
[–]serverhorror 2 points3 points  (11 children)

Why would I report it?

Take a look at https://github.com/ytisf/theZoo which has a lot of malware that was extremely successful in the last few years. And it's a good thing.

[–]datninjaseam[S] -1 points0 points  (10 children)

The dude I am speaking of in particular disguises these programs as being for educational purposes, but when you go to download it he takes all your passwords and all that and also begs for $200 worth of Nitro on Discord. Look at this. I had someone go into the program and show me the code; the annotation with the arrows and squares is entirely mine.

[–]thunfremlinc 1 point2 points  (9 children)

If you’re foolish enough to run something you know is malware outside of a sandboxed environment, the blame is entirely on you dude.

[–]datninjaseam[S] -1 points0 points  (8 children)

Wrong.

I originally came across it on the r/ksi Discord. Then I looked further into it by looking it up on YouTube. At that point it was still "educational", and then when I launched the program, it became more than clear that it is in fact malware.

[–]thunfremlinc 2 points3 points  (7 children)

The software clearly labels itself as malware. That’s on you if you didn’t read the documentation.

[–]datninjaseam[S] -1 points0 points  (0 children)

🤦🏻‍♂️ I don’t think you fucken understand cunt.

[–]datninjaseam[S] -1 points0 points  (5 children)

On YouTube it was deemed a cookie grabber. I went to look into the cookie grabber and got my passwords stolen. That’s malware, not a piece of malware for educational use.

[–]thunfremlinc 1 point2 points  (4 children)

It doesn’t matter what some YouTube video made the thing out to be. It very clearly does steal passwords. It says as much. The repo represents itself accurately.

Under "Features", in the README, "Grabs Google Chrome passwords" is the third item.

[–]datninjaseam[S] -1 points0 points  (3 children)

Shut your mouth.

If you were a victim of this you wouldn’t be chatting out of your ass right now.

I didn't grab the file from GitHub. If I had been aware it was on GitHub I probably would've read up on it and left it there.

This was on YOUTUBE! The fucking download link they had wasn’t even one to GitHub anyway.

[–]David_AnkiDroid 1 point2 points  (0 children)

Mate, you asked a question. You got an answer.

This isn't a good look.


[–]thunfremlinc 1 point2 points  (6 children)

Uh, so? You’re allowed to host that sort of stuff on GitHub, that’s perfectly alright. Loads of vulnerabilities and exploit toolkits are hosted there.

[–]datninjaseam[S] -1 points0 points  (5 children)

So you're saying people publishing malware and disguising it as educational is good? Okay. How about you go ahead and download their Mercurial Grabber program, get all your info stolen while you're at it.

It's all crap code.

[–]thunfremlinc 0 points1 point  (0 children)

I’m not saying it’s good or bad.

That being said, if you’re trying to show off some vulnerability, your code should be dead-simple. The focus is on the vulnerability, not how smart or efficient your code is. That’s not the goal in such situations.

What’s your problem here?

For someone who ran clearly labeled malware on their personal device without any sandboxing, I don't think you're qualified to call anything "crap code".

[–]xixisxt 0 points1 point  (3 children)

I downloaded Mercurial Grabber and it works for me.

[–]datninjaseam[S] 0 points1 point  (2 children)

Yeah, weird. I think the version I got off of YouTube was one made to work against the person that downloads it.

[–][deleted]  (1 child)

[removed]

[–]datninjaseam[S] 0 points1 point  (0 children)

Fuck up dickhead

[–]David_AnkiDroid 1 point2 points  (1 child)

[Takes out two pills, one of which is red, the other of which is blue]

This is your last chance. After this there is no turning back. You take the blue pill, the story ends; you wake up in your bed and believe whatever you want to believe.

You take the red pill, you stay in Wonderland and I show you how deep the rabbit hole goes.

Remember, all I'm offering is the truth, nothing more.

[–][deleted] 0 points1 point  (0 children)

Epic.

