Page 1 of 2 (results 1 to 15 of 23)
#1 Killer Be Killed

    Riigged approved a .sol stealer

    TL;DR Riigged approved a sol stealer, read below to see what the situation is

    What happened?

    Yesterday, a thread titled "[Release] Lithic v1.6b (release 2)" was posted. The thread was approved by Riigged but was not checked thoroughly enough.

    This is the link to the thread: https://www.mpgh.net/forum/showthread.php?t=1440962

    If you follow that link, you will end up on the "Invalid link specified" page. This is not a mistake in the link URL. The post was deleted about an hour ago.

    What was the thread?

    The thread was a release of a program which was "like haveibeenpwnd.com but for RotMG account themselves". Unfortunately I don't have an archive of the thread, but I do have the preview of the link.



    If you want to know what the program looked like/what it did, watch this, which was included in the post.

    .sol stealer?

    I thought the post looked pretty suspicious, so I downloaded it and did some digging around.

    Turns out, there was a really obvious .sol stealer built into the program. And I mean really obvious.

    Again, I didn't archive the post, so I don't have my original comment, but the gist of it was:

    The program...

    • Tries to start a new (hidden) process when the program is run
    • The process which it starts is hidden within some nested folders in node_modules
    • That process finds all of your rotmg.sol files, and sends them to a Discord webhook.

    Why does this matter?

    Last time there was an account stealer approved on MPGH, it was a big deal. A post was made detailing what happened, and this gave users which might have been affected a chance to take some action, such as changing their passwords. The minion which approved the malicious program was also investigated and eventually demoted.

    Obviously, the last breach had a far greater impact than this one has, so the comparison may be a little contrived, but there are some points that still stand:

    • Affected users have no way of knowing they are affected, unless they were lucky enough to see my original comment in the 2 hours it was there before the thread was deleted.
    • Anyone who didn't see the program or the comment is none the wiser, and the minion's reputation remains clean in their eyes, which it is obviously not.


    It is a little suspicious that the thread was approved and no comment was left by the minion which actually approved it. Especially considering how obvious the sol stealer was. I think it's even more suspicious that the thread has now been deleted without a trace of it ever existing.

    It gets worse.

    If you thought it was bad enough that a minion approved a .sol stealer, then your jaw will fucking drop at the fact that this guy posted two versions of the program, and both were approved.

    Yep.

    Here is a link to a cache showing the first time the program was posted.

    Obviously the minions can't catch every single malicious program, and I don't expect them to. But seriously, this sol stealer was ridiculously obvious, and it was approved both times it was uploaded! Was the file never checked at all?

    I hate to be the guy that "CCs in the contractor's boss", but seriously, @Ahlwong I think it's unbelievable that the minions can approve two sol stealers, then act like it never happened.

    What about the people who actually downloaded the program and ran it? How will they ever know they were affected by a sol stealer if there is no announcement of this event occurring?

    Misc.

    Link to an Imgur album containing screenshots of the sol stealer code.

    Link to a pastebin containing the code of the decompiled program.

    Link to a pastebin containing the Hookblock.exe code that was referenced by the program.

    Link to the cache of the first version posted.


    If nothing else happens, at least make some kind of announcement letting people know that they may have been affected if they downloaded and used this program.
    Last edited by Riigged; 03-27-2019 at 01:09 PM.

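The behaviour described in the post above (a hidden executable buried under node_modules that collects rotmg.sol from the Flash Player #SharedObjects tree) suggests two quick checks a reviewer or an affected user can run. The script below is an added example and is not the thread's or Lithic's code: it lists every rotmg.sol under the shared-objects tree with its size and hash, and sweeps an extracted release for PE images hidden under node_modules, including ones renamed to something other than .exe. The #SharedObjects location is the standard Flash Player path; the site folder name and all file contents in the fixture are constructed for the demonstration.

```python
"""Triage checks for a .sol stealer of the kind described above.
Added example, not the thread's code; the fixture data is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def flash_shared_objects_root() -> Path:
    """Standard Flash Player LSO directory on Windows, where rotmg.sol lives."""
    return Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player" / "#SharedObjects"


def find_sol_files(root: Path, name: str = "rotmg.sol") -> list:
    """(path, size, sha256) for every file named `name` under root.

    This is what the stealer collects, so an affected user can see exactly
    which saved-login blobs were on disk to be taken.
    """
    hits = []
    if not root.is_dir():
        return hits
    for p in root.rglob("*"):
        if p.is_file() and p.name.lower() == name:
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            hits.append((str(p), p.stat().st_size, digest))
    return sorted(hits)


def find_hidden_executables(release_root: Path) -> list:
    """Relative paths of files under any node_modules directory that are PE
    images (MZ magic) whatever their extension, plus anything ending in .exe."""
    hits = []
    for p in release_root.rglob("*"):
        if not p.is_file() or "node_modules" not in p.parts:
            continue
        with p.open("rb") as fh:
            magic = fh.read(2)
        if magic == b"MZ" or p.suffix.lower() == ".exe":
            hits.append(p.relative_to(release_root).as_posix())
    return sorted(hits)


def build_fixture(base: Path) -> tuple:
    """Constructed tree mirroring the described layout; none of this is real data."""
    site = base / "#SharedObjects" / "ABCDEF12" / "rotmg-host.invalid"  # placeholder site folder
    site.mkdir(parents=True)
    (site / "rotmg.sol").write_bytes(b"\x00\xbf" + b"\x00" * 30)          # dummy LSO bytes
    release = base / "Lithic"
    deep = release / "node_modules" / "pkg" / "lib" / "deep"
    deep.mkdir(parents=True)
    (release / "app.js").write_text("console.log('ok');\n")
    (release / "node_modules" / "pkg" / "index.js").write_text("module.exports = {};\n")
    (deep / "HookBlock.exe").write_bytes(b"MZ" + b"\x00" * 62)           # dummy PE, obvious name
    (deep / "data.bin").write_bytes(b"MZ" + b"\x00" * 62)                # dummy PE, harmless-looking name
    return base / "#SharedObjects", release


def run_demo() -> dict:
    """Build the fixture in a temp dir and run both checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        so_root, release = build_fixture(Path(tmp))
        return {
            "sol_files": find_sol_files(so_root),
            "hidden_executables": find_hidden_executables(release),
        }


if __name__ == "__main__":
    # On a real machine pass flash_shared_objects_root() and the folder the
    # release was extracted into instead of the fixture.
    for key, value in run_demo().items():
        print(key)
        for item in value:
            print("  ", item)
```

Checking the MZ magic rather than the extension is the point of the second sweep: a dropped binary does not need to be called HookBlock.exe, and the text's own observation that it sat in nested node_modules folders is exactly why a directory walk beats eyeballing the top-level folder.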

#2 En236
    Yeah, I was gonna point out that it seems sketchy, but I didn't say anything about that since it was mod approved. Really goes to show how this place has been lately.

#3 Ahl
    Users who downloaded the attachments:

    Lithic 1.6b v1:
    @BoredBro
    @weetu
    @mr hai
    @plsbegood
    @AllYourX

    Lithic 1.6b v2:
    @Sadat
    @manchesterek
    @Averain
    @Maltense
    @SnugglyBanana
    @citydrifter

    Please secure your account ASAP if you ran this program.

    It is possible the accounts may have lost characters, pets and items already.

    Since the file is a .sol stealer, you just need to delete it from your computer.

    On behalf of MPGH Staff, we're sorry these 2 files got through.
    News Force Head Editor from 09/14/2018 - 03/02/2020
    Publicist from 11/23/2017 - 06/07/2019
    Global Moderator since 09/24/2017
    Minion+ from 04/16/2017 - 09/24/2017
    Market Place Minion from 04/16/2017 - 09/24/2017
    Minecraft Minion from 02/23/2017 - 09/24/2017
    Realm of the Mad God Minion from 11/06/2016 - 09/24/2017

    Middleman from 09/14/2016 - 09/24/2017
    News Force Editor from 08/23/2016 - 09/14/2018
    News Force (Section of the Week) from 03/21/2016 - 07/17/2017
    News Force (User News) from 10/18/2015 - 09/14/2018

    Donator since 03/16/2015
    Realm of the Mad God Editor from 05/20/2014 - 07/08/2014
    Member since 12/23/2012




#4 mr hai
    So.. am I fine if I change my password and delete the file from my computer?

#5 Ahl
    Quote Originally Posted by mr hai:
    > So.. am I fine if I change my password and delete the file from my computer?
    Yes.

    If you used your RotMG password for anything else, I recommend changing those as well just to minimize any potential risks of this person trying to access other accounts.


#6 citydrifter
    I have the files in the recycle bin lol... I also thought it was yoinked since it was scanning in the Macromedia directory, but never had the time to fully decompile and check. When something is too good to be true or so useless, it probably is so. When he left the node_modules, that's a dead giveaway.
    Last edited by citydrifter; 03-27-2019 at 10:11 AM.

#7 hokko
    Quote Originally Posted by citydrifter:
    > I have the files in the recycle bin lol... I also thought it was yoinked since it was scanning in the Macromedia directory, but never had the time to fully decompile and check. When something is too good to be true or so useless, it probably is so.
    How do you know it was scanning in the Macromedia directory?
    What software you used to detect it?

#8 citydrifter
    Quote Originally Posted by hokko:
    > How do you know it was scanning in the Macromedia directory?
    > What software you used to detect it?
    A .NET decompiler.
    Actually I'm not sure, but it would iterate over all the files in Chrome (User Data); he could've even stolen cookies if he wanted.
    The Form1.resx file (base64 encoded) was the file that created the HookBlock binary once you open it. It looked for the popular rotmg.sol created by the 059.swf.
    Last edited by citydrifter; 03-27-2019 at 10:40 AM.
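The first post and the reply above together describe the drop mechanism: the decompiled .NET program carries HookBlock.exe as a base64 byte array inside Form1.resx, writes it out, and that binary posts rotmg.sol files to a Discord webhook. The script below is an added example, not the thread's or the program's code: it pulls every base64 byte-array resource out of a .resx, checks whether it is a PE image, and string-scans the payload (ASCII and UTF-16LE, since .NET literals are UTF-16) for webhook URLs and Flash shared-object paths. The .resx element layout is the standard one; the resource name, the payload bytes and the webhook URL are constructed for the demonstration and are not taken from the real sample.

```python
"""Find and triage a base64-embedded executable in a .resx resource file.
Added example, not the thread's code; the sample resx and payload are constructed."""
import base64
import binascii
import re
import struct
import xml.etree.ElementTree as ET

# Indicators worth looking for in a dropped payload of this kind.
WEBHOOK_RE = re.compile(r"https://(?:discord|discordapp)\.com/api/webhooks/\d+/[A-Za-z0-9_-]+")
SOL_RE = re.compile(r"rotmg\.sol|#SharedObjects|Macromedia", re.IGNORECASE)
ASCII_STR_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_STR_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # .NET string literals are UTF-16LE


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE runs, like `strings` but for both encodings."""
    found = [m.group().decode("ascii") for m in ASCII_STR_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_STR_RE.finditer(data)]
    return found


def scan_payload(data: bytes) -> dict:
    """Report whether the blob is a PE and which indicators its strings carry."""
    strings = extract_strings(data)
    return {
        "is_pe": is_pe(data),
        "webhooks": sorted({u for s in strings for u in WEBHOOK_RE.findall(s)}),
        "sol_refs": sorted({s for s in strings if SOL_RE.search(s)}),
    }


def scan_resx(resx_xml: str) -> list:
    """Decode every <data><value> that is base64 and report the ones that are PE images."""
    findings = []
    for data_el in ET.fromstring(resx_xml).iter("data"):
        value_el = data_el.find("value")
        if value_el is None or not value_el.text:
            continue
        try:
            blob = base64.b64decode(value_el.text.strip())
        except (binascii.Error, ValueError):
            continue                      # ordinary string resource, not a byte array
        if blob[:2] != b"MZ":
            continue
        report = scan_payload(blob)
        report.update(name=data_el.get("name"), size=len(blob))
        findings.append(report)
    return findings


def build_fake_payload() -> bytes:
    """Constructed MZ/PE-shaped blob carrying the indicators; it is not a runnable executable."""
    webhook = "https://discordapp.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN"  # placeholder
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x80)                  # e_lfanew -> 0x80
    header += b"\x00" * (0x80 - len(header)) + b"PE\x00\x00"
    body = b"\x00" * 16 + webhook.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * 8 + r"%APPDATA%\Macromedia\Flash Player\#SharedObjects\rotmg.sol".encode("utf-16-le")
    return bytes(header) + body


def build_fake_resx(payload: bytes) -> str:
    """Constructed Form1.resx fragment: one ordinary string plus one byte-array resource."""
    b64 = base64.b64encode(payload).decode()
    return (
        "<root>\n"
        '  <data name="Label1.Text"><value>Checking your account...</value></data>\n'
        '  <data name="HookBlock" type="System.Byte[], mscorlib"\n'
        '        mimetype="application/x-microsoft.net.object.bytearray.base64">\n'
        f"    <value>{b64}</value>\n"
        "  </data>\n"
        "</root>\n"
    )


if __name__ == "__main__":
    # On a real sample: scan_resx(open("Form1.resx", encoding="utf-8").read())
    for finding in scan_resx(build_fake_resx(build_fake_payload())):
        print(finding)
```

The UTF-16LE pass matters in practice: a plain `strings` run over a .NET binary misses its literals, so a webhook URL or a hard-coded path can sit in the dropped file without showing up. A hit on both a webhook URL and a #SharedObjects path in one resource is the combination the thread describes, and is reason enough to treat the whole release as hostile rather than to keep decompiling.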

#9 BoredBro
    As I said, useless RotMG section minions xD. One of the advantages of running programs in a sandbox.


#10 Riigged
    Quote Originally Posted by BoredBro:
    > As I said, useless RotMG section minions xD. One of the advantages of running programs in a sandbox.
    With that logic, wouldn't everybody be useless? Get it? Because you called me useless for one mistake? And each and every person in the world has made thousands of mistakes? Haha? Hahahaha?

    My point is you are in no position to call anybody useless¿


#11 citydrifter
    Quote Originally Posted by BoredBro:
    > As I said, useless RotMG section minions xD. One of the advantages of running programs in a sandbox.
    Tbh you can analyze with Fiddler and see what API the program is using, like it should be required to use localhost like krelay, or run it in a VM and take the time to analyze the software if you don't know anything about code too. I hate to admit it, but I can't agree enough with you.


#12 BoredBro
    But Fiddler is to analyze the traffic, among other things. In a sandbox this type of malicious program does not represent any threat, and that should be the work of the minions. For example, if KBK had not exposed that, nothing would have been known. Another example: they banned the publication of CC without further ado. All my comments about the minions are sarcasm, but from the moment they applied they should have been aware of this kind of situation. Everyone knows that a minion is not paid or that they have a real life, but they should also be aware of their limitations in accepting a role like this.

#13 Riigged
    Quote Originally Posted by BoredBro:
    > All my comments about the minions are sarcasm, but from the moment they applied they should have been aware of this kind of situation. Everyone knows that a minion is not paid or that they have a real life, but they should also be aware of their limitations in accepting a role like this.
    Good way to put it. That is why I am resigning. I've been trying to get this position for 5 years+; back then, I would've punched 9 holes in my wall and screamed for 2 hours after getting the minion position, along with spending 10+ hours daily on the site (yes, it was ACTUALLY that bad, ask anybody who knew me back then, I was an MPGH ADDICT), but when I got it months ago, it just wasn't as exciting, and up until a few weeks ago I've rarely even been coming on, just doing a casual moderation check once a night basically. It's getting to the point where it's not that I don't have time to moderate, but I don't even have time to flip open my laptop unless it's for business (I bought the laptop due to being out of the house so much, away from my desktop). Of course, now I am 20 years old with a management position IRL, so you can imagine how much time I DON'T HAVE; like, for fuck's sake, look at my damn avatar, it's still Christmas themed.

    So when I downloaded this guy's file, I decompiled it and skimmed (because I have no time, like it really ain't a joke, I can't stress it enough) the code and saw nothing wrong. I saw that it messed with the .sol file, but I didn't know it was being sent outside of the program, mainly because the program I decompiled and read code from wasn't the program that executed it; there was apparently a hidden program in one of the folders, and I didn't even check the folder, so I didn't even know there was a program hidden. So I am sorry to anyone who possibly got affected (pretty sure none, though).

    And I don't think CC got banned from being posted, it's just that when CrazyJani is active, only he gets posting privileges since it's his creation (why do you think 059 clients are always posted by 059? He's not always the first to post it, but it's his cheat so he gets first). As long as he's not actively posting a CC every update, I'm pretty sure CC is fine to upload.


#14 RealmServices
    Rip another minion.

#15 Riigged
    Quote Originally Posted by RealmServices:
    > Rip another minion.
    Well, I resigned because me having no time to sit down and check files THOROUGHLY is what caused this situation... and with my schedule I really have no time ever at all, so it would be bound to happen again in the future if I stayed on as staff, so I resigned lol

