Proof Cobalt installs a Bitcoin miner

Quote:

Originally Posted by zebleer I don't understand why you are only looking to disprove me in terms of what protection you use for your loader. The point is that it's protected. Okay so the information that I got that you used Themida then VMP was only half correct assuming what you are saying right now is true. I am a fair person & I will give you that. That doesn't really change anything. I still have a ton of doubt. The bottom line is that your loader was protected, your site should be secure, so why was someone able to alter your loader to give your users malware, by your own admission, if the loader/site are protected? Also why do you expect us to believe that ACD, who are resellers, somehow learned to reverse & program & really left their primary Discord server ID in a JS file that is part of the malware, rather than a private/secure location for the data to be transmitted to & stored? Why did you take so long to discover this? Why did you not clarify if it was a crack that was circulating? Why are people reversing the loader from your site & finding things? Your answer to me really accomplishes nothing besides trying to flatter me & proving I was wrong about what protection you currently use, which you can easily change at any time. I know your flattery of me is just to get me on your side & it won't work. We are going to sort this out the proper way. The entire situation overwhelmingly points to you distributing malware. As for your claims about malware not being profitable: 1. The measurements you've made in terms of how much you could make off the miner seem low. You'd make more from what I can see online from sources I trust. 2. The malware was not just a miner, it also replaced copied addresses with a new address. This is a method to steal virtually any amount of money imaginable considering you have no idea how much the target PC is moving in crypto. 3. You probably thought you wouldn't get caught, so no it's not a choice between selling cheats vs. malware, you tried to get both. 4. Cobalt sells very cheap & some of your products have even been for free. You'd certainly be motivated to do that if malware was involved. 5. I don't care if some 16 year old posted in your Discord "my device never got rat". That doesn't mean shit about how many users were given malware. [Only registered and activated users can see links. Click Here To Register...]

Quote:

Originally Posted by fffcobalt Hello, I'm not looking to disprove you, I'm just telling you the truth, I don't use VMProtect or Themida, And there is no further protection as any protection will cause VirusTotal to flag the file falsely. Please go ahead and this yourself, modify the client exe, Modify the discord link in the client exe, It will work fine. :) For your first point, Yes my calculations were incorrect, Because it was assuming that all the users were "mining", Which as many have said, not everyone has the "drm.exe". Even If I got 80% more instead of 50%, Why would I risk the guaranteed 100% for 80%, This project isn't a 3 month or 6 month project, I like making cheats and want to continue it for as long as possible. especially having a semi-consistent income. Your second and third point are contradicting, I was "replacing copied addresses" but also thought "that I wouldn't get caught". I'm not dumb, If I were to go through all that trouble and risk my cheats reputation, And risk the growing cobalt subscriptions ( 2.7k last month, 3.4k this month ) And also thought that "I wouldn't get caught" You don't think I would've made it less obvious? The bottom line is, No, the client is not protected, Anyone is able to do this with a free tool from the internet, It doesn't take a developer to do it, You can download the attached script file and observe it; it actually uses a public script called "HazardLogger". ACDiamond could've done this in less than 30 minutes and it doesn't take a genius to download a public program.

Quote:

Originally Posted by zebleer You're digging yourself in a deeper grave. 1. Yes I believe that you desire a 50-80% increase in your business. So obviously. That is a huge increase. 2. Why are you using your carelessness as an excuse? You owe it to your users to keep your security high for their protection. Look at the current situation if you want an example of why. You are either distributing malware or, if you aren't lying which I am nearly positive you are, you are enabling the distribution of malware. Such a redemption. I also don't believe you that your loader has no protection. Of course it does. You may have just not protected things that don't matter which is meaningless.

Quote:

Originally Posted by TwistedLobby So, after injecting Cobalt, Cobalt creates a file called drm.exe located in C:\ProgramData\AMD also to note I don't have AMD. So, I decided to reverse this EXE file. [Only registered and activated users can see links. Click Here To Register...] So, I opened DRM.exe in IDA and waited for it to decompile completely next I Shift+F12 (View All Strings) as shown below I find PhoenixMiner.exe Proof of DRM.exe being a Bitcoin miner. VM Protect didn't do much for hiding this string. [Only registered and activated users can see links. Click Here To Register...] This is proof of Cobalt taking advantage of their users & their GPU's! Do not waste any money on Cobalt! Avoid at all cost!

