Posted (edited)

Hi ESET community,

I wanted to share a suspicious behavior I've been tracking with ESET NOD32:

🔍 What's happening:

  • About 1.5 months ago, I installed Rave app for watching movies together
  • Since then, getting daily ESET warnings about unwanted/malicious URLs
  • Each time different URLs
  • Tried full system scans with 3 different antiviruses - nothing detected
  • While I'm not actively using Rave anymore, discovered it runs at startup and works in background constantly

🛠️ Investigation: Since ESET doesn't show which process makes these connections (maybe there is a way to check this in ESET, but I didn't find it, so it was easier to write a script), I wrote a Python script to monitor outgoing connections. It finally caught the culprit - rave.exe making connection to kaminari.systems (31.220.27.154).

⚠️ Suspicious behavior pattern:

  • Process: rave.exe (from Rave official website - watch together app)
  • Runs automatically at Windows startup
  • Stays active in background even when not in use
  • Frequency: ~1-5 suspicious connections per day (only those ESET detects, real number could be higher)
  • Different ad-related URLs each time
  • Seems to be generating fake ad traffic for advertisers. Or even ddos.

Has anyone else encountered similar behavior with Rave app? This looks like they're secretly using users' computers for ad fraud operations.

I can provide more details if needed.

P.S. Added a screenshot of the connection log showing network activity, including the connection to kaminari.systems (IP highlighted in yellow). The log shows rave.exe making multiple connections while running in the background, with the suspicious IP address (31.220.27.154) among them.

Edited by Denis S
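The poster's approach of attributing outbound connections to their owning process is the right first step when an AV alert names only a URL. The script below is an added example, not the poster's script: it polls the socket table, reports each (process, remote endpoint) pair the first time it appears, and flags endpoints on a watchlist. Live collection assumes the third-party `psutil` package (`psutil.net_connections` and `psutil.Process().name()`); the diff and watchlist helpers are pure Python and are shown running over constructed sample records. The only real address in the sample is the one named in the post; the rest are RFC 5737 documentation addresses.

```python
"""Per-process outbound connection monitor (added example, not the poster's script).

Polls the socket table, attributes every remote endpoint to its owning
process, reports endpoints not seen before, and flags any that are on a
watchlist. Live collection assumes the third-party `psutil` package; the
diff and watchlist helpers are pure Python and run on constructed records.
"""
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Endpoint = Tuple[str, int]   # (remote_ip, remote_port)
Key = Tuple[str, Endpoint]   # (process_name, endpoint)


@dataclass(frozen=True)
class ConnRecord:
    pid: int
    process: str
    remote: Endpoint


def snapshot_connections() -> List[ConnRecord]:
    """Collect sockets that have a remote peer, with the owning process name.

    Assumption: psutil is installed (psutil.net_connections(kind="inet") and
    psutil.Process(pid).name() are real psutil APIs). Run elevated on Windows,
    otherwise the PID of other users' sockets is not reported.
    """
    import psutil  # imported lazily so the pure helpers below work without it

    records: List[ConnRecord] = []
    for conn in psutil.net_connections(kind="inet"):
        if not conn.raddr or conn.pid is None:
            continue  # listening socket, or no owner visible to this user
        try:
            name = psutil.Process(conn.pid).name()
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            name = "<unknown>"
        records.append(ConnRecord(conn.pid, name, (conn.raddr.ip, conn.raddr.port)))
    return records


def new_endpoints(seen: Set[Key], current: Iterable[ConnRecord]) -> List[ConnRecord]:
    """Return records whose (process, remote endpoint) pair is not yet in `seen`.

    `seen` is updated in place, so the next poll only reports genuinely new pairs.
    """
    fresh: List[ConnRecord] = []
    for rec in current:
        key: Key = (rec.process, rec.remote)
        if key not in seen:
            seen.add(key)
            fresh.append(rec)
    return fresh


def flag_watchlist(records: Iterable[ConnRecord], watch_ips: Set[str]) -> Dict[str, List[str]]:
    """Map process name -> watch-listed remote IPs it contacted (no duplicates)."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        ip = rec.remote[0]
        if ip in watch_ips and ip not in hits.setdefault(rec.process, []):
            hits[rec.process].append(ip)
    return hits


def monitor(watch_ips: Set[str], interval: float = 5.0, rounds: int = 0) -> None:
    """Poll until interrupted (rounds=0) or for a fixed number of rounds."""
    seen: Set[Key] = set()
    done = 0
    while rounds == 0 or done < rounds:
        fresh = new_endpoints(seen, snapshot_connections())
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        for rec in fresh:
            print(f"{stamp} pid={rec.pid} {rec.process} -> {rec.remote[0]}:{rec.remote[1]}")
        for proc, ips in flag_watchlist(fresh, watch_ips).items():
            print(f"{stamp} WATCHLIST {proc} contacted {', '.join(ips)}")
        done += 1
        time.sleep(interval)


# Constructed sample records (not captured from a real host). The first IP is
# the one named in the post; the others are RFC 5737 documentation addresses.
SAMPLE_RECORDS = [
    ConnRecord(4120, "rave.exe", ("31.220.27.154", 443)),
    ConnRecord(4120, "rave.exe", ("203.0.113.10", 443)),
    ConnRecord(880, "svchost.exe", ("198.51.100.5", 80)),
]

if __name__ == "__main__":
    monitor({"31.220.27.154"})
```

Polling misses short-lived connections that open and close between two snapshots, so for a process that phones home only a few times a day this is a useful complement to, not a replacement for, the AV's own URL log; matching the timestamps it prints against the AV alerts is what ties a blocked URL to a process.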
Posted
18 minutes ago, Denis S said:

https://www.virustotal.com/gui/file/b790648effc782fe346eb293f3d9924f79e0ab80bd2c14055c0731ca41221ef2

  • Administrators
Posted

This forum is not a channel for reporting and analyzing malware. The file in question is ~150MB in size, it's popular, and requires FFmpeg. Doesn't look like malware. You can, however, report it to ESET by following the instructions at https://support.eset.com/en/kb141.

Posted (edited)

Comodo gives one possible explanation for what you might have installed:

Quote

What is Rave.exe ?

Rave.exe is a legitimate process file popularly known as Corel Graphics Applications. It is associated with Corel Graphics Application, developed by Corel Corporation. It is located in C:\Program Files by default.

Malware programmers write virus files with malicious scripts and save them as Rave.exe with the intention of spreading viruses on the internet.

https://file-intelligence.comodo.com/windows-process-virus-malware/exe/Rave

Submit rave.exe to CrowdStrike for a malware scan: https://www.hybrid-analysis.com/ .

Edited by itman
Posted

As mentioned, Rave was installed from the official website. I've attached the ESET event log. As you can see, some URLs contain offer_id and affiliate_id parameters, which indicates traffic arbitrage activities by Rave for monetization purposes. All these events were recorded while Rave was running in the background, and as I said, I haven't been using it during this period.

Moreover, considering there haven't been any detections during all this time despite the large user base, uploading it to https://www.hybrid-analysis.com/ probably won't change the situation. These URL connections are quite rare, and it's unlikely that such behavior would occur during the exact moment of analysis.

P.S. The app's popularity doesn't exclude the possibility of such "grey" monetization practices by this service.


Sample of ESET detection log (last 2 months):

1. Advertising/tracking domains:
- nonstopoffers.live (Multiple hits, PUA blacklist)
- feed.rexadvert.xyz (PUA blacklist)
- cpmrevenuegate.com (Anti-Phishing blacklist)
- excitedgiraffe.cc (Internal blacklist)
- s.pemsrv.com (PUA blacklist)
- phgotof1.com (PUA blacklist)
- kaminari.systems (PUA blacklist)

2. Example of traffic arbitrage URL pattern:
hxxp://redirect.appleads-trk.com/clk.php?offer_id=44623699&aff_id=2748&aff_sub1=6729f13485b5a60001d886ab&source_id=35...

3. Key observations:
- All connections initiated by: C:\Users\...\Programs\rave-desktop\Rave.exe
- Status: All blocked by ESET
- Detection types: PUA blacklist, Anti-Phishing blacklist, Internal blacklist
- Timing: Connections occur at random intervals throughout the day
- Multiple different domains but similar behavior pattern

filtered_records.txt
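The tell-tale in the log above is not the domains themselves but the `offer_id` / `aff_id` / `aff_sub1` / `source_id` parameters in the blocked URLs. The script below is an added example (not ESET's or the poster's code) that takes records shaped like the poster's summary (initiating process, blocked URL, detection category), re-fangs `hxxp://` URLs, pulls out those affiliate-tracking parameters, and summarises per domain how often it was hit and whether any URL carried the offer-plus-affiliate pairing. The sample records are constructed: the domains and categories are the ones listed in the post, but the query-string values are placeholders and the `redirect.example.invalid` host is made up for the example.

```python
"""Classify blocked URLs from an AV detection log (added example, not ESET's or the poster's code).

Records are constructed in the shape of the poster's summary: initiating
process path, blocked URL (possibly defanged as hxxp://), and the detection
category. The code extracts affiliate-tracking query parameters and builds a
per-domain summary.
"""
from typing import Dict, List, NamedTuple
from urllib.parse import parse_qs, urlsplit

# Parameter names the post points to as affiliate / traffic-arbitrage markers.
AFFILIATE_KEYS = {"offer_id", "aff_id", "affiliate_id", "source_id"}


class Detection(NamedTuple):
    process: str    # path of the process that initiated the connection
    url: str        # blocked URL, possibly defanged with hxxp://
    category: str   # detection category reported by the AV


def refang(url: str) -> str:
    """Undo hxxp/hxxps defanging so the URL can be parsed."""
    lowered = url.lower()
    if lowered.startswith("hxxp://"):
        return "http://" + url[7:]
    if lowered.startswith("hxxps://"):
        return "https://" + url[8:]
    return url


def affiliate_markers(url: str) -> List[str]:
    """Sorted affiliate-tracking parameter names present in the URL's query string."""
    query = parse_qs(urlsplit(refang(url)).query, keep_blank_values=True)
    return sorted(k for k in query if k in AFFILIATE_KEYS or k.startswith("aff_sub"))


def is_arbitrage_url(url: str) -> bool:
    """An offer id together with an affiliate id is the pairing the post describes."""
    markers = set(affiliate_markers(url))
    return "offer_id" in markers and bool(markers & {"aff_id", "affiliate_id"})


def summarize(records: List[Detection]) -> Dict[str, dict]:
    """Per-domain summary: hit count, detection categories, processes, arbitrage flag."""
    out: Dict[str, dict] = {}
    for rec in records:
        host = urlsplit(refang(rec.url)).hostname or "<none>"
        entry = out.setdefault(
            host, {"hits": 0, "categories": set(), "processes": set(), "arbitrage": False}
        )
        entry["hits"] += 1
        entry["categories"].add(rec.category)
        entry["processes"].add(rec.process)
        entry["arbitrage"] = entry["arbitrage"] or is_arbitrage_url(rec.url)
    return out


# Constructed records: domains and categories are the ones listed in the post;
# query values are placeholders and redirect.example.invalid is a made-up host.
RAVE_EXE = r"C:\Users\...\Programs\rave-desktop\Rave.exe"
SAMPLE_LOG = [
    Detection(RAVE_EXE, "hxxp://nonstopoffers.live/", "PUA blacklist"),
    Detection(RAVE_EXE, "hxxp://nonstopoffers.live/?x=1", "PUA blacklist"),
    Detection(RAVE_EXE,
              "hxxp://redirect.example.invalid/clk.php?offer_id=1&aff_id=2&aff_sub1=abc&source_id=3",
              "PUA blacklist"),
    Detection(RAVE_EXE, "hxxp://cpmrevenuegate.com/", "Anti-Phishing blacklist"),
    Detection(RAVE_EXE, "hxxp://kaminari.systems/", "PUA blacklist"),
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        flag = "ARBITRAGE" if info["arbitrage"] else ""
        print(f"{host:30} hits={info['hits']} {sorted(info['categories'])} {flag}")
```

Running it over a real export of the detection log (one record per blocked URL) gives a per-domain table that separates domains only ever hit with bare redirector URLs from those carrying offer/affiliate pairs, which is the distinction that matters when deciding whether the traffic looks like monetised redirects rather than ordinary ad loading.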
