QuantV Malware
-
Breaking info:
The 'QuantV' graphics mod for GTA V (which also offers a version for FiveM) has been claimed to contain code to remotely wipe files (in case of remote admin decision?)
Initial investigation shows these claims are correct.
Developing story, more updates soon.
https://twitter.com/FiveM/status/1566046205041410049
https://www.sportskeeda.com/gta/news-quantv-graphics-mod-gta-5-found-serious-malware
To be precise, the offending code is in the 'QuantV.asi' file, which contains oddly obfuscated strings that, among other things (still to be investigated), run 'rmdir' on an enumeration of drive letters.
-
News is spreading. Apparently Quant also stole code from NVE and used code from RDR2. I wonder how many systems have been compromised. People don't expect a trojan or virus in paid software, so it is the perfect trap.
https://www.lcpdfr.com/forums/topic/124661-quantv-malicious-code/
https://rage.re/t/quantv-rmdir-s-q-incident-report-2022-09-03/92
Timeline
Yesterday 7:48 AM: I was informed that there was some lore being spread regarding ‘a trojan virus with drive exterminator’ in the native DLLs bundled with QuantV.
Yesterday 7:52 AM: A buyer sent a copy of a legitimately purchased version of QuantV to me for analysis.
Yesterday 8:07 AM: Analysis started on QuantV.asi, with a file time of September 1, 2022 8:06 AM, a PE timestamp of August 29, 2022 5:34 PM, and a SHA256 hash of 5cfd77770ebbb279f6d998c7d000724259a6c9bb013f3a70a3940337441bf5e6.
Yesterday 8:14 AM: Code that contained a list of drive letters and called system() on some obfuscated (XOR’d) string was discovered. Investigation continued.
Yesterday 8:51 AM: A tweet informing about this was posted. As the lore was already being spread, this was considered a responsible course of action.
Yesterday 3:30 PM: More investigation was performed, enbhelper.dll was confirmed as malicious as well, and it appears that a non-functional internet connection will ‘nullify’ the HTTP check at least. The plugin also seems to use/store a flag in some .ini file, as well as a x64\data\errorcodes\romanian.txt in the game directory being used as a trigger flag.
Today 1:13 PM: A newer build has been released (with file times of September 4, 2022, and a few days newer PE timestamp) which does not include the malicious code in QuantV.asi, though it still is included in enbhelper.dll. Regrettably, the author denies having been involved in this, instead going with FUD explanations, looking like a cover-up operation. Notably, however, both versions very much look built from the same source code, and the server checks using the same XOR string library are still in.
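The incident report above describes the tell-tale pattern (a table of drive letters next to a system() call on an XOR'd string) without publishing the key or the encoding scheme. The script below is an added example for this thread, not code from the rage.re report or from QuantV: it assumes the simplest scheme, a single repeating XOR byte, brute-forces all 256 keys over a binary, and flags decoded printable runs that contain drive paths or destructive shell tokens. Key 0 is plaintext, so the same pass also catches unobfuscated 'rmdir' or 'del' commands. The sample blob, the 0x5A key and the 'X:\' placeholder for the enumerated drive letter are constructed for the demo.

```python
"""Triage for XOR-hidden shell commands in a native game plugin (.asi/.dll).

Added example, not code from the rage.re incident report or from QuantV. The
report says QuantV.asi held a drive-letter list and passed an XOR'd string to
system(), but gives neither the key nor the scheme; this assumes a single
repeating key byte and brute-forces it. Key 0 covers plaintext strings.
"""
import re
import string

# Tokens a drive-wiping command line would typically carry.
SUSPICIOUS = (b"rmdir", b"rd ", b"del ", b"erase ", b"format ", b"cmd.exe", b"/s /q")
DRIVE_PATH = re.compile(rb"[A-Za-z]:\\")

# Printable ASCII minus vertical tab / form feed, which never appear in shell text.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def ascii_runs(data: bytes, min_len: int = 6):
    """Yield (offset, run) for every printable-ASCII run of at least min_len bytes."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, data[start:i]
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def score(run: bytes) -> int:
    """Count destructive-command indicators in one decoded run."""
    low = run.lower()
    return sum(low.count(tok) for tok in SUSPICIOUS) + len(DRIVE_PATH.findall(run))


def scan(data: bytes, min_len: int = 6):
    """Try every single-byte key and return (score, key, offset, decoded_run)
    for each run carrying at least one indicator, best hits first."""
    findings = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        for offset, run in ascii_runs(decoded, min_len):
            s = score(run)
            if s:
                findings.append((s, key, offset, run))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


def build_sample() -> bytes:
    """Constructed test blob, not real QuantV bytes: a fake header, the
    plaintext trigger-file path named in the incident report, a drive-letter
    table, and a destructive command XOR'd with 0x5A (a demo key, assumed)."""
    cmd = b"cmd.exe /c rmdir /s /q X:\\"  # X: stands in for the enumerated drive letter
    return (
        b"MZ\x90\x00" + bytes(range(64))
        + b"x64\\data\\errorcodes\\romanian.txt\x00"
        + xor_bytes(cmd, 0x5A) + b"\x00\x00"
        + b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\x00"
    )


def triage_sample():
    """Run the scanner over the constructed blob."""
    return scan(build_sample())


if __name__ == "__main__":
    for s, key, off, run in triage_sample()[:5]:
        print(f"score={s} key=0x{key:02X} offset=0x{off:X} {run!r}")
```

Point it at a real plugin with `scan(open("QuantV.asi", "rb").read())`; a hit under a non-zero key whose decoded text reads like a shell command is exactly the kind of finding the report describes, while a hit under key 0 is something a plain `strings` run would have shown. Multi-byte or rolling keys defeat this pass and need a decompiler, not a longer key loop.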
-
@Ch1town83lt9 We are aware of the (confirmed) issue. A public announcement is being prepared by the team, and one of us will post it shortly.
-
@Ch1town83lt9 The people who got their drives wiped aside, I highly believe Rockstar and Take-Two should sue this prick as well. Because to my knowledge, an .asi or .dll file can't do a drive wipedown on their own. However, when these files somehow tell the executable file they are injected into (which is gta5.exe in this case) to order a wipedown, this can absolutely be done.
So from my understanding, he is using gta5.exe as a bridge to carry out his malicious code, which would be using a company asset to deliver a virus. So yes, I hope at least the trigger-happy Take-Two, who shut down OpenIV before and are now shutting down major map mods, sues him in court and that prick rots in hell. This is a legit cyber crime....
and he is throwing random bullshit excuses like "oohhhh no one is stealing your data", "oh I didn't know anything about that".... It is your own code you dumba** and you say you are the only person developing Quant, how the FFFF can you not know what the FFFF you did.................
-
@Aurora11 said in QuantV Malware:
@Ch1town83lt9 The people who got their drives wiped aside, I highly believe Rockstar and Take-Two should sue this prick as well. Because to my knowledge, an .asi or .dll file can't do a drive wipedown on their own. However, when these files somehow tell the executable file they are injected into (which is gta5.exe in this case) to order a wipedown, this can absolutely be done.
So from my understanding, he is using gta5.exe as a bridge to carry out his malicious code, which would be using a company asset to deliver a virus.
Sorry, bud, that's not how it works.
An .asi can simply execute a shell command, to execute a regular DOS command. (Which is, in fact, what happened here: a series of rmdir and assorted commands to delete files on all your drives). GTA5.exe itself is not involved in any way (save to run SHV).
-
@meimeiriver said in QuantV Malware:
GTA5.exe itself is not involved in any way (save to run SHV).
Correct.
I prefer to express it as "GTA5 is blameless". It is "tricked" into loading a modified dinput8.dll which starts the process. Although SHV is a dll, not an asi, nothing happens without the Alexander Blade version of dinput8.dll.
However it is indeed SHV which will allow scripts to run and it will allow SHVDN to run native functions as well as the commands such as rmdir (remove directory) and allow the file deletions. I don't know shit about QuantV, whether it is a plugin or just a "regular dll" (albeit con trojan), other than I've written many times that these visual enhancements mods are garbage although I never expected this. No interest, no installation, no worries.
Hi.
Unfortunately, @meimeiriver is right. These asi plugins and .dll libraries can run C++ or dot net languages that will be undetected by VirusTotal or anything else. They can do incredible damage, the same damage pirated games can do. And the process, as I wrote above, is because games look for dinput8.dll in their own folders before looking at system32 for dinput8.dll. And we all agree, hopefully, that to put any blame on AB would be totally ridiculous.
I don't use scripts and I don't install pirated games for those reasons. Well the scripts, for stability and I like to DIY/tinker even though I'm not a programmer.
As for punishing Quant? He can't be sued if he doesn't have any money, nobody will bother mounting a legal prosecution, and he likely lives in a country where such actions are not necessarily condoned, but rather just ignored.
To the conspiracy nuts however, this ofc would give R* (or Take Two if you prefer) the ammunition to end modding of GTA5, as we know it, once and for all - but don't hold your breath. You aren't going to see a press release that RAGE will be modified to end modding in light of this incident - I don't think they could care less.
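The posts above describe the loading chain: the game asks for dinput8.dll, Windows searches the application directory before System32, so the ASI loader's copy beside GTA5.exe is what actually runs, and anything it loads (SHV, .asi plugins) inherits the game's privileges. The script below is an added example, not code from Script Hook V, QuantV or Windows; it models that part of the default search order and the one caveat a reviewer should know: names on the KnownDLLs list (the Session Manager\KnownDLLs registry key) are always mapped from System32 regardless of what sits next to the executable, which is why the trick works for dinput8.dll but would not for kernel32.dll. KNOWN_DLLS is an illustrative subset, not a dump of that key from any machine, and the directories are constructed for the demo.

```python
"""Which file answers LoadLibrary("dinput8.dll") from a game folder?

Added example for this thread, not code from Script Hook V, QuantV or Windows.
Models the abridged default DLL search order (application directory, then
System32) plus the KnownDLLs exception, and lists side-loaded system DLL names
a reviewer should hash and inspect.
"""
from pathlib import Path
import tempfile

# Illustrative subset of the KnownDLLs list; the real list lives in the
# registry under Session Manager\KnownDLLs and varies by Windows build.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll"}


def resolve(name: str, app_dir: Path, system_dir: Path):
    """Return (path, origin) for one imported DLL name.

    origin is 'knowndll' (forced from System32 whatever the app dir holds),
    'app-dir' (side-loaded copy wins: hijack candidate), 'system', or None
    when nothing would satisfy the import."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return system_dir / name, "knowndll"
    # Default safe search order, abridged: application dir first, then System32.
    for directory, origin in ((app_dir, "app-dir"), (system_dir, "system")):
        candidate = directory / name
        if candidate.is_file():
            return candidate, origin
    return None, None


def audit(app_dir: Path, system_dir: Path, imports):
    """Map each imported name to where it loads from and list side-loaded ones."""
    table = {n.lower(): resolve(n, app_dir, system_dir) for n in imports}
    sideloaded = sorted(n for n, (_, origin) in table.items() if origin == "app-dir")
    return table, sideloaded


def build_sample():
    """Constructed directories, not a real install: a fake System32 and a fake
    game folder holding the ASI loader's dinput8.dll plus a decoy kernel32.dll."""
    root = Path(tempfile.mkdtemp(prefix="dllorder_"))
    system_dir, app_dir = root / "System32", root / "GTAV"
    system_dir.mkdir()
    app_dir.mkdir()
    for n in ("dinput8.dll", "kernel32.dll", "version.dll"):
        (system_dir / n).write_bytes(b"MZ-system-" + n.encode())
    for n in ("GTA5.exe", "dinput8.dll", "ScriptHookV.dll", "QuantV.asi", "kernel32.dll"):
        (app_dir / n).write_bytes(b"MZ-appdir-" + n.encode())
    return app_dir, system_dir


def audit_sample():
    """Audit the constructed game folder for three imports GTA5.exe might resolve."""
    app_dir, system_dir = build_sample()
    table, sideloaded = audit(app_dir, system_dir,
                              ["dinput8.dll", "kernel32.dll", "version.dll"])
    return {n: origin for n, (_, origin) in table.items()}, sideloaded


if __name__ == "__main__":
    origins, sideloaded = audit_sample()
    for n, origin in origins.items():
        print(f"{n:14} -> {origin}")
    print("inspect these side-loaded DLLs:", sideloaded)
```

The decoy kernel32.dll in the game folder is reported as 'knowndll' and never loads, while dinput8.dll resolves to the side-loaded copy. On a real system the report is an inventory, not a verdict: Alexander Blade's dinput8.dll is expected to show up as 'app-dir', and the follow-up is to hash it against the copy you downloaded from the author rather than to delete it.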
-
@JohnFromGWN FYI Quant lives in the same country as I do, Spain. Malware is of course something pursued but I'm not sure if any action will be taken against Quant. We know his real name (since long ago) because it appears in both the Spanish commercial register ("Registro Mercantil") and the State official newsletter ("Boletín Oficial del Estado" aka "BOE").
-
@Reyser Good to know. I wasn't thinking españa. Was thinking of another country that shall remain nameless for obvious reasons.
-
@Reyser There are several legal remedies possible.
-
In many Western countries, installing malware (or have it execute) on another person's computer opens you up to criminal exposure.
-
There's also a Civil route; and perhaps the most opportune one, as I heard it reported that Quant pulls ca. $10K a month from his QuantV mod (not sure how reliable that number is). And, those affected, can definitely prove (severe) damage: lost data, lost time, loss of income as a result, etc. Whether someone actually will sue him, is another matter. But I would personally definitely have done so if his little stunt had affected me.
Also, in more general terms, nobody likes pirated use of their software. But not even MS -- or any other self-respecting software company, for that matter (like Rockstar, to stay on point) -- would ever resort to such draconian, retaliatory measures as Quant did. A normal company usually sends you a polite notice, along with the suggestion that maybe you thought you had bought their software from a legit dealer (a legally correct stance), but that there's nonetheless a problem with your license, and please contact us.
What Quant did, is simply inexcusable.
-
For this reason I think it would be interesting and healthy for this community if they applied an open source rule to the scripts part. I in particular don't like to install scripts that are not open source. As a programmer I know how harmful a "dll" or "asi" can be.
-
@meimeiriver said in QuantV Malware:
And, those affected, can definitely prove (severe) damage: lost data, lost time, loss of income as a result,
He is definitely a scumbag and should definitely be prosecuted, however the burden of proof in most countries will be on the accusers.
I'm not a lawyer but how can you prove any prejudice or damages, particularly from a leaked version but even from a misbehaved legal version, let alone financial damage.
The following is just speculation on my part, just for discussion, not argument. Anyone who used a leaked version will be likely discredited as thieves but one illegal act doesn't justify another.
However event logs, if any, can be faked and that's what the defense could argue. So how could someone prove, beyond any reasonable doubt, that their files were indeed wiped, or similarly prove they suffered monetary losses?
Also the scumbag already claims this was done by others on leaked copies, which is BS, since the code was found in the legal versions.
So it will require someone who purchased it legally but installed it on a different server, legally, with damages to step forward and sue for those damages.
I hope I'm wrong, that this will play out differently, and he pays a severe penalty for this, also sending a message to others. Hopefully just the act of having installed the trojan will suffice. Like someone planning a murder or planting a bomb.
Criminal intent or negligence is punishable.
I remember, in the past, reading similar stories, where developers thought setting traps in their software would deter piracy. Another example of one illegal act not justifying another.
On a final note, without in any way condoning or legitimizing piracy, in today's web while it is clear when mainstream software like GTA5 or Photoshop are pirated and inexcusably downloaded, the same isn't true for mods. Except for sites clearly identified as leak sites, a casual user could relatively easily download and install QuantV from some site without even knowing it was illegal and lose their data as a consequence. But in those cases, ignorance wouldn't be a legal argument to sue.
-
Fully agree. Unless the script is open source and ofc inspected, there isn't any guarantee it is safe. And virus scanning is not appropriate for customized scripts.
An OIV can also do damage, often by stupidity rather than bad intentions, but at least they can be inspected.
Asi mods are the most dangerous given hard if not impossible to decompile, but even then the average user won't have a clue how to decompile a dll. They won't even have a clue how to unarchive an OIV.
Edit: with the exception of mainstream tools like OpenIV, Codewalker, and the texture toolkit, I never install any mods with .exe files. Same goes for asi files except the established ones, and never an OIV.
-
@JohnFromGWN said in QuantV Malware:
Fully agree. Unless the script is open source and ofc inspected, there isn't any guarantee it is safe. And virus scanning is not appropriate for customized scripts.
Exactly. In particular, every time I see a new script that is open source, I take the time to have a look. Although performing a code inspection is normally something difficult, that is not the case with many scripts, as they are mostly short and built with only a few lines of code, or even the whole script is built on a single class, which makes it easy to find something unusual in a scroll.
-
@JohnFromGWN said in QuantV Malware:
I'm not a lawyer but how can you prove any prejudice or damages, particularly from a leaked version but even from a misbehaved legal version, let alone financial damage.
For starters, 'prejudice' (did you mean 'malicious aforethought'/criminal intent?) can be proven pretty easily. Even a single look at those lines of code clearly shows mens rea.
The following is just speculation on my part, just for discussion, not argument. Anyone who used a leaked version will be likely discredited as thieves but one illegal act doesn't justify another.
Indeed, "Two wrongs don't make a right," as they say.
I remember, in the past, reading similar stories, where developers thought setting traps in their software would deter piracy. Another example of one illegal act not justifying another.
The only big one I know of who ever pulled this was Sony (with their infamous CD rootkit: an act which has haunted them for years, reputation-wise).
-
@JohnFromGWN said in QuantV Malware:
Fully agree. Unless the script is open source and ofc inspected, there isn't any guarantee it is safe. And virus scanning is not appropriate for customized scripts.
An OIV can also do damage, often by stupidity rather than bad intentions, but at least they can be inspected.
Asi mods are the most dangerous given hard if not impossible to decompile, but even then the average user won't have a clue how to decompile a dll. They won't even have a clue how to unarchive an OIV.
Edit: with the exception of mainstream tools like OpenIV, Codewalker, and the texture toolkit, I never install any mods with .exe files. Same goes for asi files except the established ones, and never an OIV.
The only truly efficient way to mitigate the effects of such malware is to simply NOT run V as root/admin. Most people are lazy, though, and run all their software with admin privileges, so a full wipe attempt will, indeed, be quite successful. Using an unprivileged account to run GTA V would perhaps cost you some personal documents under that account, but not much more.
-
@Niziul Given 99% of users install Windows on a drive or partition called C, I will do a quick search on all text files in a project or sln using a free search utility for strings such as c:\ and similar searches for del or delete or dir. However, as you wrote, a visual search is usually all that is necessary. I also will limit myself to people I trust like yourself, @Jitnaught , and @JustDancePC . GitHub is also generally safe, but again I would never trust an exe without researching it first.
Having said that, backing up data on external drives, disconnecting them if required, and doing a system backup or image is the only guaranteed way of preserving your data from malware or disk failure or even theft.
-
@meimeiriver there are also acts, which might not be illegal, but are unethical and clearly invasions of privacy. Google and Facebook are prime examples.
On a stranger note, I have a Samsung TV which is equipped with a camera, as sold. Apparently Samsung was using this feature to learn more about its users. My camera was quickly disabled. Yes, I was using a euphemism for spying.
https://www.zdnet.com/article/fbi-warns-about-snoopy-smart-tvs-spying-on-you/
P.S. for prejudice I meant in the legal sense, that the user suffered in some way, that it wasn't a so-called victimless act.
And yes, fully agree that intent is punishable and I do wish there will be harsh consequences for this individual, but there is a difference between intent, which is as you stated already proven, and loss of revenue or loss of data as a consequence.
What i meant is that damages will be harder to prove, it may be difficult to quantify financial losses. This would not apply to a gamer, it would only apply to say an RP commercial server which was impacted, but again, how to quantify the extent? Not saying it can't.
So more likely a jail sentence or financial penalty for Quant rather than sued for damages by individual parties.
Where I live, a class action suit could be instigated easily as the law here facilitates these procedures.
-
@Niziul I should add I always look at the code, not for malicious code, but in the hope of understanding how and what it does, learning something in the process, and if necessary modifying it to better meet my objectives. This kills two birds with one stone given the review of the code, for the purpose of learning, will also reveal deception.
-
too funny not to share, 'do you want malicious code in your purchase, yay or nay'
-
@JohnFromGWN Yes, I have learned a lot by looking at people's code.
-
@meimeiriver Sorry, I didn't know. But from the other aspect, his malware is still using GTA 5 to carry out its task. Unless you open the game it doesn't do anything, so it is using the game as a bridge to wipe the drives. And in my opinion, even if it doesn't make gta5.exe wipe the drive, the fact that it is still using GTA 5 to execute the virus is still a reason for Take-Two to sue him in court.
@JohnFromGWN If this was done in a way that the malware only deletes Quant itself if it found it was pirated, I would be OK with it. It wouldn't be an ethical way, but I would understand it to some extent. But wiping out all the drives, which, just like you said, anyone could also download without knowing what it really is in the first place, that is inexcusable. People might have lost tremendously important data because of this shit. Well yes, such data should always be backed up, but they simply might have had their external hard drive plugged in as well, and no one is really using CDs anymore (which is the only reliable and safest way to store data). For this reason he needs to serve jail time for cyber crime. The Spanish cyber security police should confiscate all of his digital devices and run a deep scan.
and lmao that screenshot @ReNNie shared
"nobody is stealing your personal data". Well of course not, cuz there is no personal data being left to steal you dumbass playing dumb.........
But anyway, now that NVE became free, Imma just use that one anyway. Quant was malicious even from the beginning. I installed its v2 free public version and lost all of my ENB and ReShade because of the <delete> command he put inside the assembly.xml.
Then I contacted the OpenIV team to give people a warning and a secondary confirmation when there is a delete command inside the assembly.xml while installing a mod through the .OIV; they said they would investigate it, but of course nothing happened. So yeah, big F word to Quant, I hope he drowns in the ocean so at least his miserable puny weakling body can feed the starving sharks............
-
@ReNNie I'm guessing this is a lame attempt to disassociate himself from the crime, probably based on the advice of one of his friends who flunked out of law school.
The logic: make it publicly known that the code in question is optional. If you want your data wiped clean, yes we offer that feature but at your discretion. We give you the flexibility to keep your data or destroy it, entirely your choice.
I use Discord for coop gaming only, I know shit about its servers, but I'm assuming Quant and his buddies are the ones who mashed the 43 tickmarks.
Love his comment about scanning files. Not only would his trojan code remain undetected, but he is essentially making a very honest statement here.
Come on community, let's give him some deserved praise for his newfound honesty. He's finally admitting that it's advisable to scan his software for his version of an easter egg. It's not a trojan, it's a valuable feature at no extra cost.
I wonder if he'll look good in orange assuming that's the colour they use in Spain.
-
@Aurora11 he is a piece of shit and it is widely acknowledged he stole code, that he is a thief. OP mentions this too.
Whether true or not, about his code theft, what he did is wrong on so many levels.
The biggest proof he is full of shit is that he originally denied the presence of the malicious code. Instead he blamed it on leakers and then went offline.
Realizing he had been caught in a lie by reviewers investigating legitimately purchased versions of QuantV and facing possible criminal prosecution he apparently changed his story to more bullshit that the code won't steal data, again deflecting the real issue which has nothing to do with data theft but rather data destruction.
Once more he is playing dumb by pretending he has no idea what's going on. Why am I being accused of stealing data? Oh, someone said I was wiping data? Lol jajaja (Spanish for hahaha). No, no, no entiendes. You don't understand. I never intended to wipe data, no, not at all. It's just an option I offer users.
Dickwad. Not you, I mean Quant or, as he is known in Spain, hijo de puta.
Edit. Again what @ReNNie posted leaves no doubt of a feeble attempt to fool everyone into thinking that was an acceptable practice, harmless, and out of tremendous respect for his users he will actually remove it.
All this after denying the code existed and blaming the malware / trojans on leakers.
A better story, and it's kinda late for Quant to use it, would have been deny all involvement from the start and claim his website had been hacked repeatedly with each version update and he was unaware. Instead he denied the existence of this code until it was disproven, his lie exposed, by independent review.
As someone wrote, he gave a blackeye to the modding community. He must be held accountable.
-
If prosecuted, hard time denying the evidence
And this one's comments made me lol.
-
Ah you already found these, good
Love the can can music under it