# An inquiry about the 0d exploit from an analytic pov


river linden
#

Red teamer here, just wondering if there will be any official release of information about this binary, maybe even handing it to platforms like VT, tria.ge, Hybrid Analysis, any.run and other security research platforms?

Will there be any official release of the hashes, files dropped, locations, maybe a YARA rule for those who want one?

From a security standpoint, seeing how a few days ago around 500 - 2k people were compromised (very likely much higher), I don't see why you would keep these cards very close to your chest. I get the point that you are looking into it, it can be very bad rep and what not, however if there is something to take away it is that if you give access to the public, especially those who have a genuine interest/capability around these things, then I don't see why you wouldn't?

I don't know what is being done behind the scenes, I don't know shit really when it comes to this, however I really would like to know. Out of curiosity.

I am NOT saying release the .lua files containing the 0d.

What I am saying is to release any files dropped and executed by this exploit, hashes, paths, who it might ping etc.

It will do a very great deal for your company, researchers and the community, ESPECIALLY those who are currently affected unknowingly.

The sooner EDRs/AV systems, including the public, have knowledge, the quicker YARA rules will be written and detections will be developed and implemented.


I love this game, I have no qualms with the development team or whoever is handling this situation, these are just my thoughts and feels from a security perspective.

NOTE: THE IMAGE IN THE THUMBNAIL IS NOT TO DO WITH THIS EXPLOIT


What I know:
C:\Users\(user)\AppData\Roaming\Microsoft\Network, and it's a file titled connector.vbs that is dropped, likely allowing it to be used as a dropping mechanism, therefore likely loading a binary from a web address into memory and executing it reflectively if it is .NET/C#, helping avoid antivirus detection/signing.

#

<@&756556556488933526>

#

I ask that the post isn't closed and remains open for the sake of community safety, interest and potentially support for infected users.

#

I cannot use markdown so I will bolden it

#

Expanding on this: will there be any official release of information about this binary, maybe even handing it to platforms like VT, tria.ge, Hybrid Analysis, any.run and other security research platforms?

I would like to add that it should not only be handing out file hashes but also links to scans with the malware binary(s) for public use and easier prevention/repairing of this situation
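For anyone who wants to check their own machine for the artefact described in the post, here is an added triage script (mine, not the poster's and not the studio's). It only uses what the post states, the file name connector.vbs under %APPDATA%\Microsoft\Network, and treats that as an unconfirmed observation rather than a verified indicator; it reports the file's hash and timestamps and any scheduled task that references it, without deleting anything.

```powershell
# Added triage check (not from the thread or the studio): looks for the dropper
# artefact described in the post, connector.vbs under
# %APPDATA%\Microsoft\Network, in every local user profile, and reports its
# SHA-256 so it can be compared against public scan-service results.
# The path and file name are the poster's observation, not a confirmed IoC.

$relative = 'AppData\Roaming\Microsoft\Network\connector.vbs'
$profileRoot = Join-Path $env:SystemDrive 'Users'
$profiles = Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue

$findings = foreach ($p in $profiles) {
    $candidate = Join-Path $p.FullName $relative
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $item = Get-Item -LiteralPath $candidate
        [pscustomobject]@{
            Profile   = $p.Name
            Path      = $candidate
            SizeBytes = $item.Length
            Created   = $item.CreationTimeUtc
            Modified  = $item.LastWriteTimeUtc
            Sha256    = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        }
    }
}

if ($findings) {
    Write-Warning "connector.vbs found in $(@($findings).Count) profile(s); treat the host as suspect and preserve the file for analysis."
    $findings | Format-Table -AutoSize

    # A dropped .vbs usually needs a persistence hook to run again, so list any
    # scheduled task whose action references the file name.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'connector\.vbs'
        } |
        Select-Object TaskName, TaskPath, State
} else {
    Write-Output 'No connector.vbs found under any profile; absence is not proof the host is clean.'
}
```

Run it from an elevated PowerShell so that every profile directory is readable; the hash it prints is what you would look up on VT or similar.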

odd marsh
#

You're right here. However, pinging Tech Support isn't necessary unless it's an emergency

river linden
#

just because Steam removed it does not mean the files aren't living on machines worldwide

#

and that they're updated to the latest.

edgy epoch
#

We will not be releasing any files or additional information publicly. We are not an antivirus or security company, we are a video game studio. If any information we release turns out to be incomplete or inaccurate, that can cause a false sense of security that could endanger users, and we would be liable for that.

We have confirmed that at minimum 500, and at maximum 2200 unique devices downloaded one of the affected mods. This does not necessarily mean all of those users ran the mod, but it's a good place to start. Anybody who subscribed to one of those mods, or anybody who thinks they may have subscribed to one of those mods should assume their system was compromised and act accordingly.

The best course of action if you are unsure is to do a clean install of your operating system and change your passwords if you believe you may be affected. It is also just good security advice to regularly do this anyway.

odd marsh
#

As for the dev team - try to avoid such loud terms as "Zero Day Exploit" in the future, as many users don't know what that is and start panicking over nothing.

edgy epoch
#

Safe > Sorry

river linden
# edgy epoch We will not be releasing any files or additional information publicly. We are no...

I commend this reply, I do get you're a game company and not security. All suggested actions are very fair to be recommended and should be done by those asap.

I just hop that if in the future, after complete and valid research is done, it is shared even if partially, as researchers like me are interested in the actions of such a group.

I respect not posting anything due to fears it might be inaccurate or incomplete.

#

hope*

#

Please do not think I am asking about the 0d itself.

#

By all means keep that internal if wanted.

#

Thank you for the reply and not just closing this post or going on a random one like usual in this day and age! ❤️

#

Do me a favour though and post any published findings in the future here, I'd love to know more about this group and the actions they've taken. ❤️

#

I am sure others would too 😄

odd marsh
river linden
#

especially when leveraging such a lucrative exploit

odd marsh
#

Groups don't target random indie games lol

river linden
#

doing these things by yourself is tiring

#

yes they do

#

you'd be surprised

#

this 0d is a good example of that...

odd marsh
#

Not really, no. It just went unnoticed before the consequences

idle abyss
#

We've received pretty targeted spear phishes, including ones using quite subtle information to look legitimate, though not in a little while

odd marsh
#

Man, it's the same as downloading some shady shit on the web, or going through random links. The devs can't be held accountable for this, thus can't be forced into any actions

river linden
river linden
idle abyss
#

Yeah, our codebase is extremely locked down. I won't explain how for obvious reasons

river linden
#

It isn't their fault, the only way they could've known is if they DIY it and pentest their own systems, which I am sure they do. Not everything gets caught and filtered

river linden
odd marsh
#

You were advising them to share the files and they're not obligated to tbh. It would be a nice thing to share it with InfoSec, but they can't be forced to do so

#

By the files I mean hash, dropper etc.

idle abyss
#

Can only as much cheese as we can do

river linden
#

yeah thats fair.

#

I don't expect you guys to catch everything anyway.

#

It is a principle of mine to always treat anything as not 100% valid in integrity, so I hold that when looking at others, so I cannot blame you at all.

#

Worded a little weird but I think yk

idle abyss
#

Our guys look for vulnerabilities, and we gladly accept reports, but a big old messy codebase is big, old and messy. Refactors are happening, but the priority is making a game, not perfect software

river linden
#

yes ofc

#

and I am happy you guys do your part in pentesting your own systems

#

ofc with old codebases it can be messy and hard, especially with refactoring and what not.

#

I am sure though, if you guys needed to or wanted to or whatever the reason may be, the community will happily and likely gracefully accept you guys taking whatever time or delays to releasing updates/fixes if it means a better and cleaner base. I know it isn't easy, especially due to the sheer size of this game, but even if it's a small small percent, every little helps as Tesco says.

idle abyss
#

No system is invulnerable, ever. Always some way in. Just gotta be harder than it's worth

river linden
#

not trying to shit on anything, you guys are doing an amazing job, especially right now.

river linden
#

look at apple recently

#

iOS 18's darksword exploit

#

i get it and you guys are doing a good job, believe me.

idle abyss
#

I expect LLMs to make things worse, though we don't use them

river linden
#

LLM analysis honestly can be helpful, as even EDRs and Windows Defender incorporate these into their detection algorithms, so I wouldn't phase it out completely

#

In fact, seeing recent news headlines, it could be beneficial, especially with the power some models truly have

#

like claude.

#

It is up to you to use them, however I wouldn't use them > human researchers

#

the experience cannot be replaced with time.

#

I also am not sure if it is economically viable for the company due to the small scale, I don't know the finances of this business so I have no say. At all...