(Photo source: Pony Strike: Global Offense)

We recently found Counter-Strike: Global Offensive (CS:GO) hacks for macOS that are also a trojan which mines cryptocurrencies without user consent. According to VirusTotal Retrohunt, the threat has been in the wild since the beginning of July 2017.

Warning: at the time of this writing, all URLs are live.

Vlone.cc

The entry point is the portal, where a user can, and for free, the hack installer. The domain name was registered through eNom on April 14th, 2017 and resolves to an address at Namecheap:

$ dig vlone.cc +short
198.54.115.80
$ dig -x 198.54.115.80 +short
server205-2.web-hosting.com.

The HTTPS certificate was issued by COMODO PositiveSSL on June 27th, 2017.

When logged in, members can browse the page and purchase a premium subscription for 1, 3 or 6 months through:

Members download the same free-installer archive as guests:

$ curl -s | shasum -a 256
b1bdb45582f72ad3c86de3dcfa0b3a5f008cb5a018fe -
$ curl -s -G -d user=1234 -d free | shasum -a 256
b1bdb45582f72ad3c86de3dcfa0b3a5f008cb5a018fe -

Judging from the user GET query value, the member count on August 22nd, 2017 was nearly two thousand. We don't know whether the private installer of the hack also installs the mining software without user consent.

Binaries analysis

It's all C++ Standard Library code. Network connections use the secure HTTPS protocol. All executables except the miner CLI require super-user privileges, so the user must run the installer with sudo:

$ ./vHook
Root access required!
Please type 'sudo ./vhook'

The main binary disguises itself as a component of an online document scanning platform.

vHook

vHook is the installer. It is packed with UPX, probably to hinder user analysis and bypass some security products. It is a command line interface:

$ sudo ./vHook
[vlone] vHook public
[vlone] Username: USERNAME
[vlone] Password: PASSWORD
[vlone] Welcome to vHook Public, USERNAME!
[vlone] Downloading vHook assets.
[vlone] Inflating vHook assets.
[vlone] CS:GO is not running!
[vlone] Cleaning up.
[vlone] Quitting.

With a valid member account, it downloads assets.zip and extracts bootstrap.dylib and vhook.dylib from it to /Library/Application Support/:

$ curl -s -G -d username=USERNAME -d password=PASSWORD -d free | xxd -l
00000000: 504b 0304 1400 0000 0800 8696 c14a 9c2e  PK...........J..
00000010: 55c2 b606 0000 1827 0000 0f00 1c00 626f  U......'......bo
00000020: 6f74 7374 7261 702e 6479 6c69 6255 5409  otstrap.dylibUT.
00000030: 0003 9cb9 2f59 d339 8059 7578 0b00 0104  ..../Y.9.Yux....

It loads bootstrap.dylib from the project.

If Counter-Strike: Global Offensive is running, it downloads and extracts some fonts (as vlone.zip, to /Library/Fonts/) and injects vhook.dylib into the csgo_osx64 process. It could be a perfect deal for a CS:GO user, but it turns out vHook also sneakily downloads fonts.zip, extracts it to /var/, changes directory to /var and runs sudo ./helper &. It then kills the Terminal application to hide the output of the detached process.

Helper

helper is the dropper that downloads the miner. It is also packed with UPX. It first asks the C&C server for the name of the binary to execute after download:

$ curl -F command=newfile
com.dynamsoft.webhelper

It downloads the archive as /b.zip, extracts its contents to /var/.log/, changes directory to /var/.log/ and runs sudo ./com.dynamsoft.WebHelper &.
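As an added example, not part of the original write-up, here is a small triage script a defender could run on a Mac to look for the drop paths and root-launched process names the analysis above describes. The file paths and process names are the ones named in this post; the script itself, its root-prefix parameter (so it can also be pointed at a mounted disk image) and the ps-based process check are assumptions about how one would check a host.

```python
"""Host triage for the vHook / helper / com.dynamsoft.WebHelper artifacts."""
import hashlib
import os
import subprocess

# Drop locations from the analysis, relative to the filesystem root.
DROP_PATHS = [
    "Library/Application Support/bootstrap.dylib",
    "Library/Application Support/vhook.dylib",
    "var/helper",
    "var/.log/com.dynamsoft.WebHelper",
]

# Binaries the installer launches with "sudo ./<name> &". "helper" is a common
# name, so a hit on it should be confirmed (e.g. its cwd should be /var).
SUSPECT_NAMES = ("helper", "com.dynamsoft.WebHelper")


def find_dropped_files(root="/"):
    """Return the drop paths that exist under root (root is a parameter so the
    same check works on a live system or a mounted image)."""
    return [os.path.join(root, rel) for rel in DROP_PATHS
            if os.path.exists(os.path.join(root, rel))]


def sha256_file(path):
    """Hash a found file so it can be looked up on VirusTotal or similar."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspect_processes(ps_lines):
    """Given lines from `ps -axo pid,command`, return (pid, name) pairs whose
    argv[0] basename (after an optional leading sudo) is a suspect name."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header line or malformed row
        argv = parts[1].split()
        if argv and argv[0] == "sudo":
            argv = argv[1:]
        if argv and os.path.basename(argv[0]) in SUSPECT_NAMES:
            hits.append((int(parts[0]), os.path.basename(argv[0])))
    return hits


if __name__ == "__main__":
    for path in find_dropped_files():
        print("dropped file:", path, sha256_file(path))
    ps_out = subprocess.run(["ps", "-axo", "pid,command"],
                            capture_output=True, text=True).stdout
    for pid, name in find_suspect_processes(ps_out.splitlines()):
        print("suspect root-launched process:", pid, name)
```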