MaleficAms & Quasar

Fighting MaleficAms.C and Quasar.GG!MTB // 30th January 2025

This torrent: rarbgo dot to/torrent/fontlab-8-0-0-8222-neverb-5320179.html , contains a crack.zip file. The crack is a virus. It didn't flash anything up on my screen for 2 days but when it did, I spent several hours chasing it around my system. DO NOT USE IT. It seems to be one of the new virus types that collects your browser's logged-in session tokens and sends them to a hacker.

The crack file doesn't contain much, but it activates a remote script, which then downloads other files and hides them around your system.

It also created two tasks in Task Scheduler, which ran every time the computer woke up from sleep.

IMPORTANT FIRST STEPS

• Make sure you activate tasks history: Task scheduler → Action menu → Enable All Tasks History.

• Also get ProcExp from Microsoft's SysInternals, it's more powerful than Task Manager (and also way more lightweight, who even made Task Manager heavy?). Run it as administrator.

• Disable your internet connection. If you don't trust that your wifi is fully off, create a firewall block rule that blocks everything outbound.

• Check Windows Security → Virus & threat protection settings → Exclusions. Make sure that NO folders or files are excluded. (Check the same thing in your antivirus app if you're using something else.)

All the files that I found

Here I'll list all the places I found files. The file names may be different for you.

Task Scheduler → "WindowsUpdate_Service"

WindowsUpdate_Service

There is a task in Task Scheduler. It was called WindowsUpdate_Service, and it was in the main tasks list (not in a Windows or Microsoft list).

Needless to say, it is not the real Windows update service.

Task Scheduler → 8026C5C2-......

Later, there was another task in there too, with a crazy numeric name.

8026C5C2-B019-46B0-B0F4-0583866B9AC8

The Task Scheduler app is crap, it'll show you a list of tasks in the Task Status section but clicking the tasks doesn't take you to the task entry.

Mine was called 8026C5C2-B019-46B0-B0F4-0583866B9AC8. It might have a different name in your situation.

Use Everything (or similar search indexer), type the task name in, it will display its file.

Delete it via Everything.

It was hiding in Task Scheduler under Microsoft/Windows/Management/Provisioning.

It interacted with a registry key (details below).

Startup → dwm.bat

dwm.bat

There is a bat script disguised as DWM in your startup apps.

C:\Users\Public\ → 5.vbs

5.vbs

There is a vbs script in c/users/public.

%LOCALAPPDATA%\Temp\ → c.bat

c.bat

There is a bat script in C:\Users\username\AppData\Local\Temp.

You can reach the Local AppData directory by putting its "shortcut" in the file browser address bar:

%LOCALAPPDATA%

And directly reach the Temp directory with:

%LOCALAPPDATA%\Temp 

%LOCALAPPDATA%\Temp\ → xjLsh7ECs8mU.exe

xjLsh7ECs8mU.exe

It also put another file into appdata/local/temp after I dealt with the virus a couple of times, before I found the task scheduler entries.

This file name looks randomly generated; yours will likely have a different name.

%LOCALAPPDATA%\Temp

There may have been some more files but I forgot where they were.

There's also a registry key masquerading as a Realtek device entry. HKey Local Machine / Software / RealtekgaNtkX0 / NtkX0rW.

Registry → RealtekgaNtkX0 / NtkX0rW

There's also a registry key masquerading as a Realtek device entry.

HKey Local Machine / Software / RealtekgaNtkX0 / NtkX0rW.

I recommend using Registry Finder to edit your registry, because it has undo built into the app. As far as I can tell, you can undo something that you changed previously, even days or weeks ago.

Paste this address into the address bar in your registry editor app. In your case, it might have a different name.

HKEY_LOCAL_MACHINE\SOFTWARE\RealtekgaNtkX0

I found this name via the task in the Task Scheduler — read the actions tab, it'll show you what commands are to be executed when the task is triggered. This is where I found the name of the registry key. Yours may be masquerading as a different device or brandname.

Defence

You, fighting it in realtime

The rogue code kept launching new powershell instances, and sometimes CMD instances.

Watch for them in ProcExp.

You can sort the processes by PID so the newest processes should appear at the top of the list.

