VELOR2 | INTERNATIONAL | OPENING DATE 24.11.2023
Discussion on VELOR2 | INTERNATIONAL | OPENING DATE 24.11.2023 within the Metin2 PServer Advertising forum part of the Metin2 Private Server category.
01/21/2024, 20:36
#121
elite*gold: 0
Join Date: Apr 2020
Posts: 72
Received Thanks: 42
Quote:
Originally Posted by Anon_z2
After a long analysis by me and my friends we've determined that after running their launcher and getting into a game some cmds pop up and close in an instant. If you go to %appdata% -> roaming you'll notice some new files. A .bat file that seems to have a couple diff names "giy_SC.cmd", "calc.bat runs as calc.ps1". We've determined that it's a known rat called "ZGRat V1". Additionally it downloads "plugin3.mp4" that is an interesting file as well. Please find the proof below:
You can see the detailed analysis here as well as the replay monitor if you scroll on the webpage: 
"plugin3.mp3" file analysis: 
And if you all have doubts try to replicate this yourselves
Ty for this info
The same happened to me, about the cmd thing
The question is: does an antivirus program, with a full scan, detect what you found?
Because someone did like a full scan, but without detecting anything
01/21/2024, 20:42
#122
elite*gold: 24
Join Date: Apr 2022
Posts: 14
Received Thanks: 15
Quote:
Originally Posted by GrindrGrindr
Ty for this info
The same happened to me, about the cmd thing
The question is: does an antivirus program, with a full scan, detect what you found?
Because someone did like a full scan, but without detecting anything
AV isn't always the best way to see if a program is malicious or not. But from what me and my friend have managed to find it's a bit more advanced than we thought. If we manage to fully reverse it we'll come with an update.
But as I mentioned go into %appdata% -> roaming and search for the .bat file.
And upload it into an online vm for example to analyze what it does after you run it. I personally recommend https://tria.ge
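The advice in the two posts above (look for freshly dropped .bat/.cmd/.ps1 files under %appdata%, and submit them to a sandbox rather than trusting a full AV scan) can be turned into a repeatable check. The PowerShell below is an added example; it is not code from the thread, from Velor2 or from any of the posters. It inventories recently written script files under %APPDATA% and %LOCALAPPDATA%, hashes them, and flags stubs whose first lines hand off to PowerShell (the "calc.bat runs as calc.ps1" pattern reported above). The file names are the ones named in the thread; the 14-day window, the extra extensions (.vbs, .js) and the launch-pattern regex are assumptions to adjust for your own machine.

```powershell
# Added example, not code from the thread or from Velor2.
# Inventory recently written script files under %APPDATA% (Roaming) and %LOCALAPPDATA%,
# hash them, and flag the ones whose first lines hand off to PowerShell, so the files
# can be copied out and submitted to a sandbox (e.g. tria.ge) instead of being run again.
# File names below are the ones reported in the thread; the lookback window and the
# extra extensions (.vbs, .js) are assumptions you should adjust.

$SuspectNames = @('giy_SC.cmd', 'calc.bat', 'calc.ps1', 'plugin3.mp4', 'plugin3.mp3')
$ScriptExt    = @('.bat', '.cmd', '.ps1', '.vbs', '.js')
$LookbackDays = 14
$Roots        = @($env:APPDATA, $env:LOCALAPPDATA)
$Since        = (Get-Date).AddDays(-$LookbackDays)

# Strings that commonly appear when a .bat/.cmd stub launches a PowerShell stage.
# This is a heuristic (assumption), so expect some false positives.
$LaunchPattern = 'powershell|pwsh|-enc\b|-encodedcommand|-windowstyle\s+hidden|-executionpolicy\s+bypass|\biex\b|invoke-expression'

function Get-ScriptHead {
    param([string]$Path)
    try {
        # Read only the first few lines as text; never execute the file.
        return ((Get-Content -LiteralPath $Path -TotalCount 10 -ErrorAction Stop) -join "`n")
    } catch {
        return ''
    }
}

$Hits = foreach ($Root in $Roots) {
    if (-not (Test-Path -LiteralPath $Root)) { continue }
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since) -and
            (($ScriptExt -contains $_.Extension.ToLower()) -or ($SuspectNames -contains $_.Name))
        } |
        ForEach-Object {
            $Head = if ($ScriptExt -contains $_.Extension.ToLower()) { Get-ScriptHead $_.FullName } else { '' }
            [PSCustomObject]@{
                Path       = $_.FullName
                SizeBytes  = $_.Length
                Created    = $_.CreationTime
                LastWrite  = $_.LastWriteTime
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                NameMatch  = ($SuspectNames -contains $_.Name)   # matches a name reported in the thread
                LaunchesPS = [bool]($Head -match $LaunchPattern) # stub appears to start PowerShell
            }
        }
}

# Show the findings, most recent first, and keep a CSV to attach to a report or sandbox submission.
$Hits | Sort-Object Created -Descending |
    Format-Table Path, SizeBytes, Created, SHA256, NameMatch, LaunchesPS -AutoSize
$ReportPath = Join-Path $env:USERPROFILE 'appdata_script_inventory.csv'
$Hits | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host "Wrote $($Hits.Count) entries to $ReportPath"
```

Run it from a normal PowerShell prompt on the affected machine; it only reads files and writes one CSV. The SHA256 column is what to paste into a sandbox or hash-lookup service, which answers the "does a full AV scan catch it?" question from the other side: a clean scan means the vendor has no signature for that sample yet, not that the file is harmless, so the sandbox behaviour report is the evidence to go by.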
01/21/2024, 20:50
#123
elite*gold: 0
Join Date: Apr 2020
Posts: 72
Received Thanks: 42
Quote:
Originally Posted by Anon_z2
AV isn't always the best way to see if a program is malicious or not. But from what me and my friend have managed to find it's a bit more advanced than we thought. If we manage to fully reverse it we'll come with an update.
But as I mentioned go into %appdata% -> roaming and search for the .bat file.
And upload it into an online vm for example to analyze what it does after you run it. I personally recommend 
Can you add me through discord? please
01/22/2024, 23:48
#124
elite*gold: 0
Join Date: Jul 2012
Posts: 1,554
Received Thanks: 484
Are you guys sure this is not related to this?
01/23/2024, 02:39
#125
elite*gold: 0
Join Date: May 2013
Posts: 245
Received Thanks: 149
Thank *** I stopped playing the server a few days before this exploit appeared. I hope you guys didn't open these type of messages. The levels of incompetence from the administration are insane. For many reasons, but this is just insane. Velor 3 hype!
01/23/2024, 08:59
#126
elite*gold: 0
Join Date: Jan 2021
Posts: 113
Received Thanks: 118
GG
01/23/2024, 10:23
#127
elite*gold: 24
Join Date: Apr 2022
Posts: 14
Received Thanks: 15
Quote:
Originally Posted by HappyMajor
Are you guys sure this is not related to this?
From what I've been able to see it's a bit different. You just have to run their launcher in order to get ratted. You don't need to click on any items or do anything else. Also their staff and the owner are completely clueless and they assure users "everything is fine" instead of taking the server offline.
01/23/2024, 12:03
#128
elite*gold: 0
Join Date: May 2019
Posts: 1
Received Thanks: 1
They banned me on their discord server for exposing this topic and the subject, such a shame.
01/23/2024, 12:09
#129
elite*gold: 25
Join Date: Sep 2022
Posts: 10
Received Thanks: 6
Quote:
Originally Posted by Anon_z2
After a long analysis by me and my friends we've determined that after running their launcher and getting into a game some cmds pop up and close in an instant. If you go to %appdata% -> roaming you'll notice some new files. A .bat file that seems to have a couple diff names "giy_SC.cmd", "calc.bat runs as calc.ps1". We've determined that it's a known rat called "ZGRat V1". Additionally it downloads "plugin3.mp4" that is an interesting file as well. Please find the proof below:
You can see the detailed analysis here as well as the replay monitor if you scroll on the webpage:  "plugin3.mp3" file analysis: 
And if you all have doubts try to replicate this yourselves
I am one of the guys who investigated with Anon and yeah, after reversing a lot of encoded and obfuscated shits, it ended up to be a RAT. I reported to staff as soon as I got infected. I talked with a team manager and he told me it's impossible etc etc., completely neglected after I showed him entirely how the virus works. They are now lying in discord announcements after taking the server down that it was completely harmless. Also mentioning that it's something unseen in the metin2 scene, cringe af.
I'm mad that I reported this 3 days ago and they are still telling lies about being harmless while hundreds of people are getting infected; in my opinion this is not acceptable, I have a lot of private data in my PC, this can't be tolerated.
They are now muting me on chats and deleting my messages:

EDIT 1:
I got banned for exposing:
01/23/2024, 17:37
#130
elite*gold: 0
Join Date: Jun 2018
Posts: 2,283
Received Thanks: 2,316
Quote:
Originally Posted by Exploiter1007
I am one of the guys who investigated with Anon and yeah, after reversing a lot of encoded and obfuscated *****, it ended up to be a RAT. I reported to staff as soon as I got infected. I talked with a team manager and he told me it's impossible etc etc., completely neglected after I showed him entirely how the virus works. They are now lying in discord announcements after taking the server down that it was completely harmless. Also mentioning that it's something unseen in the metin2 scene, cringe af.
I'm mad that I reported this 3 days ago and they are still telling lies about being harmless while hundreds of people are getting infected; in my opinion this is not acceptable, I have a lot of private data in my PC, this can't be tolerated.
They are now muting me on chats and deleting my messages:
EDIT 1:
I got banned for exposing: 
Is it just velor at the moment or are other big servers affected as well?
01/23/2024, 19:00
#131
elite*gold: 25
Join Date: Sep 2022
Posts: 10
Received Thanks: 6
Quote:
Originally Posted by M2Trading
Is it just velor at the moment or are other big servers affected as well?
It looks like the RCE exploit was already reported before on Metin2 Rodnia. I didn't see any reports on Rodnia and I also play there.
01/23/2024, 19:55
#132
elite*gold: 97
Join Date: Sep 2016
Posts: 22
Received Thanks: 23
Dear players and members of the Velor2 community,
We would like to address some of your questions that have been circulating over the past days.
What happened?
- We have faced an exploit that was opening players' CMDs to cause chaos and have attempted to destroy our server by manipulating players into thinking that they got hacked through our client, which was not the case, as everything that has happened was completely harmless.
- Our case was totally different from the one posted on m2dev. That's how it started and eventually it ended up being way worse than expected.
Is the server secured now?
After long hours of constant work and stress, we have managed to find and immobilize the problem!
Our server is fully secured and nothing that has happened will ever happen again.
What's happening next?
We have prepared big updates for the upcoming period; although this problem has turned ourselves upside down, we are still ready to work and bring the best updates we can. To be a bit more specific, the next update will be something new for metin2.
We know that we lack communication and we want to apologize for that. This issue has been critical and we never expected to face such a problem.
In conclusion, we would like to extend our deepest gratitude to all the players and members of the Velor2 community who supported us during this trying time. Your trust in us and your commitment to Velor2 are the driving forces that motivate us to continue providing you with the best possible gaming experience. Together, we will continue to progress and grow, ensuring that the Velor2 community remains a safe, enjoyable, and thrilling place for all.
Warm regards,
The Velor2 Team
01/23/2024, 20:21
#133
elite*gold: 24
Join Date: Apr 2022
Posts: 14
Received Thanks: 15
Quote:
Originally Posted by braxy122
Dear players and members of the Velor2 community,
We would like to address some of your questions that have been circulating over the past days.
What happened?
- We have faced an exploit that was opening players' CMDs to cause chaos and have attempted to destroy our server by manipulating players into thinking that they got hacked through our client, which was not the case, as everything that has happened was completely harmless.
- Our case was totally different from the one posted on m2dev. That's how it started and eventually it ended up being way worse than expected.
Is the server secured now?
After long hours of constant work and stress, we have managed to find and immobilize the problem!
Our server is fully secured and nothing that has happened will ever happen again.
What's happening next?
We have prepared big updates for the upcoming period; although this problem has turned ourselves upside down, we are still ready to work and bring the best updates we can. To be a bit more specific, the next update will be something new for metin2.
We know that we lack communication and we want to apologize for that. This issue has been critical and we never expected to face such a problem.
In conclusion, we would like to extend our deepest gratitude to all the players and members of the Velor2 community who supported us during this trying time. Your trust in us and your commitment to Velor2 are the driving forces that motivate us to continue providing you with the best possible gaming experience. Together, we will continue to progress and grow, ensuring that the Velor2 community remains a safe, enjoyable, and thrilling place for all.
Warm regards,
The Velor2 Team
How was it completely harmless? If that's really the case go ahead and upload the .bat file in your appdata into tria.ge or a similar platform.
Y'all are clearly clueless.
If you still say it was harmless, please enlighten us with your analysis of the .bat file and everything that happened.
I presume you've done one
01/23/2024, 22:28
#134
elite*gold: 25
Join Date: Sep 2022
Posts: 10
Received Thanks: 6
Quote:
Originally Posted by braxy122
Dear players and members of the Velor2 community,
We would like to address some of your questions that have been circulating over the past days.
What happened?
- We have faced an exploit that was opening players' CMDs to cause chaos and have attempted to destroy our server by manipulating players into thinking that they got hacked through our client, which was not the case, as everything that has happened was completely harmless.
- Our case was totally different from the one posted on m2dev. That's how it started and eventually it ended up being way worse than expected.
Is the server secured now?
After long hours of constant work and stress, we have managed to find and immobilize the problem!
Our server is fully secured and nothing that has happened will ever happen again.
What's happening next?
We have prepared big updates for the upcoming period; although this problem has turned ourselves upside down, we are still ready to work and bring the best updates we can. To be a bit more specific, the next update will be something new for metin2.
We know that we lack communication and we want to apologize for that. This issue has been critical and we never expected to face such a problem.
In conclusion, we would like to extend our deepest gratitude to all the players and members of the Velor2 community who supported us during this trying time. Your trust in us and your commitment to Velor2 are the driving forces that motivate us to continue providing you with the best possible gaming experience. Together, we will continue to progress and grow, ensuring that the Velor2 community remains a safe, enjoyable, and thrilling place for all.
Warm regards,
The Velor2 Team
Only CAP, the exploit from m2dev is hardly related to what you are currently facing, I'm pretty sure; it's just a python library that shouldn't be used.
If you all claim that it was harmless, explain what those files were. You can't explain because it took me 2 days to get the main payload after many layers of encryption and obfuscation. Of course you have almost nonexistent malware analysis experience, otherwise you wouldn't tell your community it's safe to have a .bat file running in your PC.
01/24/2024, 10:36
#135
elite*gold: 0
Join Date: Oct 2021
Posts: 58
Received Thanks: 104
Quote:
Originally Posted by braxy122
Dear players and members of the Velor2 community,
We would like to address some of your questions that have been circulating over the past days.
What happened?
- We have faced an exploit that was opening players' CMDs to cause chaos and have attempted to destroy our server by manipulating players into thinking that they got hacked through our client, which was not the case, as everything that has happened was completely harmless.
- Our case was totally different from the one posted on m2dev. That's how it started and eventually it ended up being way worse than expected.
Is the server secured now?
After long hours of constant work and stress, we have managed to find and immobilize the problem!
Our server is fully secured and nothing that has happened will ever happen again.
What's happening next?
We have prepared big updates for the upcoming period; although this problem has turned ourselves upside down, we are still ready to work and bring the best updates we can. To be a bit more specific, the next update will be something new for metin2.
We know that we lack communication and we want to apologize for that. This issue has been critical and we never expected to face such a problem.
In conclusion, we would like to extend our deepest gratitude to all the players and members of the Velor2 community who supported us during this trying time. Your trust in us and your commitment to Velor2 are the driving forces that motivate us to continue providing you with the best possible gaming experience. Together, we will continue to progress and grow, ensuring that the Velor2 community remains a safe, enjoyable, and thrilling place for all.
Warm regards,
The Velor2 Team
Could you explain what exactly the problem was so that users can decide for themselves whether everything is ok again?
The statement is completely useless and meaningless.
It sounds like: yes, your PCs are now in danger and personal data has been leaked, but keep on playing, events are coming soon and nothing else matters.