I recognize that string!
    Hint: it's a YouTube video ID

    • @cyberraiju
      @cyberraiju  5 months ago +1

      Wow 😮 you're right 🤣
      Maybe this is a default token regex in whatever was used to build the malware as an Easter egg and they forgot to change it, or it's an egg by the malware author.
      Either way you win the internet today for picking up on this! 👏🔥

    • @taahaseois.8898
      @taahaseois.8898 5 months ago

      @@cyberraiju It's not related to the malware in any way. It's used by Discord for their authentication tokens and the functionality related to saving them in a somewhat secure manner.

  • @CuteSkyler
    @CuteSkyler 5 months ago +1

    The line at 16:50 weirdly enough is the YouTube video ID of Rick Astley's Never Gonna Give You Up.

  • @RhinoGeee
    @RhinoGeee 4 months ago +1

    Came across this video because I just got hacked. They impersonated someone I knew and said something about a game to try and comment on. I was stupid enough to download it. Stupider still not to suspect anything. This video at least told me what they could have access to or what they did get access to. Since everything was token-based they only had one-time access. I have since reformatted my PC and changed all my passwords to what I thought they might have access to. But it was very stressful and scary.
    I came across this video because the hackers tried sending me screenshots which showed my info, but also the program Duvet they used.
    Good video. Stay safe everyone

    • @cyberraiju
      @cyberraiju  4 months ago

      Oh no, I'm so sorry this happened to you!
      Glad you could respond and get it under control ❤️

  • @likeastar20
    @likeastar20 5 months ago +1

    Great video and easy to understand

  • @viveklion
    @viveklion 5 months ago +2

    Similar to BBY stealer.

  • @the_broz
    @the_broz 8 days ago

    It seems like they updated this or there is a new variant called hexon; it operates almost the exact same way but now it's way more obfuscated.

  • @taahaseois.8898
    @taahaseois.8898 5 months ago +1

    12:44 is not the part where the token is stolen. Instead your discord instance is modified to launch the malware again.

  • @amateurprogrammer25
    @amateurprogrammer25 5 months ago +2

    This video has been a wake-up call. I could've been infected by this and would've had no way of knowing. I need to clean up my opsec act, STAT!
    Thanks for a great in-depth analysis!

    • @cyberraiju
      @cyberraiju  5 months ago

      No worries at all! Glad I could help and shine some light on this!

  • @chiragartani
    @chiragartani 5 months ago

    Awesome. Thanks a lot.
    Just some feedback - if you open the analytics of any video through YouTube Studio, you will find that both mobile and desktop users watch the videos. So from next time please try to zoom in more on the display so the content is perfect for all.
    Example: John Hammond's videos.

    • @cyberraiju
      @cyberraiju  5 months ago +1

      Thanks a bunch! The irony is these analytics are hidden on mobile so I couldn't see them. I can see them now and will keep this in mind for future videos. Cheers!

    • @chiragartani
      @chiragartani 5 months ago

      @@cyberraiju thanks 😃

  • @nezu_cc
    @nezu_cc 5 months ago +1

    John Hammond v2? Nice, that's a sub.
    This is done in a very minimal way, only the malware and nothing else, but since the app.asar file isn't signed you could take any standard electron app that is already trusted, unpack it, inject your malware into one of the legitimate scripts and pack it back together. AVs will have no way to tell other than maybe the installer and runtime monitoring. One of my friends used a similar technique over a year ago, undetected to this day afaik.
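
The observation above that app.asar carries no signature is also the defender's cue: if you keep a hash baseline of a trusted build's packed files, a repacked copy with an altered or added script stands out. The block below is an added example, not code from the video or from any project it mentions; it packs a constructed sample app into the asar layout (a pickle-framed JSON index followed by raw file bytes), hashes every packed entry, and diffs a tampered copy against the clean baseline. All file names and contents are constructed assumptions.

```python
import hashlib
import json
import struct

def _insert(tree, parts, entry):  # nest entry under parts (a path split on '/')
    for part in parts[:-1]:
        tree = tree.setdefault(part, {"files": {}})["files"]
    tree[parts[-1]] = entry

def pack_asar(files):
    """Build an asar archive from {path: bytes}: pickle-framed JSON index, then raw file bytes."""
    index, blobs, offset = {}, [], 0
    for path, data in files.items():
        _insert(index, path.split("/"), {"size": len(data), "offset": str(offset)})
        blobs.append(data)
        offset += len(data)
    header = json.dumps({"files": index}).encode()
    string_pickle = struct.pack("<I", len(header)) + header + b"\0" * (-len(header) % 4)
    header_size = 4 + len(string_pickle)  # payload-size field plus the string pickle
    return struct.pack("<III", 4, header_size, len(string_pickle)) + string_pickle + b"".join(blobs)

def hash_asar_entries(blob):
    """Return {path: sha256 hex} for every packed file in an asar archive."""
    magic, header_size = struct.unpack_from("<II", blob, 0)
    if magic != 4:
        raise ValueError("not an asar archive")
    json_len = struct.unpack_from("<I", blob, 12)[0]
    header = json.loads(blob[16:16 + json_len])
    base, hashes = 8 + header_size, {}  # file data follows the size pickle and the header pickle

    def walk(node, prefix):
        for name, entry in node["files"].items():
            path = prefix + name
            if "files" in entry:             # directory: recurse
                walk(entry, path + "/")
            elif not entry.get("unpacked"):  # packed file: hash its bytes
                start = base + int(entry["offset"])
                hashes[path] = hashlib.sha256(blob[start:start + entry["size"]]).hexdigest()
    walk(header, "")
    return hashes

def find_tampered(hashes, baseline):
    """Paths that changed, were added, or went missing relative to a known-good baseline."""
    changed = {p for p, h in hashes.items() if baseline.get(p) != h}
    return sorted(changed | (set(baseline) - set(hashes)))

# Constructed sample (not a real app): a trusted build and a copy with one script altered.
CLEAN_APP = {"package.json": b'{"name":"demo","main":"main.js"}',
             "main.js": b"require('./lib/util.js');\n", "lib/util.js": b"module.exports = 1;\n"}
TAMPERED_APP = {**CLEAN_APP, "main.js": CLEAN_APP["main.js"] + b"require('./extra.js');\n",
                "extra.js": b"// file absent from the trusted build\n"}
BASELINE = hash_asar_entries(pack_asar(CLEAN_APP))

def check_sample():
    return find_tampered(hash_asar_entries(pack_asar(TAMPERED_APP)), BASELINE)
```

Running the same hashing over a real Electron install's app.asar and comparing against a baseline captured from a trusted copy gives the per-file diff that a file-level signature check would otherwise miss.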

    • @cyberraiju
      @cyberraiju  5 months ago

      Thanks a bunch!
      Yeah anything which requires an interpreter to run will continue to be a thorn for years to come.
      It's a love hate relationship with high level programming languages 😆

  • @februalist4686
    @februalist4686 5 months ago

    16:49 they really put a rickroll in malware lmao

  • @1337BR3AK
    @1337BR3AK 5 months ago

    pretty cool, again! thanks!

    • @cyberraiju
      @cyberraiju  5 months ago +1

      No worries at all! Glad you enjoyed it!

  • @chathurangaonnet
    @chathurangaonnet 5 months ago +1

    wow Love it ♥.. Thanks for the clear explanations.

  • @Bitcoin274
    @Bitcoin274 5 months ago +1

    So cool that you decided to analyze one of my samples! Been tracking the C2s of this malware for a while, writing any YARA rule has been so difficult due to this crazy amount of obfuscation..
    These electron based stealers have been appearing on Telegram lately, and seem to be the same exact malware just with different names.

    • @cyberraiju
      @cyberraiju  5 months ago

      Awesome work! Thanks again for sharing this one. I was definitely thinking in the back of my mind some of the ways a Yara rule could be created for it, especially when it's all packed. Are they changing the GUID in the NSIS installer? Or maybe targeting the obfuscation in the electron app itself is the way to go. Definitely a pain.

  • @scalie
    @scalie 5 months ago

    This malware seems to be going around by a lot of names but using the same website design and fake game. I saw it under the name of "Planets Therapy" on a video from The PC Security Channel.

    • @cyberraiju
      @cyberraiju  5 months ago +1

      Thanks for the heads up! I'll have to give it a look over and see what I can find. I think the main issue with naming it after the game it is pretending to be is it means it will probably get lots of different names. If it's based on something in the code itself that's unique or its behaviour it's more likely (hopefully) to be identified no matter what theme it's using in the future.

  • @YadraVoat
    @YadraVoat 5 months ago +2

    Impressively good audio for such a small channel.

    • @cold_fruit
      @cold_fruit 5 months ago

      15:00 disagrees with you

  • @ViriBurner
    @ViriBurner 5 months ago +1

    I was recently a victim of said "sonicglyde" and I have a question: does the virus spread through other drives connected to the infected device?

    • @cyberraiju
      @cyberraiju  5 months ago

      Oh no 😯😕
      No, not that I'm aware of because it's very much targeting Discord so replication to a removable device doesn't seem to be a goal or anywhere I've seen in the code.
      That being said I haven't thoroughly gone over the script that appends to an infected Discord instance to see whether that included any logic to spread to other drives.

  • @TbM
    @TbM 5 months ago

    14:26 - Interesting how they check for a VM... just by calculating if the total amount of memory is smaller than 2GB. And why does he check the hostname against a blacklist? Just to prevent the virus running on the PCs of his "crew" or "family"? These names look really weird to me...
    And killing debuggers to prevent people reverse engineering his code?

    • @cyberraiju
      @cyberraiju  5 months ago

      The hostname check is likely known names used by online sandboxing tools. That way if someone was to upload it to free publicly available tools to perform dynamic analysis it would just exit and not perform the malicious activity which then makes it look clean to the online sandbox.

  • @unenter
    @unenter 5 months ago

    Bro I just got hacked by a discord token grabber through an exe, think I could have been hacked

    • @cyberraiju
      @cyberraiju  5 months ago

      Oh no 😰
      That's not good at all! Guess it may be time to change all your Discord credentials, log out of all Discord sessions and reinstall Discord on your system 😞

    • @unenter
      @unenter 5 months ago

      @@cyberraiju yeah I ran Malwarebytes but after watching this I feel like I should reinstall. But I talked to some other victims of “ARENA WARS” and they told me only their Discord was compromised. But I swear on my lunch I saw a bot for Discord that had that same name in those exe files you were looking in.

  • @BigG9982
    @BigG9982 5 months ago

    the hackers update the stub when it gets detected......

  • @jazz230
    @jazz230 4 months ago

    Dude I got hacked by this, if you want any info on how it was done, maybe we can get in touch

    • @cyberraiju
      @cyberraiju  4 months ago

      I'm sorry to hear you had to go through that man 😞
      Feel free to flick me a message if you're on any platform I'm on and can.
      I'm guessing it was a case of someone DMing you on Discord asking to play a new game, or a friend on Discord asking you to which had already been infected? 😬

    • @jazz230
      @jazz230 4 months ago

      @cyberraiju yes it was an old friend asking me to test his game, I'll try to contact you

  • @WitherForge
    @WitherForge 5 months ago +6

    I got hacked by this virus, it was the same and everything, it even was inside the motherboard

    • @Nine_Divines
      @Nine_Divines 5 months ago +6

      🤷‍♀ I'm genuinely curious about what you mean by "inside the motherboard"..

    • @WitherForge
      @WitherForge 5 months ago

      @@Nine_Divines there is an MSI motherboard vulnerability: if you don't enable maximum security it's in compatibility mode by default and it could get malware loaded into the BIOS.

    • @cyberraiju
      @cyberraiju  5 months ago +9

      The keyword is 'could', but just because Secure Boot wasn't enabled doesn't mean this malware is being loaded inside the bios.
      For that to happen the malware would be dropping other specially crafted files or modifying specific files which then act as Bootkit or Rootkits, and this is a lot more challenging to get right than to just run the malware on your system 🙂

    • @WitherForge
      @WitherForge 5 months ago

      @@cyberraiju I don't know if some malware could drop malware into the Windows installation USB I created, or was it the motherboard

    • @icantcomeupwithnames469
      @icantcomeupwithnames469 5 months ago

      @@WitherForge Not technically impossible, but the odds that you specifically were targeted by such a sophisticated attack without anyone else raising the alarm are practically zero. You probably just ran something malicious without knowing it was.

  • @DergPH
    @DergPH 5 months ago

    just found out about you now

  • @tasosm.380
    @tasosm.380 5 months ago +3

    Dollar store John Hammond 😂

    • @cyberraiju
      @cyberraiju  5 months ago +2

      Hahahahaha 😂, I'll let him know you said that when I see him at work next.
      I used to get called the 'Wish' version of Ed Sheeran 🤣

  • @gentlemanbirdlake
    @gentlemanbirdlake 5 months ago

    For navigating A/B comparisons I highly recommend Beyond Compare, can diff folder trees and compressed formats and even binary so you can drill into the diffs by just clicking what you want to see diffed next.

    • @cyberraiju
      @cyberraiju  5 months ago +1

      Thanks for the recommendation! Will definitely check it out 😃

  • @mixskillter4785
    @mixskillter4785 5 months ago

    I love how in-depth your video is while providing valuable information, very underrated channel, good job Jai!

    • @cyberraiju
      @cyberraiju  5 months ago

      Thank you so much for the kind words! I appreciate the feedback and you taking the time to share it with me.

  • @adamhunt429
    @adamhunt429 5 months ago

    Cheers. Will have to sub on a few accounts :) - I too initially thought you were John Hammond at first glance (the thumbnail). Semi-similar features within the same genre. Anywho, good on ya!

    • @cyberraiju
      @cyberraiju  5 months ago

      Thanks a bunch! Greatly appreciated 😃

  • @h.k.a
    @h.k.a 5 months ago

    Great work 👏🔥

  • @PainFf007
    @PainFf007 5 months ago

    It's Linn's crew. If it's got Duvet, it gets a like 🎉🎉

  • @Braindeadly
    @Braindeadly 5 months ago

    Awesome

  • @rainbowdoesinfosec
    @rainbowdoesinfosec 5 months ago

    This is super interesting! The actor definitely put a lot of time into the front of the malware to make it seem legitimate. Great breakdown of everything. New sub here!

    • @cyberraiju
      @cyberraiju  5 months ago

      Absolutely! The juice is obviously worth the squeeze to someone that they're putting in more than your standard effort.
      Thanks for the kind words and the sub!

  • @SolitaryElite
    @SolitaryElite 5 months ago

    great video man. subscribed :)

    • @cyberraiju
      @cyberraiju  5 months ago

      Thanks a bunch man! Appreciate it 👌

  • @DartrIxBTD
    @DartrIxBTD 5 months ago

    Awesome video! Your channel is underrated

    • @cyberraiju
      @cyberraiju  5 months ago

      Thanks so much! As someone who does this on the side for free, it can sometimes be difficult to know if the hours spent are turning into a video others enjoy and learn from or not, so comments like this are definitely valued 😄

  • @hydradragonantivirus
    @hydradragonantivirus 5 months ago

    Kaspersky best.

  • @Тарас-щ9с
    @Тарас-щ9с 5 months ago

    This is awesome! Thank you! Very informative and useful video ❤

    • @cyberraiju
      @cyberraiju  5 months ago

      You're welcome! Thanks for watching. Glad you enjoyed it!

    • @Тарас-щ9с
      @Тарас-щ9с 5 months ago

      @@cyberraiju is your channel inspired by John Hammond's? (sorry if you got tired of such questions 😊. I'm sure you will develop your own cool style)

    • @cyberraiju
      @cyberraiju  5 months ago +1

      Not really 😅. There's a number of channels which have great content, but it's not really inspired by any one. It is a unique style which is still being fleshed out, driven by my years of experience in both the industry and presenting publicly 😆

  • @dvsur
    @dvsur 2 months ago

    John Hammond

    • @cyberraiju
      @cyberraiju  2 months ago

      x.com/CyberRaiju/status/1783763199244009949?t=ers3C2pkHA4Fq1aTvPKdzw&s=19 😂

  • @hoangsatfe
    @hoangsatfe 5 months ago

    I am from Vietnam

  • @YadraVoat
    @YadraVoat 5 months ago

    I don't mind technical videos about Windows, but when it comes to security some kind of acknowledgement that this is not a video about an open-source operating system, would be reassuring that you are helping non-technical users who don't know the difference. (Notice I tried to be unbiased by avoiding mentioning which open-source operating systems I prefer to use myself. 😉)

  • @daddy7860
    @daddy7860 5 months ago +2

    I appreciate how you explain every step, and especially every assumption and thought process you went through while analyzing this, and the information you used to come to those conclusions; extremely thorough and helpful.

    • @cyberraiju
      @cyberraiju  5 months ago

      Thanks a bunch! I'm glad to hear that the time spent talking through this analysis and editing the footage wasn't wasted!

    • @daddy7860
      @daddy7860 5 months ago

      @@cyberraiju Well, if even one other person learns and gets something from it, it's worth it, isn't it?

  • @mr_b_hhc
    @mr_b_hhc 5 months ago

    I thought Kaspersky detected it, yet you state it was completely undetected by AV vendors on VirusTotal?

    • @cyberraiju
      @cyberraiju  5 months ago +3

      At the time of the video yeah, but if you look at the history and initial analysis it was undetected by all AV vendors.

  • @igboman2860
    @igboman2860 5 months ago

    Such clean code from the authors. 😮

  • @RVTGROUP
    @RVTGROUP 5 months ago +2

    Keep up the great work! +1 sub 👏

    • @cyberraiju
      @cyberraiju  5 months ago

      Thank you! Greatly appreciated! 😃