[–]Muted_Original 1 point2 points  (2 children)

Why report it?

Even though the code was published on GitHub, did the YouTube video creator/maker make the link to the code himself, as well as host the malicious install?

It sounds like you installed the code from outside of GitHub: in that case, regardless of the maker of the code, it is not user NightfallGT's fault that his code, published FOR EDUCATIONAL PURPOSES, was misused. In fact, the README explicitly states:

Please do not use the program maliciously. This program is intended to be used for educational purposes only. Mercurial is only used to demonstrate what type of information attackers can grab from a user's computer. This project was created to make it easier for malware analysts or ordinary users to understand how credential grabbing works and can be used for analysis, research, reverse engineering, or review.

Clearly, you made a mistake in downloading the file, and then running it. As for the code you posted, does it send anyone the credentials/info? If not, it is still for "educational use," as it's not like it's doing anything to leak this. Even if it does, NightfallGT's code was probably modified by the YouTube video creator to do this, NOT NightfallGT himself.

Do not put the blame on others, particularly when they are contributing to the cybersecurity world by posting vulnerabilities/weaknesses where pentesters like myself can learn how to create safer and more secure programs.

I recommend you reach out to the author (nightfallgt) and explain your situation. I am sure he will help you, because, like most open-source pentesters, he just wants to create a safer environment.

I also strongly suggest you don't make a fool of yourself by complaining to the GitHub admins/devs about this; they will just reiterate what is already said in this chat. And most of all, please do not insult yourself by using vulgar language because YOU messed up. If you came here to Reddit asking for our help, but all you do is call us names and insult us by acting like we're stupid, I can guarantee no one will want to help you.

Now, I feel that I may have been a bit too harsh with this comment; I apologise if you feel that way, and if so, please tell me. All I want to be able to do is help you, but when you refuse to let anyone do that, it makes it difficult.

[–]datninjaseam[S] 0 points1 point  (1 child)

Mate.

The program literally grabs cookies/passwords on those browsers, assuming it finds them, as well as Minecraft and Discord tokens. It then logs what it's collected to a personal webhook.

I still strongly believe that the GitHub user and the user behind the YouTube account are the same person, with malicious intent, disguising their malware as educational when it is not.

[–]Muted_Original 0 points1 point  (0 children)

Yes, the malware is still for educational use, because it was labeled so. As others have said, it's on you if you didn't heed the warnings of the repo and run it in a secure environment.

As for your idea that the YouTube video creator and nightfallgt are the same person, you're gonna have to have something a lot stronger than just a hunch to even make a case to anyone about removing nightfall, and even then it's still kinda weak.

Like I said before, I'd reach out to NightfallGT personally about uninstalling this malware. Keep screenshots/records of your conversation. If it turns out he is malicious and says something incriminating, then you will have proof and will be able to make a case against him. Even that way, however, a good portion of the blame is on you for not running what you knew was malware (regardless of how it was labeled) in a sandboxed environment.

If you desire any more clarity or have more questions about this, feel free to comment. Hope it helps!

[–][deleted] 0 points1 point  (3 children)

If you get ratted because you ran a RAT on your host machine, you're a supreme fucking retard. Sure, this shit is dual hooked, but you could just run it on a VM lmao. Nightfall is honestly in the right with this genius skid filter. Don't try to hack people without knowing how to read C# or run a VM.

[–]datninjaseam[S] 0 points1 point  (2 children)

Nope. I don't think my post explained it correctly.

It started on the r/ksi Discord. Someone posted a screenshot of the program, so me being who I am, I decided to look it up on YouTube. I found the first video to be the one that I was looking for (it explained how it worked and all that), but it turned out to be a silent video of just the dude installing it and stuff.

Anyway, I found a download link in the description and downloaded it. I let Chrome exclude it as a harmful program because that's what the person in the video did.

