Modified FiveM Spoofer Targeting Gamers

Threat Actor Leveraging Discord Channel to Spread Malware

Cyble Research and Intelligence Labs (CRIL) continuously monitors phishing campaigns that distribute various malware families, including stealers and proxyware.

Recently, CRIL identified a malicious site, hxxps://cloud-spoofer[.]xyz, which redirects the user to a Discord server where the Threat Actor (TA) advertises a spoofer sold to get players unbanned from FiveM. FiveM is a modification project that allows gamers to play Grand Theft Auto V (GTA5) with custom multiplayer modes on customized dedicated servers.

Figure 1 – Malicious site redirects the user to a Discord server

FiveM typically bans a player for a period of time whenever that player is suspected of cheating. Some gamers use spoofer tools to get unbanned from the platform and continue playing.

Figure 2 – TA’s Discord server selling spoofer

The above image shows that this Discord server was created in September 2022. Since then, the TA has been selling Cloud Spoofer for 20-60 Euros, depending on the user's requirements. The TA lists the price details for Cloud Spoofer in the "prices" section, as shown in the figure below.

Figure 3 – Pricing list for Cloud Spoofer product

Additionally, while investigating the TA's Discord server, we observed that the TA is running a giveaway in which channel members have to create a YouTube or TikTok video that mentions the TA's Discord channel link in the video description. This is a clever way of promoting the Discord channel while maximizing the number of users exposed to the malware.

Figure 4 – Giveaway post on TA’s Discord server

Along with the giveaway, the TA also offers an "instant FiveM unban" and has posted a YouTube link in the verify section of the Discord channel. To avail of the offer, the user has to subscribe to the TA's YouTube channel, as shown in the figure below.

Figure 5 – TA offering instant unban FiveM

The TA has placed the free spoofer link in the YouTube video description, from which users can download it.

Figure 6 – Free spoofer link provided by TA on YouTube video description

After visiting the link from the description, the user is prompted to subscribe to the YouTube channel and like the video in order to unlock the download link, as shown in the figure below.

Figure 7 – Free spoofer site to get a download link

Once the user unlocks the download link, the site serves a .rar file named Fivem_Spoofer.rar. The downloaded RAR contains an .exe file named Cloud Free.exe, a modified spoofer that downloads malicious files from the following links:

  • hxxps://cloud-spoofer[.]xyz/AnyDesk.exe
  • hxxps://cloud-spoofer[.]xyz/GameOverlayUI.exe

Figure 8 – Free spoofer link downloading malware

Interestingly, multiple users have posted screenshots of their subscription to the YouTube channel to verify themselves for the instant FiveM unban after the TA's offer post. This indicates that the users who posted these screenshots may have fallen victim to this malware.

Figure 9 – Users shared screenshots of the subscribed YouTube channel

Technical Analysis

Our analysis indicates that the TA has modified the spoofer tool and added extra code to download malicious files from the remote server.

Upon execution, Cloud Free.exe shows the following UI, which lets the user choose among several tasks such as spoofer, cleaner, global ban, etc.

Figure 10 – Malware displays different choices to execute the task

While waiting for the user's choice, the modified spoofer silently downloads additional malware from the remote server in the background, saves it in the ProgramData directory, and executes it on the user's machine, as shown in the figure below.

Figure 11 – Modified spoofer silently installs other malware

When the victim enters a choice in the tool, it performs the corresponding task and, in parallel, downloads the malicious files, as shown in the figure below.

Figure 12 – Modified spoofer downloading malicious file after executing selected task

Our investigation shows that the modified spoofer downloads AsyncRAT malware from the URL hxxps://cloud-spoofer[.]xyz/AnyDesk.exe. AsyncRAT is a Remote Access Trojan (RAT) that allows TAs to control the victim's machine. Its functionality includes viewing and recording the victim's screen, capturing keystrokes, shutting down or restarting the machine, and uploading, downloading, and executing files.

The spoofer also downloads a stealer from the URL hxxps://cloud-spoofer[.]xyz/GameOverlayUI.exe, which steals sensitive browser data from the victim's machine.

Conclusion

The video game industry has been around for a very long time and has over 2 billion gamers worldwide. People in different countries choose gaming as a career and use different tools to play high-quality games. The growing number of gamers has attracted various malicious actors, who keep finding new ways to target gamers with different malware.

According to our research, the TA uses several tricks to promote and spread the malware disguised as a FiveM spoofer. The TA is targeting GTA5 players who use FiveM by distributing AsyncRAT and stealer malware. Gamers should be wary of such suspicious Discord servers and avoid downloading tools from untrusted sources.

Our Recommendations

  • Avoid downloading pirated software from unverified sites.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Change your passwords at regular intervals.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez sites.
  • Monitor beaconing at the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) solutions on employees' systems.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Collection | T1005 | Data from the Local System |
| Credential Access | T1555 | Credentials from Password Stores |
| Discovery | T1082 | System Information Discovery |
| Exfiltration | T1041 | Exfiltration Over C&C Channel |

Indicators of Compromise (IOCs)

| Indicators | Indicator Type | Description |
|---|---|---|
| f161af9b9caec7e99e85f924a4161514929b0b6ab176f66555cdb3274d5ca633 | SHA256 | Hash of the analyzed rar file |
| f3991147e742ba18a277f06900d3a9f73a471479 | SHA1 | Hash of the analyzed rar file |
| 2994e21b35be95d056130e28f2aaca4f | MD5 | Hash of the analyzed rar file |
| 205ed7d1eef37774c1b4499eec76b796f41edd256ac2e441afe3b0e144ef3f46 | SHA256 | Modified Spoofer Hash |
| ea52d2b743934c1d22d1994f98732ddc86001d3d | SHA1 | Modified Spoofer Hash |
| 7f4ec1579a0d3d05225226ad2321dcd3 | MD5 | Modified Spoofer Hash |
| 079b1480ebabfb06545ce9723616f8fd02640cca2ff2e300255509e28ae9db8b | SHA256 | AsyncRAT Malware Hash |
| a51a3c3aec182eb8cfd052eac0f56b31eaada03c | SHA1 | AsyncRAT Malware Hash |
| 67a7ebbc7c94ed3fbaad5cdac96a7997 | MD5 | AsyncRAT Malware Hash |
| b041a434b7700cdaa563c018c7d84e53a2f4ca98260518a15031dd44f65decd1 | SHA256 | Stealer Malware Hash |
| 54ef9f572a21698112107d1980c0a59fe68c4a16 | SHA1 | Stealer Malware Hash |
| f107bc215564928d5f76070f1686932b | MD5 | Stealer Malware Hash |
| hxxps://cloud-spoofer[.]xyz | URL | Malicious site |
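The following Python script is an added example written for this write-up; it is not Cyble's tooling. It turns the indicators above into two defender-side checks: it re-fangs the defanged domain and download URLs and scans proxy log lines for connections to the distribution site (flagging the two payload paths from the Technical Analysis section at higher severity than a bare site visit), and it triages process-creation records for the behaviour described above, i.e. executables launched from ProgramData, children of Cloud Free.exe, and files whose SHA256 matches the IOC table. The proxy log format, the field names of the process records, the client IPs and the file paths are constructed for the example; the hashes, domain and file names come from this page.

```python
import re
from urllib.parse import urlparse

# Indicators from the IOC table and the Technical Analysis section, kept defanged.
DEFANGED_DOMAIN = "cloud-spoofer[.]xyz"
DEFANGED_URLS = [
    "hxxps://cloud-spoofer[.]xyz/AnyDesk.exe",         # AsyncRAT
    "hxxps://cloud-spoofer[.]xyz/GameOverlayUI.exe",   # stealer
]
KNOWN_SHA256 = {
    "205ed7d1eef37774c1b4499eec76b796f41edd256ac2e441afe3b0e144ef3f46": "Modified spoofer (Cloud Free.exe)",
    "079b1480ebabfb06545ce9723616f8fd02640cca2ff2e300255509e28ae9db8b": "AsyncRAT",
    "b041a434b7700cdaa563c018c7d84e53a2f4ca98260518a15031dd44f65decd1": "Stealer",
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator (hxxp(s)://, [.]) into a matchable URL/domain."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


IOC_DOMAIN = refang(DEFANGED_DOMAIN)
IOC_PATHS = {urlparse(refang(u)).path.lower() for u in DEFANGED_URLS}


def host_matches(host: str, ioc_domain: str) -> bool:
    """Exact domain or a subdomain of it; 'notcloud-spoofer.xyz' must not match."""
    host = host.lower()
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Constructed proxy log lines (format assumed: "<ts> <client> <method> <url> <status>").
PROXY_LOG = """\
2023-02-10T10:01:03Z 10.0.0.21 GET https://update.example.test/patch.zip 200
2023-02-10T10:02:17Z 10.0.0.21 GET https://cloud-spoofer.xyz/AnyDesk.exe 200
2023-02-10T10:02:19Z 10.0.0.21 GET https://cloud-spoofer.xyz/GameOverlayUI.exe 200
2023-02-10T10:05:40Z 10.0.0.33 GET https://www.cloud-spoofer.xyz/ 200
2023-02-10T10:06:02Z 10.0.0.40 GET https://notcloud-spoofer.xyz/x.exe 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(text: str) -> list:
    """Return one hit per request to the distribution domain, with a severity."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        ts, client, method, url, status = m.groups()
        parsed = urlparse(url)
        if not host_matches(parsed.hostname or "", IOC_DOMAIN):
            continue
        # A fetch of a known payload path is a probable infection; a visit to the
        # site itself only shows the lure was reached.
        severity = "high" if parsed.path.lower() in IOC_PATHS else "medium"
        hits.append({"ts": ts, "client": client, "url": url, "severity": severity})
    return hits


# Constructed Sysmon-style process-creation records (paths are assumptions; the
# page only states that payloads are written to ProgramData and executed).
PROCESS_EVENTS = [
    {"image": r"C:\Users\gamer\Downloads\Cloud Free.exe", "parent": r"C:\Windows\explorer.exe",
     "sha256": "205ed7d1eef37774c1b4499eec76b796f41edd256ac2e441afe3b0e144ef3f46"},
    {"image": r"C:\ProgramData\AnyDesk.exe", "parent": r"C:\Users\gamer\Downloads\Cloud Free.exe",
     "sha256": "079b1480ebabfb06545ce9723616f8fd02640cca2ff2e300255509e28ae9db8b"},
    {"image": r"C:\ProgramData\GameOverlayUI.exe", "parent": r"C:\Users\gamer\Downloads\Cloud Free.exe",
     "sha256": "b041a434b7700cdaa563c018c7d84e53a2f4ca98260518a15031dd44f65decd1"},
    {"image": r"C:\Program Files\Vendor\updater.exe", "parent": r"C:\Windows\explorer.exe",
     "sha256": "0" * 64},
]


def triage_process_events(events: list) -> list:
    """Return (image, [reasons]) for every record that trips at least one check."""
    findings = []
    for ev in events:
        reasons = []
        family = KNOWN_SHA256.get(ev["sha256"].lower())
        if family:
            reasons.append(f"hash matches {family}")
        image = ev["image"].lower()
        if image.startswith(r"c:\programdata\\"[:-1]) and image.endswith(".exe"):
            reasons.append("executable launched from ProgramData")
        if ev["parent"].lower().endswith(r"\cloud free.exe"):
            reasons.append("spawned by Cloud Free.exe")
        if reasons:
            findings.append((ev["image"], reasons))
    return findings


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(f"[{hit['severity']}] {hit['ts']} {hit['client']} -> {hit['url']}")
    for image, reasons in triage_process_events(PROCESS_EVENTS):
        print(f"[process] {image}: {'; '.join(reasons)}")
```

The subdomain check in host_matches is deliberate: a naive substring match would also flag unrelated hosts such as notcloud-spoofer.xyz, while an exact match would miss www.cloud-spoofer.xyz. The process triage stacks independent reasons so that an analyst sees why each record was flagged, and the ProgramData and parent-process checks still fire on a repacked payload whose hash is not in the table.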
