Hello, one thing in advance: I cannot, for the life of me, find anything suspicious on my system outside of (manually guessed) traces. No scanners come up with any detections, so I'm guessing some context may be needed. Here goes...

I've recently fallen for an imposter website when downloading a setup. Decided to return to playing some Minecraft after like 3 years, updated the game, wanted to update a respected mod for it, remembered it had an installer (unusual for Minecraft mods), and looked it up accordingly:

Search term: "Minecraft Forge 1.17.1"

First result - website looked legit, downloaded and ran the installer. Simple as that - mistakes were made.

FAKE website: minecraftforged.com - provides setup "MinecraftForge-1.17_33152.msi"
REAL website: minecraftforge.net - provides FORGE setups in .jar format, not .msi!

[Image: Fake vs real website - it fooled me]

As it turns out, forge 1.17 doesn't even exist yet, it always lags behind a bit, so when searching for this version explicitly, the first result was the fake website.

I ran the installer because at that time, I didn't suspect anything was wrong. It appeared to crash - midway through the bar somewhere, so I even ran it 4 times in a row as it turns out. Only when trying to troubleshoot the "MSI" type installer for Forge "crashing on install", I figured out that, oh wait a minute, there ARE no MSI installers for Forge, and that's when it finally hit me.


No scans picked up on it. My Emsisoft install gave it the green light.

Virustotal had only 1 detection for it:
MinecraftForge-1.17_33152.msi
https://www.virustotal.com/gui/file/54b38316af894a3b21c3eca7285e031b276b31019450c9f18f2fcc056ae2ba15/detection

Nothing alarming usually - then again, file looks to be very new, and there's a multitude of things tipping me off:

1) The lengths of professionally faking the FORGE download website with minimal adverts
2) The same installer being known as "Spotify_42042.msi" already, so just a renamed file, and on top of that...
3) The setup, when running, claiming to install "BrightestLightSetup" (neither Forge, nor Spotify anything!)
4) The setup crashing, yet no errors being displayed anywhere, nor anything showing up in installed programs
5) The setup gets randomly generated version numbers at the end with each download, I think?


On further inspection, the file appears to be a dropper, unpacking this 2nd file (its actual payload perhaps?), also greenlit by Emsisoft:
%LOCALAPPDATA%\BrightestLightSetup\BrightestLightSetup.exe
https://www.virustotal.com/gui/file/15add46219ad5d7f32f93c886804cbf7fbb50653671008bb17f62ec1c845cfb7/detection

My first gut reaction was to move the contents of TEMP out of temp to a different location, so as to 1) prevent anything from using it, even if far too late, and 2) preserve it. There are 4 folders matching the timestamps of my 4 attempts running the installer, each of them sporting the exact same files in them:
_setup64.tmp
https://www.virustotal.com/gui/file/388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95/detection

BrightestLight.dll
https://www.virustotal.com/gui/file/ff2455f13f2a2c0bef90ba45f92d736b3833269d609d88f35d2469b0dd0bb012/detection

This is where I got a second opinion, using the ESET online scanner ( https://www.eset.com/int/home/online-scanner/ ), which also didn't find anything related - so nothing came of it, sadly. 2 highly reputable scanners, not picking up on a highly suspect file that I ran multiple times, on my legacy system. I know the installers had ample time to do whatever, and I suspect it's just undetected as of now.

I also ran it by Hybrid Analysis, an analysis environment, and these are the results of what it did, but I'm not educated enough to make much sense of it myself:
https://www.hybrid-analysis.com/sample/54b38316af894a3b21c3eca7285e031b276b31019450c9f18f2fcc056ae2ba15/60e71308af4dd7311c4fa4e0

I've got installed:
- Emsisoft Anti Malware
- GlassWire firewall (manages Windows firewall & tracks network usage)
- Sandboxie (didn't use it when trying to install forge though, because why would I have...)

Any further details should be included in the log files, I think.
Couldn't use EEK, as I have Emsisoft already installed, attaching a log of that instead.


I didn't restart my machine yet, as I am suspecting windows files to be replaced on reboot - as long as my machine keeps running they may still be the original, system-locked files and the malware may be unable to finish installing itself? Just a hunch though...

FRST.txt Addition.txt scan_210708-210740.txt

Edited by BlackSun
Added 1 more VirusTotal link

[Placeholder post]

I am trying to upload a ZIP / 7z / RAR of
1) samples of the suspected malware
2) content of my TEMP that I preserved after the possible infection, and
3) Event Viewer log file from the relevant timespan.
It's 4MB in size total.

Yet it always gives me this error:

"Sorry, an unknown server error occurred when uploading this file.
(Error code: -200)"
How do I upload these to attach them to the topic?

The upload error may be because the files you are trying to upload might be too large.

The installer does appear to be malicious.  The good news is that it does not appear to have infected the system, since it crashed during the install process.

There are a couple of items that should be addressed however.

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-3360432786-872523879-788843560-1000\...\Command Processor: IF /I x"%COMSPEC%"==x%CMDCMDLINE% (CD /d C:\) <==== ATTENTION
Task: {0EFC0B26-FEBD-44CF-ABD1-3C85D47FE5B7} - System32\Tasks\{6983A64A-C14B-42D3-80F9-4B18ED4F5109} => C:\Windows\system32\pcalua.exe -a C:\Users\BlackSun\AppData\Local\Temp\jre-8u291-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION

Close Notepad.

NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.

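The two items in the fix above are both persistence locations: the Command Processor AutoRun value runs a command every time cmd.exe starts, and a scheduled task can relaunch a binary out of a Temp folder via pcalua.exe. As an added example (not from this thread, and not FRST's own logic), this read-only PowerShell check lists both on a machine so you can judge whether an entry is something you configured yourself, as the poster's CMD tweak was; it assumes an elevated PowerShell on Windows and removes nothing.

```powershell
# Added example, not part of this thread or of FRST: review the two persistence
# points the fixlist above touches. Read-only; run from an elevated PowerShell.

# 1) Command Processor AutoRun: whatever is stored here executes silently each
#    time cmd.exe starts. Fine if you set it yourself (e.g. "CD /d C:\"),
#    otherwise worth a close look.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Command Processor',
    'HKLM:\Software\Microsoft\Command Processor'
)
foreach ($key in $autorunKeys) {
    $value = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($value) { Write-Output "AutoRun in ${key}: $value" }
}

# 2) Scheduled tasks whose action is pcalua.exe (the Program Compatibility
#    Assistant launcher) or whose command line points into a Temp directory.
#    An installer task like the JRE one above should disappear once the
#    update finishes; one that lingers, or that lives in Temp, deserves review.
$suspectTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Non-exec actions have no Execute/Arguments; they become an empty string.
        $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmdline -match 'pcalua\.exe' -or $cmdline -match '\\AppData\\Local\\Temp\\') {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                State   = $task.State
                Command = $cmdline
            }
        }
    }
}

if ($suspectTasks) { $suspectTasks | Format-List } else { Write-Output 'No matching scheduled tasks.' }
```

Compare any hit against the task GUID and command line FRST reported; an entry you did not create, or one still present days after the installer it belongs to has finished, is what the fixlist removes.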

Thanks for the reply! Glad to hear that, calms my nerves.

Before I continue doing that, some questions:

As for the CMD starting on root C:\, that's my doing. I prefer having CMD start at good old fashioned C:\ root when I open it. Does that mean that, if I want to keep it working that way, I can leave the 1st line out?

What is the other line? Something Java, I assume - what exactly does that do? Just curious before I execute anything. =D
I know that pcalua.exe is the compatibility assistant, and last session, my Minecraft (Java-Edition) crashed for some reason a few minutes in, and had - according to my System event logs - some compatibility settings applied to it. Is that related, possibly?


If the CMD thing is something you did, then you can remove that line from the fix I posted.

The scheduled task is for the JRE installer that should not be present after installation of the Java update has finished.


Ah, thanks! My system's got an uptime of 9 days, currently. Did that possibly get added when installing the update to my Java Minecraft install 3 days ago, and would that be removed / cleaned up by doing a reboot on its own, which we may interfere with? If not, I'll just fire this line off if it has no business being there. ... ah hell, I may just do that anyways. =D

As for the samples - as my placeholder post above states, I was unable to upload them. How do I do that, for your team to have a crack at it (and possibly add the domain it came from to webguard blacklists)?


Alright, here we go, fired it up - log's attached.

And about those samples, where can I provide those, is it still needed? I just had Emsi flag the samples when I let it scan them. That's a file hash detection, correct?

Fixlog.txt


We are detecting this now. So, your samples should not be necessary.

If everything seems to be running properly the system should be fine.


Sweet, thanks very much!

Are you going to add the entire domain of the fake website from my original post to be blocked, too? Doing so would prevent any further variants of the same scheme from ever taking root. It is very clever and insidious, "hijacking" search engine results like that, as anyone not knowing better and just looking for files for whatever the <most recent version> of the game is, is bound to be directed to this fake website instead of the real one. Having that blocked right there would be a big win.
