CRIL identified a malicious site cloud-spoofer.xyz that redirects users to a Discord channel to buy a FiveM unban spoofer. The tool is modified to download AsyncRAT and a stealer from remote servers, delivering malware to gamers. #CloudSpoofer #FiveM #Discord #AsyncRAT #GameOverlayUI #Cyble #CRIL
Key points
- CRIL identifies a malicious site cloud-spoofer.xyz that redirects users to a Discord channel to sell a FiveM unban spoofer.
- The threat actor (TA) has been selling Cloud Spoofer since September 2022 for 20–60 Euros, with pricing details shown in the post.
- The TA promotes via a Discord server and giveaways, encouraging gamers to create YouTube/TikTok videos linking the channel to maximize reach and infections.
- Instant unban offers are tied to subscribing to the TA’s YouTube channel, with a free spoofer download link provided in the video description.
- The modified spoofer downloads additional malware (AsyncRAT and a stealer) from the remote server and stores components on the victim’s machine.
- The campaign disguises malware as a FiveM spoofer and provides IOCs including the malicious URL and various file hashes.
MITRE Techniques
- [T1566] Phishing – Redirects users to a Discord channel to announce selling the spoofer for FiveM unban. “malicious site cloud-spoofer.xyz, which redirects the user to a discord channel where the announcement is made by the Threat Actor (TA) for selling the spoofer to get unban from FiveM.”
- [T1204] User Execution – The tool prompts user input for tasks and shows a UI during execution. “Upon execution, the Cloud Free.exe file shows the following UI, allowing the user to enter the choice for performing several tasks such as spoofer, cleaner, global ban, etc.”
- [T1105] Ingress Tool Transfer – The spoofer downloads additional malware from a remote server. “downloads AsyncRAT malware from the URL hxxps://cloud-spoofer.xyz/AURLesk[.]exe.”
- [T1041] Exfiltration Over C2 Channel – The report recommends monitoring network beacons so that exfiltration by the malware can be blocked. “Monitor the beacon on the network level to block data exfiltration by malware or TAs.”
Indicators of Compromise
- [SHA256] Hashes – f161af9b9caec7e99e85f924a4161514929b0b6ab176f66555cdb3274d5ca633, 205ed7d1eef37774c1b4499eec76b796f41edd256ac2e441afe3b0e144ef3f46 (Hash values for the analyzed RAR payload)
- [SHA1] Hashes – f3991147e742ba18a277f06900d3a9f73a471479, ea52d2b743934c1d22d1994f98732ddc86001d3d (Hash values for the analyzed RAR payload)
- [MD5] Hashes – 2994e21b35be95d056130e28f2aaca4f, 7f4ec1579a0d3d05225226ad2321dcd3 (Hash values for the analyzed RAR payload)
- [SHA256] Modified Spoofer Hash – 205ed7d1eef37774c1b4499eec76b796f41edd256ac2e441afe3b0e144ef3f46
- [SHA1] Modified Spoofer Hash – ea52d2b743934c1d22d1994f98732ddc86001d3d
- [MD5] Modified Spoofer Hash – 7f4ec1579a0d3d05225226ad2321dcd3
- [SHA256] AsyncRAT Hash – 079b1480ebabfb06545ce9723616f8fd02640cca2ff2e300255509e28ae9db8b
- [SHA1] AsyncRAT Hash – a51a3c3aec182eb8cfd052eac0f56b31eaada03c
- [MD5] AsyncRAT Hash – 67a7ebbc7c94ed3fbaad5cdac96a7997
- [SHA256] Stealer Hash – b041a434b7700cdaa563c018c7d84e53a2f4ca98260518a15031dd44f65decd1
- [SHA1] Stealer Hash – 54ef9f572a21698112107d1980c0a59fe68c4a16
- [MD5] Stealer Hash – f107bc215564928d5f76070f1686932b
- [URL] Malicious site – hxxps://cloud-spoofer[.]xyz
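As an added example (not part of the Cyble write-up or its tooling), the script below turns the IOCs listed above into a small triage check: it refangs the defanged domain, hashes files under a directory with all three algorithms, and flags any file or proxy-log line that matches. The hash values and domain are the ones from this page; the sample log lines and the directory layout are constructed for illustration.

```python
"""Match the Cloud Spoofer IOCs from the report against local files and proxy logs."""
import hashlib
import re
from pathlib import Path

# Indicators exactly as listed in the report (URL kept defanged, as published).
MALICIOUS_DOMAIN_DEFANGED = "cloud-spoofer[.]xyz"
IOC_HASHES = {
    "sha256": {
        "f161af9b9caec7e99e85f924a4161514929b0b6ab176f66555cdb3274d5ca633",  # RAR payload
        "205ed7d1eef37774c1b4499eec76b796f41edd256ac2e441afe3b0e144ef3f46",  # modified spoofer
        "079b1480ebabfb06545ce9723616f8fd02640cca2ff2e300255509e28ae9db8b",  # AsyncRAT
        "b041a434b7700cdaa563c018c7d84e53a2f4ca98260518a15031dd44f65decd1",  # stealer
    },
    "sha1": {
        "f3991147e742ba18a277f06900d3a9f73a471479",
        "ea52d2b743934c1d22d1994f98732ddc86001d3d",
        "a51a3c3aec182eb8cfd052eac0f56b31eaada03c",
        "54ef9f572a21698112107d1980c0a59fe68c4a16",
    },
    "md5": {
        "2994e21b35be95d056130e28f2aaca4f",
        "7f4ec1579a0d3d05225226ad2321dcd3",
        "67a7ebbc7c94ed3fbaad5cdac96a7997",
        "f107bc215564928d5f76070f1686932b",
    },
}

# Constructed sample proxy log lines (not real telemetry) for demonstrating the log check.
SAMPLE_PROXY_LOG = [
    "2022-10-05T10:12:01Z 10.0.0.23 GET https://cloud-spoofer.xyz/ 200",
    "2022-10-05T10:13:44Z 10.0.0.23 GET https://discord.com/invite/placeholder 200",
    "2022-10-05T10:15:09Z 10.0.0.23 GET https://cloud-spoofer.xyz/AURLesk.exe 200",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator (hxxps://, [.]) back to its live form for matching."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def hash_file(path) -> dict:
    """Return md5/sha1/sha256 hex digests of a file, read in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests: dict) -> list:
    """Return the algorithms whose digest appears in the IOC set (sorted, empty if clean)."""
    return sorted(
        algo for algo, value in digests.items()
        if value.lower() in IOC_HASHES.get(algo, set())
    )


def scan_files(root) -> dict:
    """Hash every regular file under root and map path -> matching algorithms."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            matched = match_hashes(hash_file(p))
            if matched:
                hits[str(p)] = matched
    return hits


def scan_log_lines(lines) -> list:
    """Return log lines that reference the malicious domain or any of its subdomains."""
    domain = re.escape(refang(MALICIOUS_DOMAIN_DEFANGED))
    # Lookbehind rejects "notcloud-spoofer.xyz"; a leading "." (subdomain) is still allowed.
    pattern = re.compile(r"(?<![\w-])" + domain + r"(?![\w-])", re.IGNORECASE)
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    for line in scan_log_lines(SAMPLE_PROXY_LOG):
        print("domain hit:", line)
    for path, algos in scan_files(".").items():
        print("hash hit:", path, algos)
```

Run it from a quarantine or download directory; the hash check is exact, so any repacked or patched copy of the spoofer will not match and should be caught by the domain check in proxy or DNS logs instead.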
Read more: https://blog.cyble.com/2022/10/07/modified-fivem-spoofer-targeting-gamers/