Final update on the infostealer malware investigation


zebleer


A while ago, a user messaged me that their PO login had been compromised even though they used a unique password for PO. It turned out that they had used software with infostealer malware, which stole their PO login. I eventually found the stolen logins in a DB and there were billions of them. It was clear gamers were being targeted in particular

Here is what I found
- There is an infostealer malware campaign orchestrated by a group in India. The malware itself is developed and sold as a service by a Russian group
- The group in India distributes the infostealer through free GitHub releases, GitHub cracks, cracked games, cracked software (including gaming related and photoshop/video editing software), free mod/cheat/tool/VPN/boost releases on GitHub/YouTube/EPVP/other forums, and torrents
- The group uses stolen logins to further spread the malware (e.g. using stolen accounts to post and vouch for the malware)
- All of the stolen logins are sold to another group who manages a compilation called nazapi which is a nearly 25TB compilation of stolen logins. This compilation is sold to the public
- Nazapi has not been shared much because it's so big. It's over 20TB, so the cost/time to download it or upload it is significant. Out of the 20TB, only ~100GB (compressed) was released on BreachForums because the leaker wasn't willing to pay the costs required to share it in full
- People with purchased access to nazapi use it for various purposes. One example I've seen in our community is that some account vendors are selling or releasing stolen BNET/Activision accounts. This is how they are getting so many (sometimes 10K+) accounts to release/sell

I know you all wanted me to name and shame the malware spreaders but there are no brand or known project names. No active cheat provider or known project is spreading this malware. It's all nameless free releases, cracks, and torrents that get taken down quite often but get posted and vouched for automatically by bots using stolen logins

What I have done
- In the past I was setting bait to find out what software had the malware by restoring my test device to a clean state using DeepFreeze, using a piece of software, saving a unique login, triggering the malware, then repeating and seeing what logins ended up in nazapi. I'm not going to do that anymore because these releases/cracks/torrents get taken down and come back in new posts often. There is no point
- I purchased full access to nazapi including updates. I purchased infrastructure to download it fully including updates. See why I bought it below

What I will do
- I am going to share and continue to share stolen logins with affected domains/companies to render the efforts of the stealers useless. I am going to try to be faster about this with larger companies because I haven't been getting them their updated logins very fast and their users are suffering account theft issues as a result. It's also hard to help because most large companies won't talk to me
- I am going to make sure that the stealer is fully detected by every major anti-virus through reversal and submissions. This process has been annoying because the Russian group has a few strains of infostealer malware for sale as a service and they keep updating them
- I am going to try to share nazapi with places like haveibeenpwned but again it's over 20TB so it's very hard to share this around. It took me two weeks to download it personally and I had to use special software to parse it

What you should do
- Do not download sketchy free releases including cracks/torrents
- Know that GitHub releases are not always safe. GitHub is actually one of the primary places malware is spread because people trust it so much. GitHubs with compiled binaries are especially sketchy
- GitHubs that show up as a top result when you search "insert_software_name_here cracked" are especially not to be trusted
- Upload binaries to Virus Total before running them
- Install a quality anti-virus like Malwarebytes. Make sure to add an exclusion for the PO loader folder
- Only use software from sources/providers you trust
- Use a password manager such as the one Protonmail offers or one from here

Gazza908

Fair play, for a ‘cheating’ community lead zeb, you keep it fair, clean and safe. Couldn’t ask anything more from somebody, genuine nice guy and we all appreciate the work you do… lesson learned to never download free shit 👍

zebleer
9 minutes ago, edgar said:

A virtual machine is an option, zeb, to test.

I have an isolated testing device and network that I use for malware investigations usually because a lot of malware checks for VM and won't run in one

This time I just used DeepFreeze to restore my computer to a clean state between tests to keep each test and unique login isolated

It is true though that if the malware will run in a VM (this one will but I didn't originally know that) it's better especially since you can have several VMs on one machine

zebleer

For sending data to haveibeenpwned I forgot to mention I'm going to remove passwords and just submit emails/usernames at first then send an out of order list of passwords later

I think transferring that data with accurate pairing should only be done to affected domains

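A minimal version of the data handling zebleer describes above, as an added example that is not part of the thread: full login/password pairs go only to the affected domain, while a haveibeenpwned-style export carries identifiers only plus a separately shuffled password list with pairing removed. The `url:login:password` line layout and the sample records are assumptions; the post does not state nazapi's format.

```python
import random
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records in an assumed `url:login:password` layout.
# These are not real credentials; the malformed line exercises error handling.
SAMPLE_LINES = """
https://example-game.test/login:alice@mail.test:Hunter2!
https://example-game.test/login:bob:correct-horse
https://shop.example.test/account:alice@mail.test:Sh0pPass
malformed line without separators
""".strip().splitlines()


def parse_line(line):
    """Return (domain, login, password) for one record, or None if it cannot be parsed."""
    # URLs contain ':' themselves, so split from the right: the last two
    # fields are login and password (passwords containing ':' would need a
    # format-specific rule; this assumed layout has none).
    parts = line.rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, login, password = parts
    host = urlsplit(url).hostname
    if not host or not login or not password:
        return None
    return host.lower(), login, password


def bucket_by_domain(lines):
    """Group records by the site they were stolen from; unparseable lines are skipped."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            host, login, password = rec
            buckets[host].append((login, password))
    return buckets


def domain_notification(buckets, domain):
    """Accurate pairs are only ever handed to the owner of the affected domain."""
    return list(buckets.get(domain.lower(), []))


def hibp_style_export(buckets, seed=0):
    """Identifiers only, plus a shuffled password list that cannot be re-paired."""
    identifiers = sorted({login for recs in buckets.values() for login, _ in recs})
    passwords = [pw for recs in buckets.values() for _, pw in recs]
    random.Random(seed).shuffle(passwords)  # seeded only so the example is reproducible
    return identifiers, passwords
```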
Nike76

I had an email from Steam saying my login had been compromised/login from America. I don't use a VPN, I'm based in New Zealand. Would that be any way related to this event? I'm still able to log in to both CoD/PO loader. Do I have anything to worry about?

Regards

Nike

3 weeks later...
MooseKuckles
On 5/23/2024 at 2:40 PM, zebleer said: (quoting the original post above in full)
You are the GOAT. Much Respect 
