DEV Community: Oggetto

FiveM RAT Analysis

Oggetto — Sun, 11 Aug 2024 09:37:01 +0000

Analyzing the FiveM RAT: A Comprehensive Overview

Introduction

A few months ago, I published a repository detailing the analysis of a Remote Access Trojan (RAT) discovered in multiple FiveM server resources so I decided to make a blog post about that.

Warning: The code discussed in this post is malicious and should not be used under any circumstances. This analysis is provided strictly for educational purposes.

RAT Features

Remote Code Execution (RCE)

The RAT operates through multiple stages:

Stage 1: Downloads the second stage from a remote server.
Stage 2: Continues by fetching the third stage from the server.
Stage 3: Retrieves the fourth stage, maintaining the infection process.
Stage 4: Establishes a persistent connection with the remote server, awaiting further commands.

Between Script Communication (BSC)

The RAT also registers handlers for events triggered by other RAT instances, allowing it to bypass detection by communicating between scripts.

Additional Findings

During a deeper investigation into an infected VPS, I discovered that the hosts file had been modified to block access to many common antivirus websites. This was likely done to prevent the server from being scanned and detected by antivirus software.

Prevention Strategies

To protect your server from such threats, consider the following measures:

Avoid Downloading Leaked Resources: Only use trusted sources for server resources.
Keep Your Server Updated: Regular updates can patch vulnerabilities that may be exploited by attackers.
Implement a Firewall: A firewall can block unauthorized access to your server.
Use a Web Application Firewall (WAF): WAFs provide an additional layer of protection for web applications.
Install Reliable Antivirus Software: Ensure your server is equipped with strong antivirus protection.
Monitor for Suspicious Activity: Regularly check your server for any unusual behavior.
Review Your Resources: Periodically inspect the code in your resources for any suspicious modifications.

Mitigation Measures

After identifying the RAT, I implemented several mitigation steps:

IP Blocking: I added the IP address of the malicious server to the firewall blacklist, cutting off communication with the RAT's host.
Domain Blocking: The RAT's domain was blocked in the hosts file, preventing it from communicating with the remote server even if the IP address was changed.
Code Removal: The malicious code was deleted from the affected resources, and the server was restarted to halt further execution.

Recent Developments

March 28, 2024: The first instance of this RAT was discovered.
March 29, 2024: A second instance was found, using a different domain for its backdoor: thedreamoffivem[.]com

By staying vigilant and employing strong security practices, you can help protect your FiveM server from similar threats.

Tables SUCK and this is WHY

Oggetto — Mon, 06 Nov 2023 22:22:42 +0000

Hi everyone after a WEEK of debugging code I found out that assigning a table to a variable in lua, js, ruby and many other languages creates a reference to the original table instead of creating a copy.

This means that every time you edit the new variable it actually edits the original table.

How can I create a copy? (Lua)

To actually create a copy you need to do this:

local myTable = {}
for k, v in pairs(myOtherTable) do
    myTable [k] = v
end

PS: Please note that this will create shallow copies, which means only the top-level elements will be copied. If the original table contains nested tables (subtables), those subtables will still be referenced by both the original and the copied table.

In my case

This occurs even when saving a subtable so even with something like local myTable = myOtherTable[a][b] will reference the table and not copy it

REMEMBER THIS, don't be like me and spend more than 10 hours on something as stupid as this.

Toggle God Mode in browsers

Oggetto — Sun, 10 Oct 2021 13:41:37 +0000

Instead of typing

document.designMode = "on"

document.designMode = "off"

in the console for every page you want to edit (like this)

You can create a bookmark to toggle it with just one click!

To make this it's easy:

Right click on your bookmark bar
Click add page
Name it whatever you want
And just paste this in the link section:

javascript:((d,o,m)=>{d[m]=d[m]!==o?o:"off"})(document,"on","designMode");