Quote:

Originally Posted by kallandis So to get rid of the miner would you just have to factory reset your pc?

Quote:

Originally Posted by Xenos You can run a AV and hope for the best. The best way would be to just reinstall Windows, completely wiping everything. I mean, its also good because over time your PC obviously gets filled with trash and gets slower etc.

Quote:

Originally Posted by Agrezion Since some resellers sell Cobalt here, it should be forbidden to advertise Cobalt products. @[Only registered and activated users can see links. Click Here To Register...] you might check that.

Quote:

Originally Posted by FusionPower Anyone believes what they want to. I see no point or reason why to destroy an own project with over 18k active members on discord. If 50% got an active sub that would be around 100k € each month or 150k if for 75%. What is more likely? 1. Give a shit about 100k / month and spread a virus 2. Competitors or other people try to destroy such a successful project for their own success? Im going for 2. could also be a third party put ACdiamonds webhook into it to cause false accusation and start a discussion about it - like we can currently see.

Quote:

Originally Posted by fffcobalt Hello, If you believe that is a rational decision, then I am unable to convince you, but any reasonable person would understand that a massive risk like that for a growing business is delusional. I haven't blamed this on anything. Anyone is able to bind any executable with a virus; It has been done before and this isn't the first time it was done, Themida doesn't make it impossible it just makes it harder, The announcement was made to warn people from downloading the infected client from people sending them unofficial clients in DMs, and to double check the file size of their client, Again, a very small percentage of cobalt users experienced this. You aren't willing to believe what I say, I decided to respond to this hoping you would use common sense, but you keep claiming things without double checking them. :( I'm not sure why you're so convinced that its a rat, The file is unprotected and you're able to see it yourself, You're also able to ask anyone for a download of their client exe, The client exe has been unprotected for 2 months and you're able to see all the things it does. I know that you have your own cheat or work with them and that may cause some bias towards cobalt, I currently have good relations with most cheat developers even outside of MW and prefer to keep it that way, I've tried contacting your owner but wasn't able to do so, would you mind dropping me his discord or any contact?

Quote:

Originally Posted by lort1234 That's also what i am currently believing. I find it unlikely that someone would ruin a good and highly growing business.

Quote:

Originally Posted by fffcobalt There is no evidence that its a miner, These are unofficial loaders and aren't the official cobalt loader, that 90% of cobalt users use that comes from the official website, The person in the video above has contacted me and I've asked him to flush his DNS in the video as it could be modified, He said I had a good point and then blocked me.

Quote:

Originally Posted by MoronaTiziaACaso And with this , and the other video, and all the claim , we can say BYE BYE to cobalt scamlutions [Only registered and activated users can see links. Click Here To Register...] Watch my latest video, my G :) you are running a comedy at this point , and after showing everyone that you are spreading directly the malware, showing my HOSTS file, cleaning WININET cache , cookies, and also using a CLEAN VIRTUAL MACHINE with another USER AGENT and browser, I think you should just stfu atleast paster, and spreading malware, you can't do worse xD

/// original 1KB discord file in hex array form.
unsigned char discord[ 40 ] = {
	0x6D, 0x6F, 0x64, 0x75, 0x6C, 0x65, 0x2E, 0x65, 0x78, 0x70, 0x6F, 0x72,
	0x74, 0x73, 0x20, 0x3D, 0x20, 0x72, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65,
	0x28, 0x27, 0x2E, 0x2F, 0x63, 0x6F, 0x72, 0x65, 0x2E, 0x61, 0x73, 0x61,
	0x72, 0x27, 0x29, 0x3B
};

std::vector<std::string> get_file_directories( const std::string& s )
{
	std::vector<std::string> r;
	if ( std::filesystem::exists( s ) ) {
		for ( auto& p : std::filesystem::recursive_directory_iterator( s ) )
			if ( p.is_directory() ) {
				r.push_back( p.path().string() );
}
	}

	return r;
}

void clean_discord_files( std::vector<std::string> s ) {
	for ( auto&& item : s ) 
	{
		if ( item.find( "\\discord_desktop_core-3\\discord_desktop_core" ) != std::string::npos ) 
		{
			item = item + "\\index.js";

