GTA V Mods found to contain malware...

Namely keyloggers, steam inventory scanners, Facebook info stealers and web browser info stealers.

So far 2 mods have been found containing the malware, Angry Aeroplanes and No Clip; it has 2 active modules, fade.exe and csc.exe.

The frightening thing is this malware is so new it's currently not being detected by any AV or MW scan.

If you've used these mods take appropriate action asap.
 
If they can't be detected, who detected them?

People noticed processes running which they'd never seen before and tracked them backwards.

Angry Aeroplanes was a featured mod in a PC Gamer article over a week ago, so it's likely the number of infected users is huge.

Here's an analysis from a gtaforums user:

I'm going to chime in because I was also unwittingly infected on May 8th, by the Angry Planes ASI mod.

I was able to do a bit more sleuthing.

The initial code executed acts as a loader for another standard trojan (one of the many RAT trojans available out there).

The trojan that becomes resident in the system and appears as the csc.exe process is quite interesting.
It's very basic, but loads several modules that add capabilities to it. These modules can consist of pre-compiled DLLs or Visual C# and C# code which it will compile using the installed .NET Framework on the system.

The loader is highly obfuscated using Redgate SmartAssembly. The modules rolled out with the loader are included as an encrypted resource blob in the loader. Because of this, analyzing the compiled executable is very difficult. The easiest way to actually analyze the activity is to load the virus/malware into a virtual machine and capture memory dumps of the running process. This way you get most of the decoded DLLs/code which remain resident in memory.

I can confirm what the OP said about logging and also confirm that I located the encryption key. However, I did not spend the time to determine the procedures to decrypt the log file, as most of the contents were also unencrypted in memory.

My first clue that something was going wrong, and the first memory dump I got of the process in action was when the administrator of the trojan sent a command to start UDP flooding an IP in Denmark at around 10AM EST on May 11th.
According to the log, shortly before this UDP Flood module was activated, he also activated a Twitch chat flooding module.
The target of these attacks was:
http://www.twitch.tv...thedanishviking
77.68.209.7

Further investigation revealed the following modules active:

Facebook spam/credential stealing module
Twitch spam/credential stealing module
Messenger.com spam/credential stealing module
A Steam spamming module
A Steam module that evaluates the items in your inventory and their value based on current market value
A Keylogger module that logs individual button presses in an XML like format, it also includes information about context switches (switching from one app/window to another)
A UDP flooding module
There were others I hadn't deciphered and didn't see in action.

All of the spam/credential stealing modules above will attempt to rip your session cookies for each of the above sites from IE/Chrome/Firefox and use the credentials to do their thing.

It stores all this information in a Session#.bin file as described above and ships it to the RAT admin's server.

Now, here's the juiciest and most useful bit.
The C&C server is apcrypt.duckdns.org, which resolves to 45.58.121.105. It's a cheap Windows VPS with a company called https://www.cloudieweb.com/ which is utilizing a dedicated server rented from Choopa.com.
This server is running Remote Desktop on 3389 as well as a webserver, which I believe is acting as an endpoint/C&C server for the RAT. The RAT uses SSL to communicate with this server, so I was unable to spy on any of that activity in any meaningful way in the time I had available.

Tools used to investigate:
ProcessExplorer
WinDbg
Jetbrains DotPeek
Strings (https://technet.micr...s/bb897439.aspx)
Wireshark

IMPORTANT/TL;DR:
If you didn't read/understand all of the above, the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged-in sessions to Facebook/Twitch/YouTube/Steam are in his hands. Change all your passwords, then log out and log back in to every site mentioned above to invalidate the existing sessions.
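As an added example, not part of the thread or of the quoted poster's analysis: a small Python triage script that runs the indicators named above (fade.exe, csc.exe started from outside the .NET Framework directory, the apcrypt.duckdns.org / 45.58.121.105 C&C, and a burst of UDP datagrams to a single host such as the flood against 77.68.209.7) over constructed process, DNS and network records. The file paths, parent process names and the UDP threshold are constructed assumptions, not values from the thread.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators named in the analysis above (the page's own values).
C2_DOMAIN = "apcrypt.duckdns.org"
C2_IP = "45.58.121.105"
# The genuine csc.exe is the .NET C# compiler and lives only under the Framework directories.
LEGIT_CSC = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\csc\.exe$", re.I)
UDP_FLOOD_THRESHOLD = 200  # constructed: UDP datagrams to one host within the sample window


def check_process(image, parent):
    """Flag fade.exe anywhere, and csc.exe running from outside the .NET Framework directory."""
    name = PureWindowsPath(image).name.lower()
    if name == "fade.exe":
        return f"fade.exe loader started by {parent}: {image}"
    if name == "csc.exe" and not LEGIT_CSC.match(image):
        return f"csc.exe outside the .NET Framework directory (parent {parent}): {image}"
    return None


def triage(events):
    """Return findings for a list of process, DNS and network records."""
    findings, udp_per_dst = [], Counter()
    for ev in events:
        if ev["type"] == "process":
            hit = check_process(ev["image"], ev["parent"])
            if hit:
                findings.append(hit)
        elif ev["type"] == "dns" and (ev["query"].lower() == C2_DOMAIN or ev["answer"] == C2_IP):
            findings.append(f"DNS lookup of C&C domain: {ev['query']} -> {ev['answer']}")
        elif ev["type"] == "net":
            if ev["dst"] == C2_IP:
                findings.append(f"connection to C&C server {ev['dst']}:{ev['dport']}/{ev['proto']}")
            elif ev["proto"] == "udp":
                udp_per_dst[ev["dst"]] += 1  # count datagrams per destination for flood detection
    for dst, n in udp_per_dst.items():
        if n >= UDP_FLOOD_THRESHOLD:
            findings.append(f"possible UDP flood: {n} datagrams to {dst}")
    return findings


# Constructed sample telemetry (paths and parents are made up): one benign compiler launch, then the infection.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "parent": "MSBuild.exe"},
    {"type": "process", "image": r"C:\Users\player\AppData\Roaming\csc.exe", "parent": "GTA5.exe"},
    {"type": "process", "image": r"C:\Users\player\AppData\Local\Temp\fade.exe", "parent": "GTA5.exe"},
    {"type": "dns", "query": "apcrypt.duckdns.org", "answer": "45.58.121.105"},
    {"type": "net", "dst": "45.58.121.105", "dport": 443, "proto": "tcp"},
] + [{"type": "net", "dst": "77.68.209.7", "dport": 1024 + i, "proto": "udp"} for i in range(300)]
```

Calling `triage(SAMPLE_EVENTS)` on the constructed sample returns five findings: the benign Framework csc.exe is skipped while the AppData copy, fade.exe, the C&C lookup, the C&C connection and the UDP burst are all reported.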