Beam.NG Players are in Danger

  • Added 2. 06. 2024
  • In this video I investigate a new series of stealers targeting Beam.NG players.
    Official Discord Server - / discord
    Follow me on X - / atericparker
    Deobfuscated Malicious Lua code - pastebin.com/raw/KzBFP34K (do not run)
    From some further code analysis, it seems this is a key part of the payload: "PySilon". While I was not able to decompile the Python code, using a hex editor I noticed strings. This software has a long list of capabilities.
    github.com/mategol/PySilon-ma...
    Disclaimer: The content in this video is for education and entertainment purposes to showcase the dangers of malware & malicious software. I do not encourage any form of illegal hacking, nor do I encourage the usage of game cheats, cracks or hacks.
    Cracks are sometimes shown to highlight the dangers of software piracy, my content is not intended to teach anybody how to pirate, or maliciously hack.
    (C) Eric Parker 2024
  • Science & Technology

Comments • 411

  • @Ke1teu 25 days ago +967

    Seems like game mods being infected is becoming even more common, it's such a shame

    • @Vhie05 25 days ago +17

      I wonder if I'm in danger, GTA SA is my most modded game atm

    • @luigidabro 25 days ago +7

      @Vhie05 SKULL EMOJI. Btw, they edited their comment, and now there is no more SKULL EMOJI.

    • @hansmitdergans7879 25 days ago +46

      @@Vhie05 I can't remember GTA modding being not dangerous

    • @JoshuaPeisach 25 days ago +5

      Yeah, one year after fractureiser. I think now the target is games for sure

    • @yourtypicalutpersona 25 days ago +2

      Minecraft had it coming before, and now that one game

  • @HypeCrazed 25 days ago +646

    If you get mods from the official repository, you're fine.

    • @Noname-iq1gz 24 days ago +121

      Mods outside the repo were never good imo

    • @jennalove6755 24 days ago +11

      yuh just rip the paid mod and upload it to a reputable website

    • @Alfred-Neuman 24 days ago +19

      Are you sure about that? lol

    • @rustirab3465 24 days ago +12

      Things can slip through and cause problems in the meantime until they get removed.

    • @ArizonaTooth 24 days ago

      @@Noname-iq1gz beam monsters monster trucks are bangin bro

  • @NoOrganHarvesters 25 days ago +432

    Funny how you decoded the hackers code who hate AI, with AI.

    • @zrehirs 24 days ago

      I hope they get defeated by AI, too.

  • @ultimatesigmagamer 25 days ago +366

    The malware is a python based discord rat called "Pysilon". The bot token which is found in the stub is no longer active which is good.

    • @PixelCraftPlay 25 days ago

      so the malware broke?

    • @ultimatesigmagamer 25 days ago +35

      @@PixelCraftPlay every stub that used that bot token is broken and possibly the server was destroyed too where the bot was in

    • @firenado4295 24 days ago +14

      @@ultimatesigmagamer probably just means the token was reset

    • @DaDescriptor 23 days ago +16

      shows how competent the devs are when their bot's token is just chilling in an open github repo

    • @firenado4295 22 days ago

      @@DaDescriptor oh damn didn't realise it was on GitHub, that's even more funny cuz for about the last 5 years or so discord and github have teamed up to automatically invalidate tokens when they are uploaded there.

  • @plainszebra 25 days ago +581

    Fucking hilarious that they're putting fetish art on other people's websites lmfaooo

    • @afloof9649 20 days ago

      As a furry, i can say that these people are dumbasses. Especially because of the fetish art, easily the single best way to track a possible owner or lead of the group

    • @ayweiayweiayweiaywei 7 days ago +8

      I am furry around 7 years now and it always amaze me how fked up the community actually is... just learned this fetish exist wtf is with people.

    • @plainszebra 7 days ago

      ​@@ayweiayweiayweiaywei
      Okay, either you're an actual child or you're incredibly weak willed. If you think this is "fucked up" then you should just stick to the surface level knowledge of the community.

  • @MysLouis 25 days ago +253

    mods are getting more dangerous than random exe's

    • @BobTrollge 25 days ago +20

      i mean mods are just code, and code can do a lot, i've seen videos of people using lua scripts to write an exe and then run it

    • @MysLouis 25 days ago +9

      @@BobTrollge ye but still malicious mods are getting more and more popular

    • @3RR0RNULL 24 days ago +10

      @@MysLouis Yeah, I’ve made a few before. (For testing and practice, not for malicious purposes) In recent years it’s become incredibly easy in nearly every language, especially with certain AI tools being easily jailbroken or having no protection against outputting malicious code at the user’s request.

    • @wedoalittletrolling723 24 days ago +8

      @@BobTrollge That's exactly why Lua should be sandboxed and don't allow access to operating system calls

    • @herrlehrer1479 22 days ago

      Bullshit. Just don’t torrents fucking mods

  • @Z3rgatul 25 days ago +235

    C#/Powershell dev here
    Powershell allows to run base64 encoded scripts to bypass command line parameters limitation. Sometimes you may want to run powershell code with quotes, line breaks, and other characters. And it is very hard to pass such string via command line argument.
    Encoded string is using UTF-16LE probably just because this is internal format how .NET/C# and Powershell (built on top of .NET) store strings in memory

    • @marinhaalternativa3829 25 days ago +5

      interesting

    • @JJFX- 24 days ago +13

      Wow that's very useful. I've banged my head against a wall countless times trying to run complicated commands from batch files. Doing this could seem very suspicious but will definitely come in handy.

    • @zmeyka3310 20 days ago

      backslashes tho?

    • @RokeJulianLockhart.s13ouq 6 days ago

      ​@@zmeyka3310 PowerShell uses backtick.

  • @Exponaut_R-01 14 days ago +30

    The hacker group really called themselves null bulge, of all things. We live in a society. One where our hacker groups are apparently, into some wild stuff.

  • @leneal2315 25 days ago +378

    null-bulge fetish being used as a hacker group name was not expected

    • @NickAc 25 days ago +15

      Yeah, i know right! Also caught me very off guard

    • @S-573 22 days ago +8

      it actually made it question reality for a sec

    • @sprolyborn2554 16 days ago +11

      I expect it more and more. "Programmer socks" are becoming a bigger and bigger thing with each passing day

    • @Bronyfur05 15 days ago +2

      Funny nonetheless

    • @Exponaut_R-01 14 days ago +1

      That must be something they're into because I saw that and went "...Do they know?"

  • @definitelyaraven 25 days ago +121

    Damn my dad was right, BeamNG drive WAS incredibly vulnerable to malware, thankfully I only install mods from the repository, I will be checking my mods before I load up the game again, thank you so much Eric.
    update: I'm not affected, but I swear to the heavens.. 10 whole years and we have the first stealer in beamng's modding history..

    • @maticz3923 24 days ago +11

      Lua is very easy to sandbox. Idk the details but there should be no way for a mod to load ffi

    • @aykarain 5 days ago +2

      i dont play this game but its pretty cool how there hasnt been anything like this for 10 years...

  • @Kiraskrati 25 days ago +134

    I'm an active Beam NG player with many mods. I am so thankful for that video

    • @MicrosoftGuy 25 days ago +12

      Me too! I've got 102 active mods! They all came from the in-game repository. When i was a kid, I used to download like the worst mods of all the time, and I had garbage software on my computer. Now I like so much computer security things. I can't believe that I was so bad!

    • @GTAMAN-officiel 22 days ago

      LOOL i have 647 mods right now 534 are from modland 16 from worldofmod and the others are from repository @@MicrosoftGuy

    • @bitelaserkhalif 21 days ago +3

      102? Huh. Try 710 mods. @@MicrosoftGuy

    • @Gabethedoggo 18 days ago +1

      I have some cars that just fly and are white Gravil D series.

    • @Gabethedoggo 18 days ago +1

      Is that a virus?

  • @_daniel.w 25 days ago +37

    I recently found a vulnerability in BeamNG which allowed for arbitrary code execution (or remote code execution in multiplayer), but after reporting it, they fixed it. So that's always nice.
    There's definitely more issues though (such as this one).
    Edit: If I were you though, I would have personally kept it private until something was done. Now we'll get a few hundred skids on BeamMP and KissMP doing RCE's 🙃

  • @Voxelstice 25 days ago +39

    i have only just seen the first couple of frames and it's IMMEDIATELY obvious what the problem is
    i have played beamng. i have looked at the lua scripts. the problem here is the ffi library being publicly exposed to the lua programming interface
    ffi is basically an interface to the C++ side, which is a helpful utility sometimes (beamng devs use it to execute some engine code in lua scripts, or unpack a C++ struct to a lua table), but when it ends up in the wrong hands, it's basically just a glorified executable that gets compiled and run.
    you're unlikely to experience this sort of trollery on the actual mod repository, as there are people actually manually approving mods

    • @araghon007 12 days ago

      So you're telling me mod developers have unrestricted access to what is essentially javascript's eval()

    • @Voxelstice 12 days ago +1

      @@araghon007 basically. I don't know if there's any restrictions but there may be barely any
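
The ffi exposure described in the thread above can be triaged with a quick pass over downloaded mods. This is an added example, not code from the video, the commenters or BeamNG: it assumes mods are zip archives containing `.lua` files, and the rule names, file paths and sample archive are constructed. A hit is a lead for manual review, since the game's own scripts use ffi too.

```python
import io
import re
import zipfile

# Heuristics only: a hit is a lead for manual review, not a verdict.
# As the comments note, the game's own scripts use ffi legitimately.
RULES = {
    "ffi-require": re.compile(r"""require\s*\(?\s*["']ffi["']"""),
    "ffi-call": re.compile(r"\bffi\s*\.\s*(?:cdef|load|C)\b"),
    "process-spawn": re.compile(r"\b(?:os\s*\.\s*execute|io\s*\.\s*popen)\b"),
}
HEX_RUN = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){6,}")       # long run of \xNN escapes
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(\d{1,3})")   # Lua \xNN and \ddd escapes


def decode_lua_escapes(text):
    """Turn Lua \\xNN and \\ddd string escapes into the characters they encode."""
    def repl(match):
        code = int(match.group(1), 16) if match.group(1) else int(match.group(2))
        return chr(code) if code < 256 else match.group(0)
    return ESCAPE.sub(repl, text)


def scan_lua_source(source):
    """Return sorted (line_number, rule_name) pairs for one Lua file's text."""
    findings = set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        if HEX_RUN.search(line):
            findings.add((lineno, "hex-escaped-string"))
        decoded = decode_lua_escapes(line)
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.add((lineno, name))
            elif pattern.search(decoded):
                # Only visible once the string escapes are decoded.
                findings.add((lineno, name + " (hidden by escapes)"))
    return sorted(findings)


def scan_mod_archive(archive):
    """Scan every .lua member of a mod zip (path or file object)."""
    report = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".lua"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = scan_lua_source(text)
            if hits:
                report[info.filename] = hits
    return report


def build_sample_mod():
    """Constructed sample: an in-memory zip standing in for a downloaded mod."""
    benign = 'local M = {}\nfunction M.onInit() log("I", "demo", "loaded") end\nreturn M\n'
    suspect = "\n".join([
        r'-- constructed test input, not functional',
        r'local ffi = require("\x66\x66\x69")',
        r'ffi.cdef[[ int puts(const char *s); ]]',
        r'local s = "\x6f\x73\x2e\x65\x78\x65\x63\x75\x74\x65"',
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("info.json", "{}")
        zf.writestr("scripts/benign.lua", benign)
        zf.writestr("scripts/suspect.lua", suspect)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, hits in scan_mod_archive(build_sample_mod()).items():
        for lineno, rule in hits:
            print(f"{member}:{lineno}: {rule}")
```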

  • @Kwpolska 25 days ago +28

    I have used the base64 feature of PowerShell to be able to run a PowerShell script from a program in another language without having to bother with the pain that is escaping quotes and newlines. UTF-16 is the internal encoding Windows uses, and the only one supported for that PowerShell base64 feature (which is an explicit PowerShell feature, not some “core .NET thing” another commenter mentioned).
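
For analysts who meet the PowerShell base64 feature discussed in the comments above in a process log, the sketch below recovers the script text by base64-decoding the argument and reading the bytes as UTF-16LE. It is an added example, not code from the video or from any commenter; the log lines and script are constructed, and `-EncodedCommand` with its short forms is the real powershell.exe parameter.

```python
import base64
import re


def is_encoded_command_flag(token):
    """True for -EncodedCommand, any prefix of it (-e, -enc, ...) or the -ec alias."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_payload(b64_text):
    """Base64 -> bytes -> UTF-16LE text. Returns None when either step fails."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
        return raw.decode("utf-16-le")
    except ValueError:
        # binascii.Error (bad base64) and UnicodeDecodeError (not UTF-16LE,
        # e.g. an odd number of bytes) are both ValueError subclasses.
        return None


def extract_encoded_commands(command_line):
    """Return the decoded script (or None) for each encoded-command argument."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    return [decode_payload(value)
            for flag, value in zip(tokens, tokens[1:])
            if is_encoded_command_flag(flag)]


def triage(log_lines):
    """Map line index -> decoded scripts for powershell lines carrying one."""
    hits = {}
    for index, line in enumerate(log_lines):
        if "powershell" not in line.lower():
            continue
        decoded = extract_encoded_commands(line)
        if decoded:
            hits[index] = decoded   # [None] means: flag present, value undecodable
    return hits


def encode_sample(script):
    """Build a constructed test value in the form the feature expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample input: command lines as they might appear in a process log.
SAMPLE_SCRIPT = 'Write-Output "constructed sample"'
SAMPLE_LOG = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + encode_sample(SAMPLE_SCRIPT),
    'powershell -e "' + encode_sample(SAMPLE_SCRIPT) + '"',
    "powershell.exe -ExecutionPolicy RemoteSigned -File backup.ps1",
    "powershell -EncodedCommand not_base64!!",
    # Base64 of UTF-8 bytes instead of UTF-16LE: valid base64, wrong encoding.
    "powershell -enc " + base64.b64encode(b"dir").decode("ascii"),
]

if __name__ == "__main__":
    for index, scripts in triage(SAMPLE_LOG).items():
        print(index, scripts)
```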

  • @dogewow8999 25 days ago +24

    Ok, but in which BeamNG mod did you find this?

  • @creeperlv6668 25 days ago +33

    The Base64 thing just calling to core library of .Net, not necessarily the powershell is designed with executing base64 encoded script in mind.
    It's kinda like piping result from base64 command to a shell command in GNU/Linux.

  • @Kykof 25 days ago +19

    I remember telling you about this like 2 years ago! So glad that you are making a video about it now. Great video as always Eric.

  • @kcgd3707 24 days ago +30

    Which mod was affected? Is the malware in the official repository? Dude you can't just say there's stealer malware in a beamng mod and give no info about which mods are affected

  • @SpaceCadetKitty 24 days ago +4

    This is a great analysis of malware, you make it look so easy

  • @edwardfanboy 6 days ago +10

    The NullBulge logo is AI generated, and they accepted Monero donations, so I don't think they genuinely believe a single thing in that manifesto.

    • @infinitemausoleum721 2 days ago +4

      THANK YOU. It absolutely feels like a "We're the Good Guys:tm: so please don't try to stop us!" thing.

  • @tomtom987 25 days ago +32

    13:20 this is a RAT using discord, i believe it’s a bot used to receive information and send information from the infected computer to the discord server, they are using a bot to do so, they can control the RAT from discord using the bot if I remember correctly

    • @Pwnz0rServer2009 25 days ago +10

      if they included their bot cookie in their program, you know what to do :)

    • @nakoyasha 25 days ago +1

      FYI that request tries to fetch user info about the bot (the bot's username, avatar, etc), I'm guessing it's to check if the bot is still alive, and if the API didn't return a 401 (indicating that the token is no longer valid, so it was either reset or the bot was deleted) then it would probably try to send whatever it collected thru that bot, it's about as bad as using webhooks since it's just as prone to getting spammed and deleted by someone xd

    • @tomtom987 25 days ago

      @@Pwnz0rServer2009 I know it’s possible to log as a bot if you have the cookie, but If they have certain settings enabled then it’s not normally possible

    • @tomtom987 25 days ago

      @@nakoyasha Oh ok! Thanks!

    • @Pwnz0rServer2009 25 days ago

      @@tomtom987 i specifically said *if*

  • @sideswipebl 14 days ago +8

    Hackers working against paid mods is like anarchists working for the government

  • @baadkeming 24 days ago +5

    UTF-16 is fairly normal in WindowsLand™, most of Microsoft committed to UTF-16 back in Windows NT long before UTF-8 was widely used. Internally, .NET (which Powershell is built upon) uses UTF-16 rather than UTF-8 for its string types. As a result, it's not unreasonable that Powershell would expect encoded scripts in UTF-16.
    edit: whoops, someone already pointed out the bit about .NET. Still, I figure it might be nice to know the context of why that is.

  • @c02c02 25 days ago +28

    love your videos but please fix the glitches in your mic output, i had to rewind to check if something was broken on my end lol

    • @EricParker 25 days ago +22

      Will try and figure out what's going on, noticed a bit in editing, not sure what's happened there.

    • @wrathofainz 25 days ago +1

      Same

    • @th3WhiteRose 24 days ago

      I think the Mic is peaking

    • @genisis3457 24 days ago

      @@EricParker if you're using voicemod, then you have to switch to another mic input, then back to your normal mic, i get that issue a lot.

  • @SeamanLord 25 days ago +11

    There’s something about the mic being slightly different video to video that I look forward to every video 😂
    my lil cousins always asking me to get them “hacks, mods, etc” in Roblox and Fortnite and even before coming across your channel I could smell the malicious intent. So it’s neat to have someone to show what would’ve happened if I just went along and installed everything from a “Free Robux” CZcams description.
    Keep up the great work 🙏🏽

  • @ferdmusic8 25 days ago

    Thank you for doing these videos ❤ I love watching them because I am getting more and more interested into that stuff

  • @lands1459 25 days ago +10

    which mods are affected?

  • @WesleyTRVOfficial 18 days ago +3

    Audio glitch at 0:06.
    In the meantime, stay safe.

    • @NewBuildmini 15 days ago +1

      I thought something was wrong with my headphones.

    • @marh122 5 days ago +1

      funny how he started to talk about trojan malicious virus and the audio started stuttering

  • @matthewlewington2470 25 days ago +3

    I love watching this stuff. Just seeing what these programs are up to is cool

  • @LukasGaz.444 24 days ago +4

    A weird thing is, i am watching this while playing BeamNG. Thanks for informing me. I will stay safe when downloading mods.

  • @twids4 25 days ago +2

    For whatever reason powershell, I’m not sure if it’s windows apps too but powershell uses utf16LE and can be really annoying if you’re switching between Linux and windows but I don’t believe this is localisation just powershell being powershell
    Base64 can be useful in powershell if you need to pass commands and there might be encoding that breaks characters or url encodes etc. Used a VM where I couldn’t move a powershell script into host and copy and pasting would break encoding so I base64 encoded pasted it into host and just used the encoding parameter. While it’s used maliciously it does have some legit good uses

  • @goongleton 25 days ago +3

    i'd love to see you try older malware on newer systems or vice versa

    • @indominusrex1652 18 days ago +1

      Newer malware on older system will cause more damage than new malware on new system due to the absence of necessary security updates
      Older Malware on Newer systems will do nearly nothing just be an inconvenience since the security updates stop those in their tracks

  • @GiliceJani 24 days ago +4

    Base64 has a myriad legitimate uses. One being that you don't have to escape it because it is ASCII.

  • @GiliceJani 24 days ago +6

    Also is this a PSA or a code review? I have no problem with the video, except that it doesn't mention anything which/what mods were affected AND how to check if YOU ARE infected.

  • @fliermcduck 25 days ago +10

    i play beam occasionally
    this is actually quite helpful to me, even though it was VERY unexpected
    i'm always wary with downloads, but i never thought some knucklehead would upload malware to a goofy, small community like this one

    • @rustirab3465 24 days ago

      No place is safe ☠

    • @fliermcduck 24 days ago

      @@rustirab3465
      yeah, it really sucks now
      i get real nervous even when i download steam workshop mods or develop my own minecraft modpacks or other game mods
      a whole lot of addons and file-manipulation tools still don't sit right with me, even after i look into them and get negative results from virustotal and hybridanalysis

  • @NielsHeusinkveld 15 days ago +2

    Off topic, that 'stutter' in the video at around 7 seconds reminds me of the day before I found out Trusted Platform thingymajig was the cause of ruining my gaming experience for over a year..

  • @jamiebonczek8026 24 days ago +5

    I’m not really good with computers although I’m on it a lot. I got a bunch of mods and wondering what exactly in the vehicle folder I should look out for? Watched the video but it’s super confusing imo and short explanations of what I look for

  • @4Panccaa4 23 days ago +1

    Thanks for this video. I only get mods of the ingame mods on the official BeamNG mod browser and the other mods I use is an ultra graphics one made by a BeamNG dev which is safe and the other one is the multiplayer mod. aka Beammp

  • @TiagoTiagoT 24 days ago +2

    Wait, when does Lua get into play? I didn't even see the game being launched in order to interpret the Lua script... Did I miss some moment in the video where you show it hijacking the game's Lua interpreter or something?

    • @dot32 22 days ago +2

      LuaJIT has a feature called FFI which to my understanding can run external dlls. This feature is intended for performance critical code such as math libraries. This mod downloads this exe and executes it using FFI. He reviews what the exe does in the video.

  • @qwke 25 days ago +1

    i love the "hello buddy" intro

  • @Decommissioned 24 days ago

    Genuinely banger after banger upload.

  • @skinnyjeanis7177 16 days ago

    Thanks for the heads up. Is this from the official mod repository, the website forums, or an external website? No shade thrown at the repo moderators, it's not a big team and things can slip through sometimes. I'd just like to know this to understand the real magnitude of the threat.

  • @thegamer. 25 days ago +2

    I installed a couple mods from the beamng mod menu, but i never installed anything from a 3rd party website, i should be fine, right? I played recently and my mods were disabled anyway due to me not playing in a while but i wanted to make sure

  • @gazehound 24 days ago

    The registry keys it opens are likely for profiling the system. Getting your hardware info, windows version, etc.

    • @LiEnby 17 days ago

      It's probably regular ass python thing,

  • @whtiequillBj 24 days ago +1

    @2:08, I can't tell you WHY Microsoft would add obfuscation of strings other than they seem to ❤ obfuscation and redirection if you spend any time in the Configuration Manager, better known as the Registry. I have found keys that point to keys that finally point to a data key with the actual data in it.

  • @Triro 24 days ago +30

    I really just hate paid mods.
    Mods should be free.
    Now, I don't care if you do something like your supporters get new mod versions lets say 2 weeks early, but doing completely paid just rubs me the wrong way.
    At that point it might as well be 3rd party DLC.

    • @thesilentone9847 16 days ago

      I think paid for mods are ok if you make mods a lot and they are super high quality what shouldn't be allowed is paid mods that are absolute trash

    • @Triro 16 days ago +10

      @@thesilentone9847 Absolutely not.
      You might as well just consider them unofficial paid DLC.
      But unlike DLC these modders use things like Patreon, where guess what. It's a monthly expense!
      Meaning you're paying monthly if u want the latest updated unofficial paid DLC, I mean "mod".
      You wouldn't be happy if u had to pay monthly for a DLC of a game, so why not the modders. I get they have to make money somehow, but there are better ways like asking for donations, or giving early access to your paid subscribers.

    • @matthewpauls2498 16 days ago

      @@Triro I definitely think monthly is dumb but you only need to pay again if there’s a game breaking bug tbh.
      But general idea of paying is fine. Everyone just expects good mods to appear on silver platters like a granted law of physics.

    • @iretr0x675 15 days ago +5

      FiveM police livery for $69.99:
      Farding simulator pickup truck for $80:
      Truck simulator truck for $140:
      Stealing your moms credit card for a $14 fuckatnite skin:
      Paying $34 for 7 gallons of gas:
      Beamng mod for $3.45: 😱😱😨😨😥😥😰😥😬🤮🤢🤕🤒😷😪😮

    • @Wasmachineman 15 days ago

      @@iretr0x675 >FiveM police livery for $69.99
      Knowing how fucking retarded FiveM RP servers are i'm not even surprised.
      t. former FiveM player.

  • @llIlll 6 days ago +1

    Am I able to dump my mod folder into a program that can tell me if any of my mods are malware?

  • @shalodey 25 days ago

    Uploaded the day after I enabled all my mods on BeamNG lol
    But the virus seems to be very targeted at Windows, which should leave me safe. Might wanna clear out some of my shady mods regardless though.

  • @Loaf_ve 25 days ago +1

    I have a good bit of BeamNG mods, does Eric mention where these stealers come from? Like is it on the Beam forums or...? Or is it just pirated mods on third party websites and stuff

    • @EricParker 25 days ago +3

      Torrents, some have been uploading on various sites. No single source.

    • @Loaf_ve 25 days ago +3

      @@EricParker Alright. I have over a 100 mods from the official site and have double checked all of them. Video gave me a scare haha

    • @GayEQUINOX32 24 days ago

      @@Loaf_ve Same, I never use mods from sites other than Ko-Fi, Gumroad, Patreon, BeamNG Forums, and the Repository.

    • @rustirab3465 24 days ago +4

      @@Loaf_ve How did you check them? What do I need to watch out for?

    • @Loaf_ve 24 days ago

      @@rustirab3465 If you get your mods from the in-game repo, you're most likely safe. From the forums, I doubt BeamNG would let something like the stuff in the video on the forums. It's mainly just pirated mods, so if you've downloaded from third party websites (examples, world of mods, modland, etc) then you might want to scan those mods with virustotal. If you think you downloaded something weird from the forum you can also double check it's forum page and look at reviews, and if it seems legit

  • @tomtravis858 25 days ago +3

    base64 encoded scripts just seems like a quality of life feature, let's say I want to send a friend a command or script it would be possible for whatever messaging app I use to interpret stuff like "\*" as a way to format italics so would break the command/script.
    I don't see why it shouldn't exist since you could just decode it yourself if you're a malicious actor.

    • @monkaSisLife 25 days ago

      i think it causes more harm than it does good. There's plenty of other (and safer) options to send someone a script

    • @tomtravis858 25 days ago +5

      @@monkaSisLife I don't see how it changes anything, it's trivial for malware to just decode it. You can still decode the script/command if you want to confirm it's safety but pasting a full script into powershell is not likely to work.

    • @bitelaserkhalif 21 days ago

      It also can be used to deter DMCA bots.
      All efforts to take those down must be done manually, since if bot decodes the entire website, it'll be jumbled mess.

  • @toyocolla6374 15 days ago

    I haven't played BeamNG in a long time, this reminded me to check my mods folder

    • @EricParker 15 days ago

      And also if you downloaded "comfyui llmvision" because they went after that as well.

  • @awesomeguysuncle 25 days ago +3

    I had a feeling this would happen to beamng, be careful out there guys

  • @BlazerNG. 25 days ago +7

    I knew it. I knew something was up with BeamNG mods lately, but this is even worse than I thought. Anyway, thanks for the video mate. Could you please tell us the name of the mod? I want to make sure I did not download it. :D

  • @user9536 20 days ago +1

    i have 0 idea what you are talking about at all but this is cool

  • @procrastinates 13 days ago

    It's like the Fractureiser virus all over again, but with BeamNG. It's crazy how unsafe modding games have become. I'm worried that something similar might be happening with other games that have huge modding communities.

  • @ShawnMeira 24 days ago +2

    Could you please clarify if mods on the official repository are affected???

    • @chrissametrinequartz9389 24 days ago +2

      You should be fine with the official repo, I think it's mainly 3rd party stuff that's the issue

    • @chonou2037 21 days ago +1

      if so then thats beamngs fault maybe a few on the forums but none on the official

  • @TAELSDOLL 24 days ago +3

    I love it when microsoft makes it easy for hackers to encode their malware lol

  • @Skylarr 25 days ago

    I'm a modder for Don't Starve Together, I might give a proof of concept malware a try to make sure that game is safe.

  • @brendonhughes9002 5 days ago

    This is insane. I wonder if that's why i kept getting a blue screen before my hard drive went to crap.

  • @MordecaiTheAwesomeBluejay

    We got furry fetish hackers before GTA 6 💀💀💀

  • @LEPOX208 17 days ago +1

    Well, back to making my own mods with Automation I guess.

  • @coolcostupit 24 days ago +3

    I honestly don't understand why beamng drive is allowing to execute external c code purely in lua, it's weird and a huge security issue.

    • @ChristopherGray00 24 days ago

      i hadn't played beamNG or modded for it so i'm unfamiliar with how it works on there specifically, but if i were to guess, it could be for particularly advanced mods that have their own hooks to allow for functionality that otherwise isn't implemented in the game's lua API.
      but yes, this opens the door for massive security implications, this should at least be an explicit opt-in feature.

    • @coolcostupit 24 days ago

      @ChristopherGray00 I am a mod developer on beamng myself, I know ffi exists in lua but I did not expect that it would exist in beamng drive as well. The ffi executor doesn't interact with beamng or its internal api's, it's just a external executor and I have only seen Beamngs internal source code use it. At least they could lock ffi to Source scripts rather than making it an unlocked and insecure api.

    • @olnnn 23 days ago +3

      @@ChristopherGray00 There is a third party mod that adds multiplayer support for the game (BeamMP), I suspect that could be (ab)using this functionality to do communication with the outside. Maybe they'll add official multiplayer at some point but in the meantime, if they broke that mod I think a lot of players would be angry so they would at least want some way of making that still work even though it was probably not an intended "feature".

  • @suchy.chomik 25 days ago

    Thank you so much, i just found out I'm infected on my sim racing computer

  • @kavylavx 25 days ago +1

    hey i havent watched the full vid like, but def a like and sub.

  • @JoshuaPeisach 25 days ago

    Target is definitely becoming games nowadays

  • @llIlll 6 days ago

    So how can I check if my mods are infected?

  • @Mitjiva 14 days ago

    Some say you'll be fine if you only download mods from the repo, but that would mean not connecting to any BeamMP server that has any mod. We're in trouble then aren't we ? Or does the BeamMP team do server mod moderation ?

    • @Zylenxx 2 days ago +1

      This is why i prefer to join lobbies with no mods

    • @Mitjiva 2 days ago

      @@Zylenxx Same

  • @dubbynelson 24 days ago +2

    "using hex is a dead giveaway of obfuscated code"
    that sounds like a skill issue to me boss

  • @bluebutterfly6394
    @bluebutterfly6394 25 days ago +10

    Minecraft: first time?

  • @ayandamabhena9391
    @ayandamabhena9391 25 days ago +3

    Your mic glitched at the start

  • @talha4762
    @talha4762 25 days ago

    Hello, if I only download mods from in-game repository am I safe?

  • @1993MAZDAMIATA
    @1993MAZDAMIATA 25 days ago

    As I'm playing the game haha. Any problems with farming simulator mods? I get more shady mods from there.

  • @volcano.mitchell
    @volcano.mitchell 6 days ago

    moral of this story: only get mods from the repo as getting mods off other sites could be dangerous

  • @lezlienewlands1337
    @lezlienewlands1337 24 days ago +3

    BeamNG is one of my favourites.
    Not surprised that info stealers are now going after BeamNG players, probably more so because anyone who has BeamNG is likely to have a good system with powerful components.

  • @nickaalex
    @nickaalex 14 days ago

    Having a hard time understanding this. What does this thing even do and why should I be worried?

    • @EricParker
      @EricParker 14 days ago

      I also made a video on the virus they're using here: czcams.com/video/yjLYz2lo0FE/video.html
      this is what they can do with your computer.

    • @nickaalex
      @nickaalex 13 days ago

      @EricParker That helped, thanks

  • @Consion-pr6vq
    @Consion-pr6vq 24 days ago +2

    What mods are infected?

  • @guestc142
    @guestc142 24 days ago

    what's the link to the group, please tell me

  • @sbokvtok1795
    @sbokvtok1795 2 days ago

    I think I got one... how do I remove it?

  • @potardo9851
    @potardo9851 17 days ago +1

    The second I heard "you get it through a torrent" I was immediately put at ease as I never use torrents. Not saying you couldn't get it from other sources but it was kind of a yeah duh moment.

    • @EricParker
      @EricParker 16 days ago +1

      Has been distributed on sites like modland as well. Pretty much any way people are getting leaked mods is affected.

  • @thatlutherfan
    @thatlutherfan 24 days ago

    uh oh guess that means I'm going to be careful what I get on beamng!

  • @purple-zot
    @purple-zot 25 days ago +1

    this video made me drop everything

  • @javi_3753
    @javi_3753 25 days ago +7

    And if I only download from steam store. I mean in game mods

    • @EricParker
      @EricParker 25 days ago +18

      That should be fine, the main issue is pirated mods.

    • @braidenzack309
      @braidenzack309 25 days ago

      I got Chinese malware from a left 4 dead workshop mod, so I'm not so sure.

    • @robotmechanicalwhizkid2521
      @robotmechanicalwhizkid2521 25 days ago

      Which mod specifically? @braidenzack309

    • @BigMan7o0
      @BigMan7o0 25 days ago

      @EricParker How likely would you say it is for something like this to get past Windows Security AND constant Malwarebytes scans (typically one a day)? I don't THINK I have any pirated beam mods but I use Modland and sometimes they don't scan/vet the mods themselves and I don't know for sure their vetting is even trustworthy so I have always scanned anything I get there almost obsessively, but am curious what my chances are of getting hit anyways.

    • @tonid-pj8qn
      @tonid-pj8qn 25 days ago

      @braidenzack309 what was it called, now I'm interested

  • @armsox
    @armsox 1 day ago

    that sure is.... one reason it's called "nullbulge"....

  • @d0tmaxx376
    @d0tmaxx376 13 days ago +1

    The moment you see ShellExecute in source code you are fucked

  • @doomskull7549
    @doomskull7549 25 days ago +3

    Thanks for this, gave me the push I needed to uninstall an abandoned game I haven't played in years

  • @henryfleischer404
    @henryfleischer404 24 days ago

    CZcams simply refuses to load this video... So... What's the situation?

    • @eggs4561
      @eggs4561 15 days ago

      Pirated beamng mods are infected with malware. Ingame repository is safe. Be careful.

  • @TiagoTiagoT
    @TiagoTiagoT 24 days ago

    Lua is supposed to be sandboxed, right? Have you reported the security vulnerability to BeamNG?

    • @LiEnby
      @LiEnby 17 days ago

      Lua is only sandboxed if you enable the sandbox

    • @TiagoTiagoT
      @TiagoTiagoT 17 days ago

      @LiEnby Oh, wow... Any reason why they would leave it set up to allow such an ACE vulnerability instead of just hardcoding a whitelist of their own helper fast libraries or whatever?

  • @Tumbxdo
    @Tumbxdo 23 days ago

    I think I was infected with this a bit ago. I think Windows Defender stopped it in its tracks, though I'm not sure

  • @pedi-kun3978
    @pedi-kun3978 25 days ago

    starsector also had this problem already removed that mod

  • @34forlife
    @34forlife 7 days ago

    does this affect the official beamng page

  • @nravenz7538
    @nravenz7538 5 days ago

    Me who makes all of my cars myself in automation:

  • @TrazioneIntegraleVRacer

    wait a sec, are we talking of repo, beam forums or the already known shady websites?

  • @worsevideomakerr
    @worsevideomakerr 12 days ago

    literally why we need a beamng steam workshop

  • @gtazocker312
    @gtazocker312 25 days ago

    Without watching the video, I can already confirm this. Downloaded mods from a Russian website (without any installers whatsoever) a few years ago and my pc began crashing out of the blue. Turns out I had downloaded a virus which deleted important system32 files, preventing me from booting. Silly me should've known better...

  • @cor_racing
    @cor_racing 15 days ago

    Great info but what does it do? If it is not communicating outside? What is the point? I have a lot of AC mods and tbh 99% of them are not even worth installing. There are few that are really nice, rest is okish... I do hope new ACE will not have mods at all or they will need to be checked and verified and available thru official ways somehow (a lot of work I know).... Shame really what they are doing. There are few legitimate modders and teams that actually do their mod from 0 etc. rest is just "mods" stealing from other games and then crying if someone uses their modification as if it was their own LOL....

    • @EricParker
      @EricParker 14 days ago

      The discord bot that this one was based on was banned by discord, but future executables can do more.

  • @Kamerzystanasyt
    @Kamerzystanasyt 25 days ago

    pc was smoking at start

  • @redlionstudio2750
    @redlionstudio2750 25 days ago +3

    I'm glad I'm using NixOS :D

    • @electric26
      @electric26 25 days ago +1

      NixOS uses (proper) sandboxing? I might actually decide to check it out then 🤔

    • @redlionstudio2750
      @redlionstudio2750 25 days ago

      @electric26 No, I just meant that I'm glad that I use Linux in general, because as far as I can see, only Windows is affected by this, but still NixOS is a little bit more secure because it doesn't follow standards XD (oh and also configurations are read only and accessible only to root, so viruses can't easily put themselves on autorun)

    • @AM-yk5yd
      @AM-yk5yd 24 days ago

      @redlionstudio2750 There were several minecraft malware aimed at linux. Though even with Flatpak sandbox they didn't work because they relied on accessing proper HOME directory.

    • @electric26
      @electric26 24 days ago

      @redlionstudio2750 lol about the not following standards. But yeah, I created my own (hopefully) secure setup on Arch where I have a separate user for various things (for personal, work, gaming, etc.) where the ownership of .bash* files are set to root, and I have a folder in /pub for each user that is world readable. I also have an admin user that is the only user with root access. I really like it so far :D

    • @guestc142
      @guestc142 24 days ago

      Just unfortunate that most distros still haven't figured out changing monitor resolutions.

  • @ayeuplink1428
    @ayeuplink1428 25 days ago

    GOD I JUST DOWNLOADED LIKE 27 OF THEM LAST NIGHT

    • @723mph
      @723mph 24 days ago

      we are cooked

  • @dionsyran2
    @dionsyran2 3 days ago

    13:00 I tried the token and I can certainly say that it is invalid. It either got banned or they reset it