Malware Investigation - Cipher UPDATE 10/09

nit34byte

Chocolate CEO
Staff member
Administrator
Jun 20, 2021
935
129
1,390
localhost
www.lynxcollective.ltd
Dear community,

We got some news about Cipher Panel. Today we are going to expose everything we found about this group of h4xors

What/Who is Cipher?
Cipher is a group of French kids that released a paid service with a cheat/virus that can be injected or loaded remotely into vulnerable servers. attacking servers in exchange of money

What Cipher can do?
Cipher is able to access all of your server data, including server sided resources, database, server.cfg and Convars (rcon_password,steam_apikey,database password).


How their backdoor works?
It's pretty simple. They add their payload into cracked or leaked resources and wait for victims OR they abuses vulnerable resources such as vrp_basic_menu,esx_kashacters,runcode

Does ChocoHax protect me from this?
ChocoHax will include a dedicated scanner for vulnerable resources or backdoors on your server, you will be alerted if something is wrong on your server.

Our investigation:

We found Cipher backdoor in many many resources
You can be infected by downloading or purchasing resources from unauthorized resellers or leak discords.
To make their backdoor persistent they also inject a new backdoor in a different resource (as backup)

We found the vulnerability in a cracked and edited version of doors (We are not going to post the source code, credits to ModFreakz for the original resource) and in various default resources (chat,sessionmanager,rconlog,etc.)


Their backdoor looks like this : Pastebin > Backdoor

Explaination: The code above is going to call a native PerformHttpRequest on the url: https://cipher-panel.me/_i/r.php?to=0
Cipher Panel GET Request Link
Token (UserID of the cheater that infected your server)


The code above will Load the content of the GET Request Pastebin > Beautified

We deobfuscated the stuff we needed to understand what the backdoor does...
As you can see this file will send your server data, including
IP,RCON_PASSWORD,STEAM_APIKEY
Checking for your server type using started resources
and...
Accessing your database without any problem.

I hope FiveM and the big ones will take actions after our investigations and helps us to make this game better.