cybertr0nian (Posted October 14)

Hi, I'm cybertr0nian. This is my first post here; I read the forum rules, and I still hope I understood them correctly. It's going to be a long one, bear with me. :)

I'm a cybersecurity enthusiast trying to switch careers and get into cybersecurity, so I've put a lot of effort into building my knowledge (made a lot of progress, but still ongoing) and learning new things. I hope there are some really experienced people here who may share a little bit of their perspective. I have a healthy level of paranoia when it comes to cybersecurity; I know we have to stay mindful of false positives and the like and not jump to conclusions. Still, I'm posting this to share my thought process, and perhaps you can help me verify whether my thoughts are correct here.

Background of the issue

I seldom play online games these days, usually on a cloud system separate from my main system. I was trying to be social for once ;) as a friend invited me to play a game online, yet my steering wheel was not recognized by my cloud VM. Usually it is, but this time it malfunctioned (not correctly forwarding the drivers), and it was taking too long, so I thought, okay, for once I'll install on my local machine. So I installed Steam and the game Assetto Corsa (an old racing simulator several friends play; it has forgiving system requirements). My friend told me there is a mod that's really useful; he and all the other guys are using it constantly to improve the graphics and add in-game content. I'm familiar with playing modded games from back in my high school days, so I thought, okay, why not, even though I'm usually skeptical of deviating from the source game due to security considerations. So I downloaded the Assetto Corsa "Content Manager", an executable file. I scanned it thoroughly with ESET Internet Security 17.2.8.0 and Malwarebytes Premium. No issues were detected. So far so good.

The Content Manager seemed to work fine and made the game run more efficiently (skipping unnecessary credits etc.).

So what happened then?

While running and interacting with Content Manager, all of a sudden I got several popups showing up (ESET was set to Balanced detection & protection settings at the time); see the images I attached below. I'm aware of course that you guys can't support Malwarebytes, but I'm adding it for reference so you see that not just ESET but both endpoint protections are noticing malicious/abnormal behavior here, adding to my hypothesis that this is malicious. I investigated further into the IP addresses it seems to connect to. I haven't done them all yet, but at least the one ESET found appears to be malicious according to VirusTotal. See below. Furthermore, the IP addresses Malwarebytes found seem to connect to Tencent Cloud Computing and appear to connect to a command & control server! That report of it being a C2 server is from July 2024, so fairly recent this year! What the heck. I just wanted to play a stupid game..

What else happened?

As you can imagine, at this point I was beginning to feel mildly uneasy. I checked the Task Manager for strange processes and was shocked to see that, while I NEVER use Microsoft Edge, there were 7 Edge processes running all of a sudden. As time progressed (~10 minutes) this increased to 24 processes; see image below. What the heck?

How did I remediate?

Fortunately I always run a backup every so many days.

1. The first thing I did was delete Content Manager.exe (it was the only file), as well as the entire Steam folder. I also disconnected the internet connection.
2. I scanned the entire system at this point, both with ESET and Malwarebytes with aggressive detection settings. But everything seemed to be okay, no detections.
3. I assumed, as there only seem to have been connections made outwards (which were blocked by ESET and Malwarebytes), that there is likely no malware present. Still, that Edge process thing remains weird.
4. So to be sure I wiped my C:\ drive, did a full disk encryption and then wiped it again. So absolutely nothing remains, as it is encrypted and the encryption keys are then deleted. I also have a second drive, but I think this case refers to a Trojan, and I believe they can't self-replicate like a virus does (correct me if I'm wrong, but the lack of detections suggests that the executable was the main file doing the connecting).
5. I restored the C drive from a state weeks back and everything is running smoothly again with minimal loss of data. The Edge process thing has not reoccurred.

My question to you is: is my reasoning correct here? At first I thought false positive, but I still thought let's investigate.. And then all the above showed up. Thanks for reading this far and for your thoughts on this matter. Have a great day!

--Cybertr0nian
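A triage pass for the two observations in the post above (the unexpected Edge processes and the blocked outbound connections), as an added example that is not part of the original post and is not ESET or Malwarebytes tooling. It uses only built-in Windows PowerShell cmdlets and is read-only. The process name (msedge) and the autostart locations it lists are my assumptions about where to look, not facts from the thread. For each Edge process it records the parent process, the command line and the established remote endpoints, then lists Run/RunOnce entries and non-Microsoft scheduled tasks, so "did the mod launch these, and did anything persist?" is answered from data rather than from the Task Manager count alone. One caveat worth knowing before reading the output: Edge's "Startup boost" and "continue running background extensions and apps" settings keep msedge.exe processes alive on a machine whose user never opens the browser, so the count by itself is not evidence; a parent that is a third-party executable, or an unusual command line, is what separates that benign case from a process spawned by something else.

```powershell
# Added triage example (not from the original post). Run in an elevated PowerShell
# on the affected machine; everything here is read-only.
param(
    # Assumed process name; adjust to whatever looked out of place.
    [string]$ProcessName = 'msedge'
)

function Get-ProcessTriage {
    param([string]$Name)
    # Win32_Process exposes ParentProcessId and CommandLine, which Task Manager hides.
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($proc in ($all | Where-Object { $_.Name -ieq "$Name.exe" })) {
        $parent = $byPid[[int]$proc.ParentProcessId]
        # Established TCP connections owned by this PID (Get-NetTCPConnection needs Windows 8 / 2012 or later).
        $remotes = Get-NetTCPConnection -OwningProcess $proc.ProcessId -State Established -ErrorAction SilentlyContinue |
                   ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }
        [pscustomobject]@{
            Pid         = $proc.ProcessId
            ParentPid   = $proc.ParentProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            Path        = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            Remotes     = ($remotes -join ', ')
        }
    }
}

function Get-AutostartTriage {
    # Run/RunOnce keys for the machine and the current user, plus scheduled tasks outside \Microsoft\.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties the provider adds.
            if ($p.Name -notmatch '^PS') {
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        [pscustomobject]@{
            Source  = 'ScheduledTask ' + $_.TaskPath
            Name    = $_.TaskName
            Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

Write-Host "== $ProcessName processes, their parents and established connections =="
Get-ProcessTriage -Name $ProcessName | Format-Table -AutoSize -Wrap

Write-Host '== Autostart entries (look for the mod path or an unfamiliar command) =='
Get-AutostartTriage | Format-Table -AutoSize -Wrap
```

Reading the result: an Edge launched by the user has explorer.exe as its parent and its helper processes have msedge.exe as theirs; a parent that has already exited, or that is the downloaded executable, is the line worth taking to a forum post together with the command line. The Remotes column gives the IP:port pairs to compare against whatever ESET and Malwarebytes reported, and the autostart listing is what a clean full scan does not tell you on its own.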
cybertr0nian (Posted October 15, author)

Any ideas or feedback from anyone on what you think could be going on here?
itman (Posted October 15, edited)

On 10/14/2024 at 5:28 PM, cybertr0nian said: "So I downloaded the Assetto Corsa 'Content Manager', an executable file."

CrowdStrike Falcon dynamic sandbox analysis finds the downloaded zip archive malicious with a 100/100 confidence factor: https://www.hybrid-analysis.com/sample/19b973dc9840eb085b625412174bbc674669f46e436e6b658e9e46e4eaaf0c89 . Content Manager.exe is the malicious object: https://www.hybrid-analysis.com/sample/2367612db7c754bf4f07a0f71188c0cc7ed0e39bef12b7dc3f4af3d0b3ec5bd4 .

Edited October 15 by itman
daniel keith (Posted October 19)

On 10/16/2024 at 7:35 AM, itman said: "CrowdStrike Falcon dynamic sandbox analysis finds the downloaded zip archive malicious with a 100/100 confidence factor: https://www.hybrid-analysis.com/sample/19b973dc9840eb085b625412174bbc674669f46e436e6b658e9e46e4eaaf0c89 . Content Manager.exe is the malicious object: https://www.hybrid-analysis.com/sample/2367612db7c754bf4f07a0f71188c0cc7ed0e39bef12b7dc3f4af3d0b3ec5bd4 ."

https://www.virustotal.com/gui/file/2367612db7c754bf4f07a0f71188c0cc7ed0e39bef12b7dc3f4af3d0b3ec5bd4

That file looks clean.
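The two replies above give opposite verdicts on the same SHA-256 (Hybrid Analysis flags 2367612d...5bd4 as malicious, VirusTotal shows it clean). Before weighing verdicts, the check a practitioner wants is whether the file actually on disk is the sample those reports describe. The script below is an added example, not posted by any participant in this thread: it hashes a local copy, compares the digest with the two SHA-256 values quoted above, reads the NTFS Zone.Identifier stream that browsers write on download (the mark-of-the-web, which for most browsers includes the source URL) and reports the Authenticode status. The file location is an assumption.

```powershell
# Added example (not from the thread): tie a local file to the hashes quoted in the replies.
param(
    # Assumed location of the downloaded file; adjust to where it was saved.
    [string]$Path = "$env:USERPROFILE\Downloads\Content Manager.exe"
)

# SHA-256 values exactly as posted in the thread (Hybrid Analysis / VirusTotal links).
$KnownSamples = @{
    '19b973dc9840eb085b625412174bbc674669f46e436e6b658e9e46e4eaaf0c89' = 'zip archive analysed by Hybrid Analysis'
    '2367612db7c754bf4f07a0f71188c0cc7ed0e39bef12b7dc3f4af3d0b3ec5bd4' = 'Content Manager.exe (Hybrid Analysis and VirusTotal)'
}

function Get-SampleIdentity {
    param([Parameter(Mandatory)][string]$FilePath)
    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }
    $item = Get-Item -LiteralPath $FilePath
    $sha  = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash.ToLowerInvariant()

    # Zone.Identifier is the alternate data stream a browser writes on download.
    # ZoneId=3 marks an Internet download; HostUrl (when present) is where it came from.
    $zone    = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    [pscustomobject]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        SHA256      = $sha
        MatchesPost = if ($KnownSamples.ContainsKey($sha)) { $KnownSamples[$sha] } else { 'no: not the file the linked reports analysed' }
        SourceUrl   = if ($hostUrl) { $hostUrl } else { '<no Zone.Identifier stream or no HostUrl>' }
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    }
}

Get-SampleIdentity -FilePath $Path | Format-List
```

If MatchesPost says "no", the sandbox and VirusTotal reports linked above describe a different file from the one on the machine, and its hash (not the quoted one) is what to submit. The SourceUrl line answers where the copy came from, which matters when a mod is mirrored on several sites, and an unsigned or HashMismatch status is a fact about the file that does not depend on any scanner's verdict.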