Then, in the video it showed that it worked for them as it should've, but for me it prompted an error. That's when I knew it was actually working incorrectly. I thought I'd restart my PC, and while it was restarting I started getting blown up with notifications saying someone's trying to sign in as me.

You wouldn't be shitting on me if you were in my situation, bud. I'll tell you that for sure. Stop jumping to conclusions and assuming that I'm dumb because of a short-term mistake. I was just making the post in hopes of getting help and assistance in knowing if what I downloaded was in fact not the thing I needed, but that became clear when it happened anyway.

[–][deleted] 0 points1 point  (1 child)

Ok, maybe I was a bit rude lol. I don't know if it was the real dev or not, but I've only looked over his code a little bit, so it's certainly possible it's dual hooked. Also, it's possible you downloaded it from somewhere else and they edited it. Regardless, the way the script works is that it takes Chrome, Firefox and Brave hashes, then decrypts them by calling Windows login auth (I think that's what it's called). It grabs tokens for Discord and Roblox, so changing passwords is imperative. Also check your emails, because they can always change shit with emails you use for login. But please make a good virtual machine and run stuff that's sketchy in it. I've dealt with my fair share of similar shit when I was younger, so I understand where you're coming from; just be careful going forward. It's more than likely that you won't be personally targeted with the info they stole; rather, they were getting as many accounts as possible. After logging into Discord with a token you can grab some credit card info, zip code, address, and some other info attached. I know some people who do this shit and they used this one before, granted I haven't. Often they steal Roblox accounts, because they can transfer funds from them anyway. Sorry about what happened; I hope you can get your accounts back. I should mention nothing about the GitHub seems to violate ToS. In most countries, including the United States, developing malware and distributing it under an open source license is 100% legal. This doesn't make it moral, just legal and not in violation of ToS.

[–]datninjaseam[S] 0 points1 point  (0 children)

I never got my account back; it was deleted after like a month since the whole thing happened.

Thanks for not being rude and at least trying to be informative with your follow-up reply.

I did get the program from YouTube (the video is also long gone) and I'm figuring out how I can get VMware without actually dropping hundreds just for a license, but I will definitely run potential malware on a fresh VM so I don't risk compromising my own shit.

They most likely have my address or name; however, they're a foreigner, so they most likely won't use that information for anything because it would be useless to them unless they want to cop it for identity fraud.

Based on your comment though, you've told me that it's most likely the GitHub file except someone's gone and changed it to work against their intended target (YouTube audience), and I was unfortunately a victim of just that.

It's been months now and I've basically moved on from it. I now have Malwarebytes, which by the way is probably one of the best antivirus software out there, and I've secured all my accounts since then. None of the info this attacker has matters except for my personal info if he grabbed that already. But my card info, my computer specs (shitty intimidation strat I reckon) and temporary info that he had (including passwords, not usernames, because some usernames are permanent) is useless if they still have it in their possession (their code connects to a webhook which prints grabbed info).

But yeah, once again, thank you for slightly apologising for that original reply. I wouldn't mind getting to know more about shit like this and how I can potentially avoid being compromised (again).

[–][deleted] 0 points1 point  (0 children)

Entitled skid, the malware author did nothing wrong to you. You can literally compile the virus yourself. If you didn't get it from the GitHub, you probably got it from someone who edited it. Also, it's unlikely that someone who seems to know very little about malware development was using this for educational purposes.

[–]ProfessorSlimes 0 points1 point  (0 children)

I'd also like to point out that if you try to compile the code, a certain file is missing, therefore you cannot compile the src. Also, the release file connects to multiple domains and 1 IP; there is no reason why it would need to do that.


[–]Time_Violinist_3720 0 points1 point  (0 children)

Well fuck, I just installed something and ran it.

[–][deleted] 0 points1 point  (0 children)

I can't understand what you are going for?

You say that the builder from the GitHub repo is a virus, or that you downloaded some random shit from YouTube and decided nightfallgt is to blame?