QuantV "rmdir /s /q" incident report (2022-09-03)

This topic contains a timeline and rough summary on the findings regarding the ‘QuantV’ disk wiping incident.

Context

QuantV is a third-party ‘graphics mod pack’ for GTA V, being sold on Patreon by its creator (‘Quant’). It bundles a few plugin DLLs to set shader parameters for the ENBSeries shader patching library, and help with making screenshots.

Timeline

  • 2022-09-03T11:48:00Z: I was informed that there was some lore being spread regarding ‘a trojan virus with drive exterminator’ in the native DLLs bundled with QuantV.
  • 2022-09-03T11:52:00Z: A buyer sent a copy of a legitimately purchased version of QuantV to me for analysis.
  • 2022-09-03T12:07:00Z: Analysis started on QuantV.asi, with a file time of 2022-09-01T12:06:34Z, a PE timestamp of 2022-08-29T21:34:35Z, and a SHA256 hash of 5cfd77770ebbb279f6d998c7d000724259a6c9bb013f3a70a3940337441bf5e6.
  • 2022-09-03T12:14:00Z: Code that contained a list of drive letters and called system() on some obfuscated (XOR’d) string was discovered. Investigation continued.
  • 2022-09-03T12:51:00Z: A tweet informing about this was posted. As the lore was already being spread, this was considered a responsible course of action.
  • 2022-09-03T19:30:00Z: More investigation was performed, enbhelper.dll was confirmed as malicious as well, and it appears that a non-functional internet connection will ‘nullify’ the HTTP check at least. The plugin also seems to use/store a flag in some .ini file, as well as a x64\data\errorcodes\romanian.txt in the game directory being used as a trigger flag.
  • 2022-09-04T17:13:00Z: A newer build has been released (with file times of September 4, 2022, and a few days newer PE timestamp) which does not include the malicious code in QuantV.asi, though it still is included in enbhelper.dll. Regrettably, the author denies having been involved in this, instead going with FUD explanations, looking like a cover-up operation. Notably, however, both versions very much look built from the same source code, and the server checks using the same XOR string library are still in.

Factual information

  • Only QuantV.asi is affected. enbfeeder.asi and enbhelper.dll seem unimpacted. Only QuantV.asi has the HTTP code to fetch status, but enbhelper.dll will apply a pending ‘disk wipe’ as well. Both enbhelper.dll and QuantV.asi contain the full disk wipe/HTTP check logic. This wasn’t found initially as compiler settings were different.
  • It’s unlikely that this was added by a ‘leaker’ as some rumors say. The way this is integrated into the code shows that this was likely done by someone with access to either original or reverse-engineered source code for the .asi file, and the chain I’ve received the sample from corroborates this.
  • Antivirus software generally does not pick this up as they rely on a) known signatures or b) behavioral analysis. Since this is a plugin, preemptive behavioral analysis does not apply.
  • There is no sign of this version of the .asi executing any other commands than this rmdir chain.
  • Similarly, there’s no sign of other persistence methods, though there are some file read/writes, and it may be the case the .asi will edit some .ini files in the enbseries folder to ‘worm’ in case a pirated copy is spread further.
  • The ‘check’ is done using a HTTP API, the details of which have not been investigated at this time located at http://quantv.xyz/updater, presumable with a POST request of code=..., involving the Desaturate Radius= value in enbseries/enbeffect.fx.ini, which is actually a unique user ID.

    The library cpp-httplib is used, with httplib:: renamed to enb::. The main ‘trigger’ is this API returning (or not returning) true.
  • The command executed amounts to system(("rmdir /s /q " + drive_letter).c_str());. This will remove files that the user has access to read/write, which could be a lot.
  • There have been reports of this being used in the wild, and this existing in pirated copies of an ‘August release’ as well.
34 Likes