Reposted here because the other post was in the wrong forum.
Here is my analysis of the malware within W-thunder sold by Patriot USA. I will make it shorter.
On Jul 1, after a long-awaited update, W-thunder finally worked again.
I had been using W-thunder for a long time and was doing analysis back then to defend it against the RAT allegations.
Please note that the setup I use was always the same! It never changed!
Everything, the PC, the UniFi console... it's the same setup.
After a certain number of hours of play I got the first warning from my UniFi console.
At first, this looked like just a false warning, so I ignored it.
About 4 hours later I turned off the cheese and proceeded with my normal daily life.
This thing popped up; I didn't mind much, as again it could be just a false alarm.
Later on the same day, approx. 11 PM EDT:
And then at 3 AM (when I was not playing):
Same the next day.
The trend repeated on Jul 3 even though I didn't play at all during those hours.
At this point I realized something was messed up with the PC, so I did a clean install.
Though this malware is most commonly found in cracked software, I only use licensed software or trusted open source. There is no chance this would cause a problem, or it would pop up as a massive Reddit post about that software.
It was at that time I remembered why the first indicator happened in the first place.
So what I did was get Wireshark, Portmaster, and ph2 to see what was going on.
After spending hours filtering out network noise and telemetry, it was testing time.
At first, beside a connection to Frankfurt in Germany, nothing went sideways (my console didn't even pick up the malware alert). This made me think that there was probably some infected file and the clean install cleaned it too.
On Jul 4, like most Americans, I spent most of my day with family and outdoors.
When I got home, this is what I got:
At this point my threat vector is very clear, as the only 2 things really installed on my PC are War Thunder and W-thunder, or ASWT as you want to call it.
I asked my team, which is a bunch of nerds working in IT and network specialists.
And they picked up the same stuff despite us being on different continents.
After we nuked our PCs one last time, the attack stopped.
This for us is enough to conclude the attack:
Method of attack: Dnslivery
Type of malware: ViperSoftX
How users get infected: inject.
Reasons why this isn't a false alarm:
- Heartbeat call even after the user restarts their PC (yes, it is always a good thing to restart your PC right after you're done playing)
- Heartbeat while they are not using the cheese.
- Heartbeat signal is huge and encoded.
- Heartbeat attempts to invoke a shell.
- If malware was detected on inject, you would expect it to be incoming traffic when it loads the DLL instead of outgoing.
-------------
The mistake on my part is I didn't save a copy of the Wireshark TCP dump, which also had signals of this traffic going out and DNS coming in. I sadly nuked it in the last nuke.
I recommend people test for themselves and judge for themselves!
I recommend users who have used this product do a full clean reinstall of their PC!
I do hope the dev of the cheat realizes what is going on; it might be that their system got compromised.
Stay safe!
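One way to check the "heartbeat" indicators listed in the post (queries at regular intervals, long encoded-looking labels, TXT lookups, activity at hours when nobody is playing) against a DNS query log. This is an added example written for this repost, not code from the original poster; the log lines, the `beacon.invalid` domain and the thresholds are constructed assumptions, not tuned to ViperSoftX.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log ("timestamp client qname qtype"); NOT data from the post.
SAMPLE_LOG = """\
2025-07-03T03:00:02 10.0.0.5 www.example.com A
2025-07-03T03:00:05 10.0.0.5 zmfudgvzc2fnzsbiyxnlmzi6aga5.beacon.invalid TXT
2025-07-03T03:01:05 10.0.0.5 mjvscghlbgwgy29tbwfuzcbpbnzva2u7d.beacon.invalid TXT
2025-07-03T03:02:05 10.0.0.5 nbxgzjlhyj2cjbsvlfgyg2xdyyapg3wa.beacon.invalid TXT
2025-07-03T03:03:05 10.0.0.5 kl4ydqgrdlrpdwpdxjdqhtc3dwacmzj2.beacon.invalid TXT
2025-07-03T03:04:40 10.0.0.5 cdn.example.net A
"""

def shannon_entropy(text):
    """Bits per character; random-looking encoded labels score high (> ~3.3)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encoded(qname, min_len=24, min_entropy=3.0):
    """True when the subdomain part (everything before the last two labels) is long and high-entropy.
    Taking the last two labels as the 'parent' domain is a simplification (assumption)."""
    sub = ".".join(qname.lower().rstrip(".").split(".")[:-2])
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy

def find_dns_beacons(log_text, min_queries=3, max_jitter=0.25):
    """Group queries by (client, parent domain); flag groups whose queries carry
    encoded-looking labels AND arrive at a regular interval (low jitter)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, qname, qtype = line.split()
        parent = ".".join(qname.lower().rstrip(".").split(".")[-2:])
        groups[(client, parent)].append((datetime.fromisoformat(ts), qname, qtype))
    findings = []
    for (client, parent), rows in groups.items():
        rows.sort()
        encoded = sum(looks_encoded(q) for _, q, _ in rows)
        if len(rows) < min_queries or encoded < min_queries:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0  # 0 = perfectly periodic
        if jitter <= max_jitter:
            findings.append({"client": client, "domain": parent, "queries": len(rows),
                             "interval_s": round(mean),
                             "txt_queries": sum(t == "TXT" for _, _, t in rows)})
    return findings

if __name__ == "__main__":
    for finding in find_dns_beacons(SAMPLE_LOG):
        print("possible DNS beacon:", finding)
```

Real traffic needs tuning (CDNs and some telemetry also use long, odd-looking labels), so treat a hit as something to pivot on with the full pcap, not as proof by itself.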