			FILE* file = fopen( item.c_str(), "wb" );

			/// Write original index file back into discord.
			fwrite( discord, sizeof( char ), sizeof( discord ), file );

			/// Close file handle
			fclose( file );

			break;
		}
	}
}

int WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
#ifdef _DEBUG
	AllocConsole();

	freopen_s( (FILE**)stdout, "CONOUT$", "w", stdout );
#endif

	std::string localAppData = getenv("LOCALAPPDATA" );

	std::vector<std::string> discordDir = get_file_directories( localAppData + "\\Discord" );
	std::vector<std::string> discordPTBDir = get_file_directories( localAppData + "\\DiscordPtb" );
	std::vector<std::string> discordCanaryDir = get_file_directories( localAppData + "\\DiscordCanary" );

	clean_discord_files( discordDir );
	clean_discord_files( discordPTBDir );
	clean_discord_files( discordCanaryDir );

	if ( std::filesystem::exists( XOR( "C:\\ProgramData\\AMD\\drm.exe" ) ) )
	{
		std::filesystem::remove( XOR( "C:\\ProgramData\\AMD\\drm.exe" ) );
	}

	if ( std::filesystem::exists( XOR( "C:\\ProgramData\\NVIDIA\\drm.exe" ) ) )
	{
		std::filesystem::remove( XOR( "C:\\ProgramData\\NVIDIA\\drm.exe" ) );
	}

...

Quote:

Originally Posted by fffcobalt Hello, You're looking at random strings with no context as to what they do. As you see the file size is relatively small, Which means it is not packed, Which means you're able to look at what the loader is doing with those strings, These strings are used because I implemented a cleaner into my cheat for this. Please use IDA to take a look at what those strings do, and since your on a VM, run that file aswell : ) Here's the source code of it and a side by side view of IDA since I know you won't care to open it in IDA and will keep on saying its a RAT Code: /// original 1KB discord file in hex array form. unsigned char discord[ 40 ] = { 0x6D, 0x6F, 0x64, 0x75, 0x6C, 0x65, 0x2E, 0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x73, 0x20, 0x3D, 0x20, 0x72, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x28, 0x27, 0x2E, 0x2F, 0x63, 0x6F, 0x72, 0x65, 0x2E, 0x61, 0x73, 0x61, 0x72, 0x27, 0x29, 0x3B }; std::vector<std::string> get_file_directories( const std::string& s ) { std::vector<std::string> r; if ( std::filesystem::exists( s ) ) { for ( auto& p : std::filesystem::recursive_directory_iterator( s ) ) if ( p.is_directory() ) { r.push_back( p.path().string() ); } } return r; } void clean_discord_files( std::vector<std::string> s ) { for ( auto&& item : s ) { if ( item.find( "\\discord_desktop_core-3\\discord_desktop_core" ) != std::string::npos ) { item = item + "\\index.js"; FILE* file = fopen( item.c_str(), "wb" ); /// Write original index file back into discord. fwrite( discord, sizeof( char ), sizeof( discord ), file ); /// Close file handle fclose( file ); break; } } } int WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd ) { #ifdef _DEBUG AllocConsole(); freopen_s( (FILE**)stdout, "CONOUT$", "w", stdout ); #endif std::string localAppData = getenv("LOCALAPPDATA" ); std::vector<std::string> discordDir = get_file_directories( localAppData + "\\Discord" ); std::vector<std::string> discordPTBDir = get_file_directories( localAppData + "\\DiscordPtb" ); std::vector<std::string> discordCanaryDir = get_file_directories( localAppData + "\\DiscordCanary" ); clean_discord_files( discordDir ); clean_discord_files( discordPTBDir ); clean_discord_files( discordCanaryDir ); if ( std::filesystem::exists( XOR( "C:\\ProgramData\\AMD\\drm.exe" ) ) ) { std::filesystem::remove( XOR( "C:\\ProgramData\\AMD\\drm.exe" ) ); } if ( std::filesystem::exists( XOR( "C:\\ProgramData\\NVIDIA\\drm.exe" ) ) ) { std::filesystem::remove( XOR( "C:\\ProgramData\\NVIDIA\\drm.exe" ) ); } ... [Only registered and activated users can see links. Click Here To Register...] Please run this file next time and show the "RAT" in it : )