pc

oh bloody hell. i could have watched it but decided to put it off. its all on me

I was watching the setup one then I watched something else came back and it was gone lol

Nice. Hoping to see the other one too cause of the claim at the beginning that it's the wildest malware ever reviewed on this channel. Just wondering what it did.

Great bonus. Thanks !

yeah, that just shows how dumb scammers are XD but maybe this malware was redirected by a viewer?

yeah but what an own it'd be on the off chance they actually manage to infect the owner of a channel that analyses malware!

​@@redlionstudio2750 Scammers aren't dumb - but they always go for the dumbest targets. Remember those Nigerian Prince emails with terrible english? Those who respond to them prove that they have no knowledge about the scam or are dumb enough to believe anything, so those same people don't know that they're about to be scammed. That means those kinds of people won't report the scam, which will allow it to keep going for longer. Nigerian Prince scams have been estimated to have stolen more than a hundred million dollars over the past few decades, which means they've filtered their targets enough to keep milking them to this day. The only dumb people here are those who think that scammers are dumb. Always be on your toes.

When the ruble is in rubble, they can get pretty desperate I guess lol

Yeah. And of course send it to someone who knows how to bypass Cloudflare's proxy, and therefore knows how to get to the real C2 server's IP address, and the best thing that person does is to send that IP address to their friends to have a little fun :D

Nice!

I guess technically it's probably smarter not to put the fake pdf if people are not accustomed to seeing file extensions.

My thoughts exactly. File extensions should be enabled by default, they’re not hurting anyone.

Microsoft did it in an attempt to prevent people from accidentally changing the file type by renaming the extension (which by design is fairly wrong in so many occasions, because file type should NOT be determined solely by its extension). Renaming a file to a different extension might cause it to break compatibility, so Microsoft by default hides extensions to prevent dumb users to rename program files for example (causing them to no longer work). It is dumb, not gonna lie. First of all, Microsoft assuming users are dumb they don't understand extensions, that's insulting. Second of all, it's a bad design. Unix-like OS doesn't determine the file type by its extension, rather does it through file header. If that file header might correspond to many file formats (example being text files, which do not actually have a header), then the file format might be determined by the file name extension (for example: C source code files). If Windows adopted this behaviour from Unix, then it would be so nice, and there would not be many issues with renaming a file extension. Fun fact: In Unix-like OS, the file doesn't even need an extension, it can be simply just "file" with no extension, and it will still function according to its file type that's associated with the header inside. As an example, many log files might be extension-less, C++ source code header files are sometimes files without an extension (remember writing "#include " in your C++ program? That file has no extension), and some programs (including Windows Copilot and Recall) have extensions from their log files removed (which on Windows it's more of a measure to prevent users from poking around and looking for stuff they're not supposed to be poking around). Also, Windows is fully capable of opening extensionless files. Of course, you won't be able to assign a permanent application to open them, but you can still open the file by manually selecting the editor that is designed to open that file (if you know the format of the file). Not only that, Windows Command Line is capable of dumping extensionless text files into the console, the same goes for Windows Powershell (or Powershell for those who installed the latest version), and of course Command Line and Powershell don't hide the file extensions even if that is enabled in Windows.

@@kevkevpurple the little timmy would get scared after seeing the .exe file format

​@@CZghostExcellent point about protecting users from themselves - you just know someone's going to rename a JPEG to PNG and expect it to work. On the other hand, even with file extensions shown, you get a warning popup if you attempt to edit the extension - which is all that should really be needed, Microsoft!

It's going to be the same scam run by different people. Best you can do is keep track of crypto wallets and the transactions they make

Many different groups.

@@YaySyu probably. There are also known market places where you can buy youtube channels, they go up in value a lot depending on what you are looking for, for example channel age, number of subscribers, monetization, etc. Game accounts because of in-game valuable items, account age, no restrictions in place, hours played, rank. Many variables.

I wouldn't be surprised if the entire thing is sold as a Malware As A Service package. The stealer, the C2 servers, the crypto filler content when they do get access.

Lots and lots of groups from CIS. You can check out some Russian formus like Lolzteam, many of them do this collectively. But Lumma is kinda expensive, so there could be a more profession team.

this is not a vuln, its a feature. firefox stores cookies in the appdata folder

I used to work at Microsoft and received a case from a client complaining about this and how O365 sessions remain active. It is not a product vulnerability but rather a human one. In order to gain that level of access, it means that there are a serious of actual security problems in your infrastructure like lack of execution policies and security training for the personel. In other words if an attacker can get its hands on your sessions and cookies, your security infrastructure is full of holes.

Will try it.

I tried searching for it on YT and google and can’t find it, do you have a link for it?

Taken down by KZbin, I appealed.

@@EricParker it seems YT has keyword filters for the subject of video. thanks for reply!

Yeah, since covid they started allowing AI to take down videos without review, sometimes it gets it wrong. On balance it is a good thing.

@@EricParker are you going that upload that video again? KZbin or on another platform?

This is clearly a stealer, it copied your firefox SQLite database (which contains information like cookies and stored passwords), information about installed software, Discord tokens etc. The Cyrillic word "Приват" is literally "Privat", maybe part of some session ID used in this API

you're right, one could notify cloudflare for abuse and boom, cloudflare protection gone from the site

mitmproxy. The setup I use is a wireguard VPN outside the VM. It can either be a second VM or the host (don't do if the host is windows).

It's likely automatic

@@chri-k Ye but still pretty funny Btw on which ending did you finished oneshot? Besides Solstice

@@vladik_yt3186 I don't even remember anymore due to seeing so many let's plays of it. I think it broke the sun?

@@chri-k Good boi

Corn flake

API and the software is the same, AFAIK you set it up on your own domain / server. Most stealer sites look roughly the same, many will also feature a special useragent to make DoS'ing it a bit trickier.

TPSC sounds more "bright"

@@electrolyteorb and eric sounds like tpsc with a voice changer

Yepp

😔

That's exactly what I was thinking. Sounds so much like him.

yes

It's actually easier (in general) to hack enterprises than random people. If you want to hack my channel you have to hack me, if you want to hack linus, there are 100 employees of varying levels of tech saviness that could be compromised.

​@@EricParkerthis, they probably have editors that don't know about PCs but are great at editing videos

thats about as far as his malware analysis abilities go lol

Yes, I cringe every time when I see that lol​@@丷

where's the issue with that?

@@chri-k you can tell just by looking at it that it's nowhere near base64. rookie mistake.

@@88tx It looks exactly like base64. In fact, there is a 99% chance that it is base64.

Appreciated 84zByvq2sPRWBNmbu7NfcFP5LYzR3fyU9CAPUnfs8au6BwNf4f2cqweFKqoaSXw7Ga4BYHgzbJNRqfbTfrYvtigHJYZsA59