News is spreading. Apparently Quant also stole code from NVE and used code from RDR2. I wonder how many systems have been compromised. People don't expect a trojan or virus in paid software, so it is the perfect trap.
Yesterday 7:48 AM: I was informed that there was some lore being spread regarding ‘a trojan virus with drive exterminator’ in the native DLLs bundled with QuantV.
Yesterday 7:52 AM: A buyer sent a copy of a legitimately purchased version of QuantV to me for analysis.
Yesterday 8:07 AM: Analysis started on QuantV.asi, with a file time of September 1, 2022 8:06 AM, a PE timestamp of August 29, 2022 5:34 PM, and a SHA256 hash of 5cfd77770ebbb279f6d998c7d000724259a6c9bb013f3a70a3940337441bf5e6.
Yesterday 8:14 AM: Code that contained a list of drive letters and called system() on some obfuscated (XOR’d) string was discovered. Investigation continued.
Yesterday 8:51 AM: A tweet informing about this was posted. As the lore was already being spread, this was considered a responsible course of action.
Yesterday 3:30 PM: More investigation was performed, enbhelper.dll was confirmed as malicious as well, and it appears that a non-functional internet connection will ‘nullify’ the HTTP check at least. The plugin also seems to use/store a flag in some .ini file, as well as an x64\data\errorcodes\romanian.txt in the game directory being used as a trigger flag.
Today 1:13 PM: A newer build has been released (with file times of September 4, 2022, and a few days newer PE timestamp) which does not include the malicious code in QuantV.asi, though it is still included in enbhelper.dll. Regrettably, the author denies having been involved in this, instead going with FUD explanations, looking like a cover-up operation. Notably, however, both versions very much look built from the same source code, and the server checks using the same XOR string library are still in.
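As an added defender-side example (not from the thread above or the QuantV project), the following check looks for the indicators named in the timeline: the quoted SHA256 of QuantV.asi, the romanian.txt trigger file, and the PE timestamp of each .asi/.dll so builds can be compared. The helper names and the constructed sample directory are assumptions.

```python
# Added IoC check for the QuantV case above (not the analyst's own tooling).
# Helper names and the sample directory built below are assumptions / constructed.
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

# SHA256 of the analysed QuantV.asi as quoted in the timeline.
KNOWN_BAD_SHA256 = {
    "5cfd77770ebbb279f6d998c7d000724259a6c9bb013f3a70a3940337441bf5e6": "QuantV.asi (Sep 1 2022 build)",
}
TRIGGER_FILE = os.path.join("x64", "data", "errorcodes", "romanian.txt")

def pe_timestamp(data: bytes):
    """COFF TimeDateStamp of a PE image as a UTC datetime, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)  # after Machine, NumberOfSections
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def scan_game_dir(root: str) -> dict:
    """Report known-bad hashes, PE timestamps and the trigger flag under root."""
    findings = {"hash_matches": [], "pe_timestamps": {},
                "trigger_present": os.path.isfile(os.path.join(root, TRIGGER_FILE))}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path) or not name.lower().endswith((".asi", ".dll")):
            continue
        data = open(path, "rb").read()
        digest = hashlib.sha256(data).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            findings["hash_matches"].append((name, KNOWN_BAD_SHA256[digest]))
        ts = pe_timestamp(data)
        if ts is not None:
            findings["pe_timestamps"][name] = ts.isoformat()
    return findings

def build_sample_dir() -> str:
    """Constructed sample: a minimal fake PE named enbhelper.dll plus the trigger file."""
    root = tempfile.mkdtemp()
    fake_pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    fake_pe += struct.pack("<HHI", 0x8664, 1, 1600000000)  # stamp = 2020-09-13T12:26:40Z
    open(os.path.join(root, "enbhelper.dll"), "wb").write(fake_pe)
    os.makedirs(os.path.join(root, "x64", "data", "errorcodes"))
    open(os.path.join(root, TRIGGER_FILE), "w").close()
    return root
```

Run `scan_game_dir` against a real game directory to get the report; the sample directory only exercises the trigger-file and timestamp paths, since the known-bad file itself is not embedded.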