Denis S, posted November 5 (edited):

Hi ESET community, I wanted to share a suspicious behavior I've been tracking with ESET NOD32:

🔍 What's happening:
- About 1.5 months ago, I installed the Rave app for watching movies together.
- Since then, I've been getting daily ESET warnings about unwanted/malicious URLs.
- Each time different URLs.
- Tried full system scans with 3 different antiviruses - nothing detected.
- While I'm not actively using Rave anymore, I discovered it runs at startup and works in the background constantly.

🛠️ Investigation:
Since ESET doesn't show which process makes these connections (maybe there is a way to check this in ESET, but I didn't find it, so it was easier to write a script), I wrote a Python script to monitor outgoing connections. It finally caught the culprit - rave.exe making a connection to kaminari.systems (31.220.27.154).

⚠️ Suspicious behavior pattern:
- Process: rave.exe (from the Rave official website - watch together app)
- Runs automatically at Windows startup
- Stays active in the background even when not in use
- Frequency: ~1-5 suspicious connections per day (only those ESET detects; the real number could be higher)
- Different ad-related URLs each time
- Seems to be generating fake ad traffic for advertisers. Or even DDoS.

Has anyone else encountered similar behavior with the Rave app? This looks like they're secretly using users' computers for ad fraud operations. I can provide more details if needed.

P.S. Added a screenshot of the connection log showing network activity, including the connection to kaminari.systems (IP highlighted in yellow). The log shows rave.exe making multiple connections while running in the background, with the suspicious IP address (31.220.27.154) among them.

Edited November 5 by Denis S
Denis S (author), posted November 5:

18 minutes ago, Denis S said: [quotes the opening post above in full]

https://www.virustotal.com/gui/file/b790648effc782fe346eb293f3d9924f79e0ab80bd2c14055c0731ca41221ef2
Marcos (Administrators), posted November 5:

This forum is not a channel for reporting and analyzing malware. The file in question is ~150 MB in size, it's popular, and requires FFmpeg. Doesn't look like malware. You can, however, report it to ESET by following the instructions at https://support.eset.com/en/kb141.
itman, posted November 5 (edited):

Comodo gives one possible explanation for what you might have installed:

Quote:
What is Rave.exe?
Rave.exe is a legitimate process file popularly known as Corel Graphics Applications. It is associated with Corel Graphics Application, developed by Corel Corporation. It is located in C:\Program Files by default. Malware programmers write virus files with malicious scripts and save them as Rave.exe with an intention to spread viruses on the internet.
https://file-intelligence.comodo.com/windows-process-virus-malware/exe/Rave

Submit rave.exe to CrowdStrike for a malware scan: https://www.hybrid-analysis.com/

Edited November 5 by itman
Denis S (author), posted November 5:

As mentioned, Rave was installed from the official website. I've attached the ESET event log. As you can see, some URLs contain offer_id and affiliate_id parameters, which indicates traffic arbitrage activities by Rave for monetization purposes. All these events were recorded while Rave was running in the background, and as I said, I haven't been using it during this period.

Moreover, considering there haven't been any detections during all this time despite the large user base, uploading it to https://www.hybrid-analysis.com/ probably won't change the situation. These URL connections are quite rare, and it's unlikely that such behavior would occur during the exact moment of analysis.

P.S. The app's popularity doesn't exclude the possibility of such "grey" monetization practices by this service.

Sample of ESET detection log (last 2 months):

1. Advertising/tracking domains:
- nonstopoffers.live (Multiple hits, PUA blacklist)
- feed.rexadvert.xyz (PUA blacklist)
- cpmrevenuegate.com (Anti-Phishing blacklist)
- excitedgiraffe.cc (Internal blacklist)
- s.pemsrv.com (PUA blacklist)
- phgotof1.com (PUA blacklist)
- kaminari.systems (PUA blacklist)

2. Example of traffic arbitrage URL pattern:
hxxp://redirect.appleads-trk.com/clk.php?offer_id=44623699&aff_id=2748&aff_sub1=6729f13485b5a60001d886ab&source_id=35...

3. Key observations:
- All connections initiated by: C:\Users\...\Programs\rave-desktop\Rave.exe
- Status: All blocked by ESET
- Detection types: PUA blacklist, Anti-Phishing blacklist, Internal blacklist
- Timing: Connections occur at random intervals throughout the day
- Multiple different domains but similar behavior pattern

Attachment: filtered_records.txt
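The two investigative steps described in this thread (the opening post's per-process connection monitoring, and the triage of blocked URLs with affiliate parameters in the post above) can be combined into one small defender-side tool. The following is an added example, not ESET's code and not the poster's script. It does not reproduce ESET's log format; instead it builds detection records explicitly from the domains and the clk.php query string quoted in the thread (user name and the second process path are constructed). The live snapshot function relies on the third-party psutil package, which is assumed to be installed; everything else is standard library.

```python
"""Per-process triage of URL-filter detections plus a live outbound-connection
snapshot. Added example for this thread: not ESET's code, not the poster's script.
Sample records below are constructed from the URLs quoted in the thread."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Query-string keys typical of affiliate / traffic-arbitrage links. This set is an
# assumption derived from the clk.php URL quoted in the thread, not a fixed standard.
AFFILIATE_PARAMS = {"offer_id", "aff_id", "aff_sub1", "source_id", "affiliate_id"}


@dataclass(frozen=True)
class Detection:
    process: str    # image path that initiated the blocked connection
    url: str        # blocked URL, optionally defanged (hxxp:// / hxxps://)
    category: str   # e.g. "PUA blacklist", "Anti-Phishing blacklist"


def refang(url: str) -> str:
    """Turn the defanged hxxp:// and hxxps:// forms back into parseable URLs."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def affiliate_params(url: str) -> dict:
    """Return the affiliate-tracking parameters present in a URL (first value of each)."""
    query = parse_qs(urlsplit(refang(url)).query)
    return {k: v[0] for k, v in query.items() if k in AFFILIATE_PARAMS}


def triage(records) -> dict:
    """Group detections by initiating process: distinct blocked domains, a count per
    detection category, and how many blocked URLs carried affiliate parameters."""
    per_proc = defaultdict(lambda: {"domains": set(), "categories": Counter(), "affiliate_hits": 0})
    for rec in records:
        host = urlsplit(refang(rec.url)).hostname or "?"
        entry = per_proc[rec.process]
        entry["domains"].add(host)
        entry["categories"][rec.category] += 1
        if affiliate_params(rec.url):
            entry["affiliate_hits"] += 1
    return {p: {"domains": sorted(e["domains"]),
                "categories": dict(e["categories"]),
                "affiliate_hits": e["affiliate_hits"]} for p, e in per_proc.items()}


def suspicious_processes(summary: dict, min_domains: int = 3) -> list:
    """Processes worth a closer look: many distinct blocked domains, or any affiliate-style URL."""
    return sorted(p for p, e in summary.items()
                  if len(e["domains"]) >= min_domains or e["affiliate_hits"] > 0)


def snapshot_connections() -> list:
    """Live counterpart of the poster's monitoring script: (image path, remote ip, port)
    for every established connection. Uses psutil (third-party, assumed installed) and
    returns [] when it is missing so the rest of the module still works offline."""
    try:
        import psutil
    except ImportError:
        return []
    rows = []
    for conn in psutil.net_connections(kind="inet"):
        if conn.status != psutil.CONN_ESTABLISHED or not conn.raddr or conn.pid is None:
            continue
        try:
            image = psutil.Process(conn.pid).exe()
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            image = f"pid:{conn.pid}"
        rows.append((image, conn.raddr.ip, conn.raddr.port))
    return rows


# Path pattern from the thread with a constructed user name; OTHER is a constructed second process.
RAVE = r"C:\Users\example\AppData\Local\Programs\rave-desktop\Rave.exe"
OTHER = r"C:\Program Files\ExampleBrowser\browser.exe"

# Constructed sample records; domains and the clk.php query string are the ones quoted in the thread.
SAMPLE = [
    Detection(RAVE, "hxxp://redirect.appleads-trk.com/clk.php?offer_id=44623699&aff_id=2748"
                    "&aff_sub1=6729f13485b5a60001d886ab&source_id=35", "Internal blacklist"),
    Detection(RAVE, "hxxp://nonstopoffers.live/", "PUA blacklist"),
    Detection(RAVE, "hxxp://nonstopoffers.live/landing", "PUA blacklist"),
    Detection(RAVE, "hxxp://kaminari.systems/", "PUA blacklist"),
    Detection(OTHER, "hxxps://cpmrevenuegate.com/", "Anti-Phishing blacklist"),
]

if __name__ == "__main__":
    summary = triage(SAMPLE)
    for proc in suspicious_processes(summary):
        print(proc, summary[proc])
    for image, ip, port in snapshot_connections():
        print(f"{image} -> {ip}:{port}")
```

The triage half works on any list of (process, URL, category) records, so a real ESET "Filtered websites" export can be fed in once it is parsed into Detection objects; the thresholds in suspicious_processes are deliberately simple and exist to rank processes for manual review, not to declare anything malicious.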
itman, posted November 5:

Refer to this Reddit posting: https://www.reddit.com/r/RaveApp/comments/1f3vg2z/malware_on_rave/

Eset is not the only AV vendor detecting malware/suspect network activity from it. If you still believe rave.exe is safe, you can create an Eset detection exclusion for it.