Fake OBS Studio Hack Targeting YouTubers

Captions
I'm using OBS, or Open Broadcaster Studio, to record this video right now. Every single YouTuber or content creator that I talk to tells me that they use OBS to record their videos, and just yesterday Mutahar from SomeOrdinaryGamers released a video called "Google is putting YouTubers in danger." In that video he showcased a Google advertisement, one of the Google ads that gets promoted and ranked to the top of Google results, showcasing and sharing an advertisement and a link to a fake, malicious scam website where you might download what looks like OBS, or the Open Broadcaster Studio. However, it is not the OBS Open Broadcaster Studio; it is in fact information-stealing malware that hackers are going to use to steal your passwords, to steal your credentials, maybe credit card information, anything present in your browsing sessions, and secrets.

In this video I want to expand on what Mutahar showcased in his video just a little bit further, and hopefully get some cool show-and-tell to discuss what this really does and how you can better prevent yourself, or protect yourself, from it. And you know what, hey, let's play with this thing. Let's fire it up, let's see if we can detonate this, let's get this malware running in a dedicated dynamic analysis sandbox so we can better understand what it is in fact doing.

So, hopping on my computer screen: Mutahar was able to actually see the Google ad that served this right at the very, very top of Google results when he entered "OBS download." Now, at the time of recording, I'm not able to actually see this come through; I get the result for the legitimate, actual, in fact OBS Studio, not the malicious software. However, we could see from Mutahar's video that that link is at "OBS strms w-i-e-v dot site," or "obstrems weave dot site," I don't know however you want to really pronounce that, but note that this is the OBS Studio website as you might expect it to look if you went to the actual obsproject.com, where you could naturally download the real OBS software.

Interesting thing: obviously, if I put these side by side they look identical, because they basically are. Granted, trying to download a link from the legitimate and real OBS Studio will give you what you were expecting in trying to navigate to any specific links over on the left-hand side. Going to the malicious, evil and nefarious website, kind of a funny thing: absolutely every single link is a link to their download. In fact you can see it, I don't know if you notice, at the very, very bottom left (pointing in the wrong way because the camera's mirrored), it is actually trying to pull down from Discord CDN, the Discord content delivery network. It's going to fire up some attachment that some strange little script kiddie could just slap into Discord and then make it accessible to download anywhere from anyone. But again, I'm hovering over the download link, or their blog, or their help file, or their forum, or their contribute button, and it's always going to give me that. Even if I were to select macOS or Linux, the socials just refer back to this specific page. But if you scroll down to the footer, I think it's hysterical: even their privacy policy, Open Collective, Patreon, yada yada, everything links to their download here.

Now I can go ahead and click on this, download the file here, and oop, I actually see Guardio getting in the way of it. Fantastic, I appreciate them doing that. Hey, by the way, for some added context, this story and this conversation I did see actually shared from BleepingComputer, another news outlet that's talking about this sort of thing: Google ads and Google advertisements being used to promote or showcase malware, or scams, or phishing websites, or things that an innocent victim might fall prey to and actually have their information stolen from malware. Very, very cool. In the reporting that BleepingComputer did, they actually took in some insight from Trend Micro alongside Guardio, or Guardio Labs, and huge kudos and credit to Guardio. I'm using their blocker here and their browser extension; Guardio is a fan of the channel and I appreciate their support, and that's why, hey, they actually had a trigger fire off there. But I did want to give a little bit of a point in some fanfare; I appreciate Guardio being able to track this thing down for us just as well.

Anyway, let's get back to it, and let's actually allow this file so we can go ahead and play with it. That should finish downloading there, and I don't know if you notice, but this thing is 120 megabytes in size. Thanks, Guardio, appreciate it. Check it out: inside of my Downloads folder the file itself is 120 megabytes. That's the zip file, but if you actually take a look at the contents of the zip file, you have the executable installer itself, again masquerading and faking the OBS or Open Broadcaster Studio software, and that's at 462 megabytes, which is massive, a 75 percent compression ratio. And this "about" folder just has a whole lot of ADMX files, random stuff; ultimately this makes for, what, I don't know, 3.0 megs, yeah, 3.10 megabytes, nothing really big. Again, even in the other folder, I feel like this is just used for junk; I don't think this actually does anything or is included within the installer process. Anyway, that's not something that you see when you download the legitimate and real OBS installer.

Now, in Mutahar's video he did run this file through and scan it with Microsoft Defender, the native, natural and inherent Windows antivirus software, the one that's freely available on all modern Windows operating systems, and at the time Windows Defender, Microsoft Defender, whatever, didn't get any hits. It didn't trigger, it didn't flag this file as malicious, because, hey, you know, maybe there just aren't signatures or heuristics or whatever sample information out at the moment, because, hey, this is a new thing being pushed out into the wild. It is important to note, in my opinion, that the reason the file size is so large, when we're seeing this executable at like over 400 megs, is because it's very, very common for information stealers, or RedLine specifically, the RedLine Stealer that we might be dealing with here, to just fill up and bloat and add in lots of padding within the file, in the binary itself, so that other kinds of automated solutions that do security analysis to determine whether or not this file is malicious, like a sandbox to test and explore this malware in, or some dynamic analysis solution, find the file's too big and it overwhelms them, and it will not be as easily scanned and worked with. That's why, hey, you'll see this giant file that isn't really the size that it needs to be for the legitimate, natural, real OBS installer.

And let me show you that in action, by the way. Here I am online at app.any.run, the online tool for a whole lot of dynamic analysis and running malware inside of a sandbox. If I want to go ahead and create a new task, let's say, oh sweet, ANY.RUN is super duper generous and is willing to let me play with their Hunter subscription, kind of the top tier here, so I can amp this up to, like, 64-bit Windows 10, hey, a whole lot of maximum time to be able to play with this. But if, again, I wanted to upload this file as I have just downloaded it, even the compressed zip archive file, the one that we downloaded from the malicious website, is 120 megabytes, and larger than 100 megabytes is something that ANY.RUN is unwilling to work with.

Now, that's not to say that some of that analysis is just straight-up impossible. Again, in Mutahar's video he brings this file and uploads it to VirusTotal, one of those super common, very, very well-known analysis websites where it might be able to actually test this file against multiple antivirus engines, and he finds that, oh wow, of course the original, intended, legitimate OBS installer has zero hits, it's not malicious. However, the found malware file given from this scam Google ad that pops up does have a couple hits, again being RedLine Stealer. Granted, he did end up uploading the zip archive again, which I would want to go explore: what is the .exe file flagged as? If I actually try to go through both of these, it's interesting, I actually get one thing: no hits on the executable. And when I go take a look at the zip file, that actually is going to be a different hash than what he received, which leads me to believe, oh, they might be actually swapping out and changing what they are serving as time goes on. As things get flagged, as things get tracked down, the hackers are going to keep up, increasing their campaign here.

And, hey, another thing that's important to note here: RedLine Stealer and information-stealing malware just like this is super duper common. It's not new, it's not novel. We've been writing about it and sharing research and other information and threat intelligence about it for quite a long time, and I actually took a look at it in another video, one that I released previously a couple months back, where I received a phishing email, even through, like, a YouTube copyright scam, where I was to download and play with and actually review some document, but instead it was staged to be malware that might steal credentials and potentially gain access to hack my YouTube channel. There's a video if folks are interested in that. But in that video, because I couldn't upload this thing to ANY.RUN or do some dynamic analysis, because that's what I prefer, like, I'm lazy, I just kind of want to see, oh, what does it do, without hooking up all the wires and doing the operation, the surgery, myself, right? In that video we did do some assists with, like, Procmon or Process Explorer, stuff that you might be able to play with in the Sysinternals suite for some simple poor man's analysis. In this video, again, I'm a little bit lazy, I did have a thought, I had kind of maybe a clever thing: what if I could just use the ANY.RUN sandbox to go download this sample, because it is still open on the internet right now. I'm not going to give ANY.RUN the uploaded file; I'll have it download and work with it itself.

Stop! Before we go any further in today's video, please allow me to fulfill a contractual obligation, and let's roll today's sponsorship promo. Developers are constantly changing the digital landscape, but building secure software isn't always easy, especially in growing applications worked on across massive teams. Companies end up with mountains of code and they have to make a choice: stay competitive or stay secure. But with Snyk you don't have to choose. Snyk helps bake security into the software development life cycle. Snyk helps you scale and streamline by automatically scanning your code, dependencies, containers and configuration files, finding and fixing vulnerabilities in real time, and it is super easy to use. You can sign up for free with my link below, import your repositories in there, Snyk just finds your vulnerabilities, and you can fix all these issues with just a single click. Snyk automatically opens a fixing pull request so you can just merge them into your repository and move on, and it fits seamlessly into all of your existing tools: IDEs, the command line, CI/CD pipelines, cloud infrastructure and more. Millions of developers love Snyk, and you can see for yourself: get started for free with my link below, and develop fast and stay secure with Snyk.

Okay, so back on my computer screen. I'm going to be still working in ANY.RUN. I'm going to set it actually back to my Windows 10 64-bit public protocol, and let's actually not upload the installer file itself, but let's go back to, let's actually just, I don't know, take maybe one of the actual things that was present. I've kind of downloaded this and got it stored and saved already here; I've extracted this and I have the actual executable that we would pull from the zip archive downloaded from the application. But let's not give it the giant, massive file here; let's actually just take one of these small files and let's, you know, have ANY.RUN start up a sandbox for us. Now, with that, we can actually take advantage of the sandbox and go use it to download the real malware. Sure, it's going to do some processing and maybe kind of figure out, oh, what's going on with that other file, but, you know, we can still go explore, because we have the web browser open.

Let's try to go to "OBS stream w-i-e-v dot site," where we could download our malware, and ooh, looks like it's already getting kind of reported here. I do see Microsoft's coming through with it here; maybe that came from Guardio, I'm not quite sure. Let's go ahead and continue onward and let's go ahead and download our malicious sample here from Discord. I'll hit save. This is going to take a little bit of time to download, so I will speed-run the video here, but as you'll note, ANY.RUN is going to be keeping track of all the sweet stuff that's happening here for us, so we can get lazy in our malware analysis.

All right, now the zip file has finished downloading. I'm going to go ahead and open up the folder and I'm going to go ahead and extract all of this here. I'm going to hit "Extract to," we'll go and slap it on the desktop, hit OK there, and that should bring everything ready here for us. You'll note ANY.RUN is tracking all these processes that are open and doing great stuff; that should be nice and easy for us, because once we go ahead and fire off the detonator here, pull the trigger on this malware, we should be able to go see our OBS Studio installer kick off. Now, it is going to end up beginning here; you'll see it running and it should prompt us with, hey, let's go and install OBS. Again, bear in mind this is all fake, this is all a scam. You can probably see some of the sweet stuff cruising through here. I know my face is in the way, but let me go ahead and move my head just a moment, and that way we'll be able to see what is firing in a lot of these. Let me just drag my face up while this continues to move forward here.

Note that the full installer does end up checking out, oh, what's the date of the Windows install, okay, maybe it does a couple things, checking the computer name, LSA protection, yada yada. But there's some odd behavior when it does drop another file; this is kind of normal for potential installers, but we've got other things that it does that are strange and odd and weird. For one thing, there's a whole lot of these executions all next to each other; that might just be some oddity, maybe I double-clicked, maybe it was doing something strange, I don't know. However, there are some interesting things in the malicious categories that it's tracking here, and check out the command line: it's now C:\StrLocalGate. We also have a command prompt executable, cmd.exe, that does run with PowerShell syntax with an encoded command, a 100 out of 100 score that it should be malicious, and base64 details that would probably be pretty interesting to go take a look at. I don't know if anyone just happens to know what that might be base64-decoded off the top of their head, but again, command prompts, cmd.exe, doing some strange stuff, seeing what more it might stage here, and InstallUtil suddenly dropped. Okay, that's pretty weird, that's pretty whack. Now InstallUtil is firing off, and that's connecting outbound to an unusual port, looking for installed software, and actions that look like stealing of personal data. All the while the victim, the fool, the target here, is still under the impression that they are installing OBS Studio; they're going to start their YouTube career, they're going to be the next streamer, streamer of the year for 2023.

But let's go take a look at all these other things that have finished here. Before I allow OBS to start, I do want to explore a little bit more, because you can note the connections that this tries to fire off by process. Internet Explorer, of course, is cruising through, Microsoft Edge; I'm more interested in what our OBS thing will try to reach out to, or any of its child processes, right? We saw InstallUtil get spawned, which is normally just, hey, trying to invoke and actually execute code in another method, in another way. Looks like we are going to have that reaching out to eth0.me, which I believe is just a well-known website to just display your own IP address, so that the victim, the target, the malware might know, okay, what is the IP address that I'm working with here, what's the victim that I've compromised. Alongside this, you can see InstallUtil does make a call out to the IP address 35.234.79.173, no domain set on that; however, the ASN does tell all: this is from the Google Cloud Platform. I'm going to assume that might be the callback, that might be the remote access approach, and that might be where we're exfiltrating this data to. Forgive me, hey, not strictly a remote access trojan or command-and-control server where the operator is going to keep interacting with your victim PC that's been hacked, but it's where it's going to deliver all the stolen information, like passwords, like browser cookies, etc., etc. But we still need to make sure we can see that coming through, so we know, okay, here's our culprit IP address, 35.234.79.173, maybe hosted by GCP.

But this InstallUtil was doing other weird stuff, right? Let me go take a look at the "more info" portion here and let's see what this could showcase for us. We can see down below all of the processes that this little sandbox environment was exploring; we can see OBS Studio kick-start and all the things that it might do here. Taking a look at the deep details and the information that it did fire off for us, we might be able to see some more interesting things, and in fact this is where we get some oddball stuff that's going to look sketchy to begin with. If you wanted to filter out some of the informational things here, we can do that just as easily, but I'm still sketched out by this StrLocalGate. Maybe we could do some research, go track that thing down, see if it's maybe just some odd code name for a version or some sample of this RedLine Stealer. Anyway, let's go explore some of the other child processes that might do even other interesting things. This one does some reading of the computer names, etc., maybe pulling some install options .dll in a random temporary directory. It would be worthwhile to go run the natural, regular OBS installer in another sandbox just like this to see what that might do, to see does it do anything different, does it do anything separate from what our malicious copy does. It might be worthwhile to note, though, that this happens over and over and over again. Also, hey, staging some regular stuff, like potentially real OBS Studio files or program files, etc., again to look like genuine OBS, and then again it may very well be genuine OBS. It does drop a lot of the files that are needed to be able to keep track of what OBS should do for recording or streaming, like virtual camera modules, etc., etc. I don't want to dive in and bore us with that too much.

However, I do think it's worthwhile to explore some of the other things that kick off here. There was some strange stuff that I do want us to kind of hone in on, especially a lot of these weird command prompt and PowerShell commands that are being run. Additionally, another executable that gets dropped, put into Roaming, and actually modifies the registry to make that the login or log-off shell: it is going to put a randomly named folder, a randomly named executable, probably staging again the data exfiltration portion of the RedLine Stealer installed here. We can go pull that down and explore it if folks are interested; again, I'll share this sample and I'll share this link and everything, where again the registry is being modified to actually kick that thing off through Explorer here.

But let's look at the interesting thing: hey, let's go grab this encoded PowerShell string. I will go to CyberChef. Does that work here? Yeah, super simple, super easy. Just because I'm kicking around on Windows for the moment, let me do a "From Base64," uh oh, and that's going to be doing, like, a weird UTF-8; can I change that to the UTF-16 data format? I don't like that it has the weird hyphens in the middle, but you get it. You can see that this says Set-MpPreference, add an exclusion path, C:\, which, I don't know if I have to tell you, is the command to have Windows Defender, or the built-in, natural antivirus, set an exclusion for files that it will not scan, for files that it will not actually end up taking a look at and trying to see if there's malware. When you add an exclusion to C:\, for your hard drive, for the entire file system, it says, okay, Defender will no longer scan anything on the entire file system. It basically nerfs our antivirus. That probably won't end up executing or succeeding anyway if the user doesn't have admin privileges, which, in this case, I believe our ANY.RUN sandbox dynamic analysis user does. However, cool, so we can see that functionality, but note, hey, all those cmd.exe command lines that we all end up triggering with the encoded base64 are going to be trying to nerf that specific Windows Defender scan: it's adding the exclusion path, so it does nothing else.

Also odd: some certificates here, other things that we might be able to go explore. But the real smoking gun, when we get into some of the craziness, even if we're keeping track of others, InstallUtil, excuse me, InstallUtil.exe, is where we're staging to run the real detonator for our RedLine software. That is where we might be able to see a lot of the information that we're grabbing, but the "actions that look like stealing your personal data" is where we end up scrolling through and seeing how it might access all of the potential files, trying to read data present in local caches for different kinds of software. These are things that I don't know all of their origins for; however, Brave Software certainly sounds like the Brave web browser. I believe we can track down even others: Vivaldi, Yandex, Torch, Comodo, Orbitum. I think a couple of these might very well be, like, Bitcoin cryptocurrency wallet holders; I'm not in that world just yet, so I don't know. Here's Chromium, of course, another web browser; here's Thunderbird; oh, here's other Brave settings for local extensions. And again, we saw all this in the previous other video that would be checking out all of this within another sandbox like Triage, or tria.ge, where you can track this down online.

And, well, hey, that was us just kind of scrolling through the basic information for behavior and different events. Note that we can explore other things that each of these might end up doing. Here were all of our other registry changes that, you know, are a little bit weird, and whether or not we're going to be allowing tracing or any actual auditing or logging of any of this behavior: strange stuff and other activities that I don't want to pretend that I know all the answers to. However, here's the HTTP request that did come back with eth0.me to find its IP address, and additionally you also have the other communications, like this one sent to the Google Cloud Platform, or the culprit 35.234.79.173. Again, reputation for Google Cloud Platform: kind of just an ephemeral, temporary, potential HQ for the hackers. Could very well be malicious, but doesn't always mean that, right? Let's take a look at what the network stream might showcase here if it gives me any details. Yeah, let's go ahead and see, ooh, maybe the raw packets that were sent to this thing here. We're trying to denote, oh, here's some syntax with JSON, or JavaScript Object Notation, to say, look, we're going to be sending encrypted data here and back and forth. Does that work? Certainly seems like it's trying to; it does get data received back, so it must have been communicating with that on that port, 15647, as, again, kind of data back and forth to receive is still working here. What that means is, if this were really run on the target, if this were really actually detonated in a live environment, in an actual victim system like my own or like any other YouTuber or content creator, anyone trying to use this OBS software, being fooled and deceived by this malware, is going to have a lot of their passwords, credentials and information stolen.

Hey, real quick, let me please note that time ran out on our dynamic sandbox before I was able to continue actually letting OBS run and invoke and kick-start. With that said, I had run some previous examples where I actually had a regular OBS install to kind of compare and contrast, hey, what's normal, what's not, in this install process. Obviously, hey, you are going to have some of those specific DLLs or libraries set up and configured with the 64-bit stuff that it might end up checking for, virtual cameras, yada yada yada; obviously there's no setting Defender exclusions. But when I had another sample where I was previously playing with this underneath Explorer, we can ignore those until getting to actually installing the OBS software. After it did finish installing, I said, hey, you know what, sure, let's go ahead and start up the OBS software, let's go ahead and run what you said that you really installed, and you might be able to see that down here: OBS Studio 2.81.2.exe, separate from full installer.exe, a child process of it, because it did spawn through that installer. But note, even that is going to end up kick-starting this command prompt that tries to once again disable, or actually set exclusions for, Windows Defender, and it kicks off InstallUtil again. I have to think, maybe I'm wrong here, maybe I'm going out on a ledge and it's not the right ledge: is that a backdoored OBS? I might be wrong there, because OBS64.exe is still separate. I can't say that with any confidence; I think maybe this stager of StrLocalGate is really the issue here. However, running OBS64.exe, the pure original OBS, well, ANY.RUN might say it's malicious and might be still getting confused and caught up for just natural stuff that OBS has to do, genuine, legitimate OBS. Obviously our StrLocalGate OBS Studio that tries to set exclusions and run InstallUtil, that's Bad News Bears, there be dragons, that's malware.

Hey, last couple things before I wind this down here, because I know I've been rambling for a long time, and I'm sorry for that, but I did want to go explore what that, you know, 35.12-whatever IP address was, the actual exfiltration endpoint to pull back and restore and retrieve all of the stolen credentials or information, and I thought I'd go take a look at that on Shodan. Now, bear in mind, we have some context clues that this was probably hosted within Google Cloud Platform, GCP, and with that it's a cloud instance, which means it's probably a very temporary and ephemeral IP address which could very well change quite often. Kind of an oddball thing; I'm curious what this actual thing might be hosting, because the Shodan response doesn't include that port that we saw, the 15647, or whatever port they were actually performing this communication on to share info back and forth. But noting here, oh, Shodan said it was last seen, quote unquote, this date, 12/31, the very end of the year here for 2022, but scrolling down to some of the other services, it looked like there was a response back when it was communicating with this on December 26th. So I can't exactly trust right now what Shodan might be telling me, because it's so variable, because it's a temporary cloud instance; we just don't quite know if that current port listing is exactly accurate. Those things kind of hop in and out, because it's just a cloud instance.

However, the phishing domain itself, the actual staged malware website, obsstremsweve.site or whatever, that is an interesting domain that we might be able to go explore and check out the history of. If I were to go and do a simple WHOIS lookup, I can track down that this was actually created, this domain was registered, back on December 29th, and we were seeing stories and conversations pop up about this tradecraft, these techniques, these malware campaigns, way back on December 28th. Mutahar did his own video and reporting on the 30th, and now I want to drop this video on the 31st, so pretty recent, if we're going to be looking at December 29th as really when this went live.

And with that, I am finally done talking. I'm very sorry, hey, you know, a little bit verbose, but I hope it got into some of the cool, fun stuff, and we were able to explore this just a little bit further than, hey, what some of the great folks have been chatting about, and we can at least see this thing in a live, dynamic, interactive sandbox to do some of that dynamic analysis, even if it's taking the easy high road here, where, hey, we're taking advantage of some of the sweet stuff that tracks all that and does it for us. I hope that's still worthwhile and useful for folks, and honestly, look, we've got to do our due diligence here; we have to educate folks, we have to raise awareness on this. I've gone ahead and reported this domain, the "OBS streams weave dot site," and hopefully we'll be able to get that thing, and the file itself, a little bit more known within VirusTotal and other antivirus engines, and we'll keep chatting about this thing in this video, in the scene here, with other content creators, and hopefully you can spread the word just as well. If you'd like to, hey, you know, some sweet ways that might help out with that are pumping us up in the YouTube algorithm, if you don't mind. Hey, like, comment, subscribe if you like this video and you want to see more. If you're willing to support, there are links down below to, hey, support financially one way or the other, if you like Patreon, PayPal, and please, please, please, please go give some love to the sponsor of today's video; they are the reason that we can keep doing great stuff like this and maybe chatting more and more about it. But with that, man, I'm done rambling, I promise. I'll see you all later in another video, and thank you, thank you, thank you. Huge kudos and props to the folks already reporting on this, and again Mutahar for keeping us, you know, here on the front lines. Thanks, all.
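The CyberChef step in the video (From Base64, then switching the text decoding to UTF-16 to get rid of the "weird hyphens") is exactly what a detection pipeline has to do to see what an encoded PowerShell command really says. The following Python is an added example, not code from the video, from ANY.RUN or from CyberChef: it pulls the `-EncodedCommand` blob out of a process command line, decodes it as UTF-16LE base64 the way PowerShell does, and flags Defender-exclusion tampering of the kind the sample used. The command lines it scans are constructed for the example (the Defender one re-encodes the command the video recovered; the other two are benign PowerShell use), not captured from the real sample.

```python
"""Decode PowerShell -EncodedCommand blobs from process command lines and flag
Defender-exclusion tampering. Added example; the command lines below are
constructed, not captured from the sample in the video."""
import base64
import binascii
import re
from typing import Optional

# The command the video recovered with CyberChef, re-encoded the way PowerShell's
# -EncodedCommand expects it: UTF-16LE text, then base64.
DECODED_SAMPLE = "Set-MpPreference -ExclusionPath C:\\"
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii")

# Constructed process-creation command lines, modelled on the sandbox view in the
# video (cmd.exe handing PowerShell an encoded command). The benign lines are there
# to show the detector does not fire on ordinary PowerShell use.
SAMPLE_COMMAND_LINES = [
    f"cmd.exe /c powershell -EncodedCommand {ENCODED_SAMPLE}",
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Get-Date"',
    "powershell -enc "
    + base64.b64encode("Write-Host hello".encode("utf-16-le")).decode("ascii"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so build the alternation from every prefix, longest first.
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENC_FLAG = re.compile(rf"(?:^|\s)-(?:{_PREFIXES})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# The tampering the video observed (an exclusion path covering the whole drive),
# plus the closely related real-time-monitoring switch of the same cmdlet.
TAMPER_PATTERNS = [
    re.compile(r"\b(?:Set|Add)-MpPreference\b.*-ExclusionPath", re.IGNORECASE),
    re.compile(r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring", re.IGNORECASE),
]


def decode_encoded_command(blob: str) -> Optional[str]:
    """Return the plaintext of a base64/UTF-16LE encoded command, or None if it is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Decoding as UTF-8 instead of UTF-16LE is what produces the interleaved
    # "weird hyphens" (NUL bytes) the video ran into in CyberChef.
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Classify one process command line: was it encoded, what did it say, does it tamper with Defender?"""
    result = {"encoded": False, "decoded": None, "defender_tampering": False}
    match = ENC_FLAG.search(cmdline)
    if match:
        result["encoded"] = True
        result["decoded"] = decode_encoded_command(match.group(1))
    # Check the decoded text when we have it, otherwise the raw command line,
    # so an unencoded Set-MpPreference is caught as well.
    text = result["decoded"] if result["decoded"] is not None else cmdline
    result["defender_tampering"] = any(p.search(text) for p in TAMPER_PATTERNS)
    return result


def scan(cmdlines) -> list:
    """Run the classifier over a batch of command lines (e.g. from process-creation logs)."""
    return [analyze_command_line(c) for c in cmdlines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_COMMAND_LINES, scan(SAMPLE_COMMAND_LINES)):
        print(verdict, "<-", line[:60])
```

Fed the command-line field of process-creation telemetry (Windows event 4688 with command-line auditing on, or Sysmon event ID 1), this turns the encoded blob the sandbox scored 100/100 into readable text and a verdict. As the video points out, the exclusion only takes effect if the user is an administrator, so the attempt itself is the signal worth alerting on, whether or not it succeeded.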
Info
Channel: John Hammond
Views: 285,278
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: jXrSSq1D0e8
Length: 31min 19sec (1879 seconds)
Published: Sat Dec 31 2022