Cobalt users. Crypto miner might be installed

Discussion on Cobalt users. Crypto miner might be installed within the Call of Duty forum part of the Popular Games category.

Old 04/26/2022, 05:13   #16
 
elite*gold: 0
Join Date: Mar 2021
Posts: 77
Received Thanks: 6
Lol any program you use or allow on your PC from these Cheat providers gives them controlled folder access and buries themselves inside your authentication settings and then allows themselves to edit anything they feel like editing while you run their program. This is common sense when using any programs. I had suspected this when they gave the free trial out of nowhere and crashed the majority of people's PCs.
ohimlegit is offline  
Old 05/07/2022, 03:37   #17
 
elite*gold: 0
Join Date: Apr 2022
Posts: 70
Received Thanks: 21
MoronaTiziaACaso is offline  
Thanks
1 User
Old 05/07/2022, 10:58   #18
 
elite*gold: 0
Join Date: Mar 2019
Posts: 45
Received Thanks: 18
**** fff his cheats a rat
hermeser is offline  
Old 05/07/2022, 14:14   #19
 
elite*gold: 0
Join Date: Apr 2022
Posts: 70
Received Thanks: 21
Quote:
Originally Posted by hermeser View Post
This does not prove ANYTHING. You are looking at STATIC strings. Those discord strings are to remove a token logger that was spread by acdiamond and other competitors under cobalts name to try ruin their reputation. Fff has even posted the source code for the strings u are looking at and has proven that it is nothing malicious.

You've literally just figured out how to look at program strings and now you think you're a reverse engineering god. When in fact you are just a retard with a pumped up ego.

Here is the source code and IDA disassembly for the strings in question. As you can see they are clearly nothing malicious. I find it quite sad that when a cheat developer tries to help his userbase by implementing something to remove a potential virus, they get called out for being "rats", "miners" and "scum".
'No good deed goes unpunished.'

Code:
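#include <windows.h>

#include <cstdio>
#include <cstdlib>
#include <filesystem>
#include <string>
#include <vector>

/// XOR( ... ) is used below but is not defined in the posted code.

/// original 1KB discord file in hex array form.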
unsigned char discord[ 40 ] = {
	0x6D, 0x6F, 0x64, 0x75, 0x6C, 0x65, 0x2E, 0x65, 0x78, 0x70, 0x6F, 0x72,
	0x74, 0x73, 0x20, 0x3D, 0x20, 0x72, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65,
	0x28, 0x27, 0x2E, 0x2F, 0x63, 0x6F, 0x72, 0x65, 0x2E, 0x61, 0x73, 0x61,
	0x72, 0x27, 0x29, 0x3B
};

std::vector<std::string> get_file_directories( const std::string& s )
{
	std::vector<std::string> r;
	if ( std::filesystem::exists( s ) ) {
		for ( auto& p : std::filesystem::recursive_directory_iterator( s ) )
			if ( p.is_directory() ) {
				r.push_back( p.path().string() );
			}
	}

	return r;
}

void clean_discord_files( std::vector<std::string> s ) {
	for ( auto&& item : s ) 
	{
		if ( item.find( "\\discord_desktop_core-3\\discord_desktop_core" ) != std::string::npos ) 
		{
			item = item + "\\index.js";

			FILE* file = fopen( item.c_str(), "wb" );

			/// Skip this entry if the file could not be opened for writing.
			if ( !file )
				break;

			/// Write original index file back into discord.
			fwrite( discord, sizeof( char ), sizeof( discord ), file );

			/// Close file handle
			fclose( file );

			break;
		}
	}
}

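int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
#ifdef _DEBUG
	AllocConsole();

	/// Redirect stdout to the newly allocated console.
	FILE* console = nullptr;
	freopen_s( &console, "CONOUT$", "w", stdout );
#endif

	/// getenv returns nullptr when the variable is not set.
	const char* localAppDataEnv = getenv( "LOCALAPPDATA" );
	if ( !localAppDataEnv )
		return 1;

	std::string localAppData = localAppDataEnv;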

	std::vector<std::string> discordDir = get_file_directories( localAppData + "\\Discord" );
	std::vector<std::string> discordPTBDir = get_file_directories( localAppData + "\\DiscordPtb" );
	std::vector<std::string> discordCanaryDir = get_file_directories( localAppData + "\\DiscordCanary" );

	clean_discord_files( discordDir );
	clean_discord_files( discordPTBDir );
	clean_discord_files( discordCanaryDir );

	if ( std::filesystem::exists( XOR( "C:\\ProgramData\\AMD\\drm.exe" ) ) )
	{
		std::filesystem::remove( XOR( "C:\\ProgramData\\AMD\\drm.exe" ) );
	}

	if ( std::filesystem::exists( XOR( "C:\\ProgramData\\NVIDIA\\drm.exe" ) ) )
	{
		std::filesystem::remove( XOR( "C:\\ProgramData\\NVIDIA\\drm.exe" ) );
	}

...
1) a serious provider won't use KDMAPPER 1:1 from github
2) a serious provider won't put a "token logger / miner" remover in the cheat
3) I've already shown that I, and a lot of other people, downloaded the infected build directly from his site
4) I don't care anymore about you and your retard friend
MoronaTiziaACaso is offline  
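An added example, not part of any post in this thread: a read-only audit that looks for `discord_desktop_core\index.js` files and reports any whose content differs from the 40-byte file embedded in the code quoted above, instead of overwriting them. Treating those bytes as the expected stock content is an assumption taken from that post, and the `app-0.0.0\modules` layout and sample files are constructed for the demo.

```python
import os
import tempfile

# Byte array from the quoted post, decoded; assumed here to be the stock file.
STOCK_INDEX = bytes.fromhex(
    "6D6F64756C652E6578706F727473203D20726571756972"
    "6528272E2F636F72652E6173617227293B"
)

def find_index_files(root):
    """Yield every index.js that sits directly in a discord_desktop_core directory."""
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "discord_desktop_core" and "index.js" in files:
            yield os.path.join(dirpath, "index.js")

def audit(root):
    """Return {path: 'stock' | 'modified'} without changing anything on disk."""
    report = {}
    for path in find_index_files(root):
        with open(path, "rb") as fh:
            data = fh.read()
        # Ignore surrounding whitespace so a final newline is not flagged.
        report[path] = "stock" if data.strip() == STOCK_INDEX else "modified"
    return report

def build_demo_tree(root):
    """Constructed sample layout: one untouched install, one with extra content."""
    samples = {
        "Discord": STOCK_INDEX + b"\n",
        "DiscordCanary": STOCK_INDEX + b"\n// constructed extra line\n",
    }
    for name, content in samples.items():
        core = os.path.join(root, name, "app-0.0.0", "modules",
                            "discord_desktop_core-3", "discord_desktop_core")
        os.makedirs(core)
        with open(os.path.join(core, "index.js"), "wb") as fh:
            fh.write(content)

def run_demo():
    """Audit the constructed tree and key the result by install name."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return {os.path.relpath(p, root).split(os.sep)[0]: s
                for p, s in audit(root).items()}

if __name__ == "__main__":
    # On a real machine, pass the %LOCALAPPDATA% directory to audit() instead.
    for install, status in sorted(run_demo().items()):
        print(install, status)
```

A "modified" result only means the file differs from the bytes in the post; a Discord release that ships a different stock file would also be reported.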
Old 05/07/2022, 19:31   #20
 
minababytwice's Avatar
 
elite*gold: 0
Join Date: Feb 2019
Posts: 297
Received Thanks: 105
Quote:
Originally Posted by ilikebacon View Post
Imagine ignoring the proof that was actually provided. I'll let someone else handle providing that proof. I'm not installing that **** on my PC lmao
Even so, no one uses their own PC to test. There are VMs out there that you can use...
minababytwice is offline  
Old 05/08/2022, 01:13   #21
 
elite*gold: 0
Join Date: Mar 2019
Posts: 45
Received Thanks: 18
Edit: **** fff his cheats a rat
hermeser is offline  
Old 05/08/2022, 21:23   #22
 
elite*gold: 24
Join Date: Apr 2022
Posts: 37
Received Thanks: 7
I have had the crypto address swapping thing for a long time. Bypassed it by just copying parts of the address instead of all of it. It works on character length and the three characters in the beginning determining what crypto type it is for.

I was going through my hard drive like two weeks ago, I stumbled upon the file/script that changes the clipboard (somehow) and deleted it. It hasn't been an issue since and I have injected cobalt since then a dozen times.

Do I think Cobalt did this? More than likely. FFF's stories don't add up and are incredibly unlikely. There are so many layers just proving bullshit. Do I personally care? No. I don't have much on my PC to begin with, and it hasn't slowed down my PC at all. If it's mining anything, it's mining a very small amount over 21k+ users. I just don't care, but that's me.

If you are worried about it affecting your PC, don't use it. Use GCAIMX, ACD, anything else. Plenty of other good ones.
GetGood2Day is offline  
Old 05/13/2022, 01:27   #23
 
elite*gold: 0
Join Date: May 2022
Posts: 137
Received Thanks: 56
As this hasn't been posted here, here's the explanation.

Quote:
Hello everyone.

I feel awful that I have to make this announcement today, recently, we have found that Squish (who handles our servers and our overall site security) would regularly upload injected loaders to our servers while I was sleeping, and then replace them when I was online or awake.

I apologize for trusting the wrong person, This person has helped me in the past multiple times and I believed that I knew him and could trust him.

Squish was not related to cobalt development in any way and was simply meant to be handling DDoS protection and hosting.

From this point forward, I have revoked his passwords and credentials to all of Cobalt's servers. The site was not breached nor did he exploit the site.

**After being found out, Squish is now trying to extort me out of $10k and threatening to do more damage:**

He has also tried to turn my support members against me by sending them pictures of DMs out of context.

We are currently actively working with a new web developer, This should fix a bunch of the issues people were facing as Squish wasn't doing much.

The new website will feature a brand new design and many more functionalities

**I would also like to sincerely apologize to ACDiamond for accusing them of ratting my customers. I did not do this to sabotage them, as I believed they were the actual culprits, Squish found the "evidence" and convinced me of it as you can see from the following image ( The invite link was the ACDiamond server, but it has expired. ):**

**NOTE:**
If you would like to make sure you're safe, reinstall discord, and change your discord password and you should be fine, The infected version was not very sophisticated.

**NOTE:**
We have changed servers, and now you are perfectly safe running from the official website :thumbsup:

|| @everyone ||
fffcobalt is offline  
Old 05/13/2022, 02:07   #24


 
zebleer's Avatar
 
elite*gold: 49968
Join Date: Jul 2021
Posts: 2,031
Received Thanks: 1,359
Quote:
Originally Posted by fffcobalt View Post
As this hasn't been posted here, here's the explanation.
Like I said on the other post...

So your website/DDOS guy downloaded the loader from directory, somehow added malware to it despite its protection, then uploaded it again, always timing it with when you sleep?

& before this, the story was that there was no malware on your site at all, only Discord.

& before that, the story was that there was malware on your site but ACD hacked your site & added malware to your loader.

You're so full of **** & I cannot believe that your users are still lining up for your malware distribution.

zebleer is offline  
Thanks
1 User
Old 05/13/2022, 02:18   #25

 
ilikebacon's Avatar
 
elite*gold: 0
Join Date: Sep 2013
Posts: 2,106
Received Thanks: 632
Quote:
Originally Posted by zebleer View Post
Like I said on the other post...

So your website/DDOS guy downloaded the loader from directory, somehow added malware to it despite its protection, then uploaded it again, always timing it with when you sleep?

& before this, the story was that there was no malware on your site at all, only Discord.

& before that, the story was that there was malware on your site but ACD hacked your site & added malware to your loader.

You're so full of **** & I cannot believe that your users are still lining up for your malware distribution.


Added your screenshots
ilikebacon is offline  
Old 05/13/2022, 04:30   #26


 
Kernaim's Avatar
 
elite*gold: 60683
The Black Market: 199/0/1
Join Date: Dec 2021
Posts: 764
Received Thanks: 289
New announcements, the show never stops



Kernaim is offline  
Old 05/13/2022, 05:24   #27

 
ilikebacon's Avatar
 
elite*gold: 0
Join Date: Sep 2013
Posts: 2,106
Received Thanks: 632
Quote:
Originally Posted by Kernaim View Post
New announcements, the show never stops



Because kids can do it.


ilikebacon is offline  
Old 05/13/2022, 05:50   #28
 
elite*gold: 0
Join Date: Mar 2019
Posts: 45
Received Thanks: 18
Take a look at this

hermeser is offline  
Old 05/13/2022, 10:40   #29


 
DariXOne's Avatar
 
elite*gold: 50
Join Date: Jun 2016
Posts: 1,318
Received Thanks: 691
Quote:
Originally Posted by Kernaim View Post
New announcements, the show never stops



DariXOne is offline  
Thanks
1 User
Old 05/13/2022, 15:53   #30
 
SonGoku009's Avatar
 
elite*gold: 204
Join Date: Dec 2020
Posts: 421
Received Thanks: 135
Sorry I'm late but I just don't give a ****. It's funny that people are really surprised about this whole situation

SonGoku009 is offline  