Windows Security

The virus also added powershell.exe and my entire C:\ drive to the Windows Security antivirus exclusions list, so I was getting notifications from Windows Security that no threats had been found. Once I removed all exclusions from the list, it detected one virus, then later, the other one.

Windows Security finally detected two viruses:

1. Win32/MaleficAms.C — This program is dangerous and executes commands from an attacker.

2. MSIL/Quasar.GG!MTB — This program provides remote access to the computer it is installed on.

This was after I had deleted the other files by myself, so your antivirus software may detect more than mine did. I also uploaded the virus files to VirusTotal, and it shows that some antivirus software doesn't detect these files at all! Check out the links to pages on VirusTotal below.

Files checked on VirusTotal:

1. LbuDYVey.ps1 — This seems to be the originating file from which the chain of events started — https://www.virustotal.com/gui/file/5afdc33f02df4604b5610fe0c31131a889df29687353b1c0f300c1cf791192cb
2. 5.vbs (base64 powershell directives) — https://www.virustotal.com/gui/file/a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492
3. c.bat AND dwm.bat — https://www.virustotal.com/gui/file/d2ca5cb28153f404d84cad9dd6b28725015527625a262d3b6471e0458f5ecb85
4. 8026C5C2-B019-46B0-B0F4-0583866B9AC8 (in Task Scheduler) — https://www.virustotal.com/gui/file/257a73e0adedae700e848f36cbcf4198d478fb8cb4aab2855ebef496c7fca60d
5. RealtekgaNtkX0 / NtkX0rW — The registry key that was added — https://www.virustotal.com/gui/file/bf0814ba984aac3d577d45da9b06da36443c523241ec083120874cdacf65bf6c
6. crack.zip file — The crack.zip that was contained as the cracking method — https://www.virustotal.com/gui/file/d2b9cbc27e4328493cc918110de5d2c3339f79075466311b3b45a72faf86fe76
7. Patch.exe — The activator executable inside the crack.zip file — https://www.virustotal.com/gui/file/7dbc709cf291f300f458170fa4552e8a85187afc56b72ad073ffc4ea0d026c61
8. evbda.sys — A benign system file, distributed by Microsoft. It was included in the crack.zip file. https://www.virustotal.com/gui/file/48d9f61e943a7855562950ff26b866bd51a27d980757b065504fcd3f1a1d6f07

The magnet URI for the torrent that contains this crack. Do NOT USE IT. I have included it only for you to check if you are downloading a bad torrent.

magnet:?xt=urn:btih:28ED2F2AC95B9326D10647D012B5A07F1D2BBEF2&dn=FontLab+8.0.0.8222+%5BNeverb%5D&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337%2Fannounce&tr=udp%3A%2F%2Ftracker.pirateparty.gr%3A6969%2Fannounce&tr=udp%3A%2F%2Ftracker.tiny-vps.com%3A6969%2Fannounce&tr=udp%3A%2F%2Ftracker.torrent.eu.org%3A451%2Fannounce&tr=udp%3A%2F%2Fexplodie.org%3A6969%2Fannounce&tr=udp%3A%2F%2Fipv4.tracker.harry.lu%3A80%2Fannounce&tr=udp%3A%2F%2Fopen.stealth.si%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969%2Fannounce&tr=udp%3A%2F%2Ftracker.cyberia.is%3A6969%2Fannounce&tr=udp%3A%2F%2Ftracker.internetwarriors.net%3A1337%2Fannounce&tr=udp%3A%2F%2Ftracker.open-internet.nl%3A6969%2Fannounce&tr=udp%3A%2F%2Ftracker.zer0day.to%3A1337%2Fannounce&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969%2Fannounce&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337%2Fannounce&tr=http%3A%2F%2Ftracker.openbittorrent.com%3A80%2Fannounce&tr=udp%3A%2F%2Fopentracker.i2p.rocks%3A6969%2Fannounce&tr=udp%3A%2F%2Ftracker.internetwarriors.net%3A1337%2Fannounce&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969%2Fannounce&tr=udp%3A%2F%2Fcoppersurfer.tk%3A6969%2Fannounce&tr=udp%3A%2F%2Ftracker.zer0day.to%3A1337%2Fannounce