(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Enlarge

The developers at Denuvo have been in the news thanks to cracks against their notoriously tough digital rights management (DRM) tools, which are normally used to lock down video games from leaking online. On Sunday, the company faced a different kind of crack—not against a high-profile video game, however, but of its depository of private web-form messages. A significant number of these appear to come from game makers, with many requesting information about applying Denuvo's DRM to upcoming games.

The first proof of this leak appears to come from imageboard site 4chan, where an anonymous user posted a link to a log file hosted at the denuvo.com domain. This 11MB file (still online as of press time) apparently contains messages submitted via Denuvo's public contact form dating back to April 25, 2014. In fact, much of Denuvo's web database content appears to be entirely unsecured, with root directories for "fileadmin" and "logs" sitting in the open right now.

Combing the log file brings up countless spam messages, along with complaints, confused "why won't this game work" queries from apparent pirates, and even threats (an example: "for what you did to arkham knight I will find you and I will kill you and all of your loved ones, this I promise you CEO of this SHIT drm"). But since Denuvo's contact page does not contain a link to a private e-mail address—only a contact form and a phone number to the company's Austrian headquarters—the form appears to also have been used by many game developers and publishers.

Read 3 remaining paragraphs | Comments

 

pastebin.com is a wonderful website. Im scrapping all posted pasties (not only from pastebin.com) and pass them to a bunch of regular expressions. As I said in a previous diary[1], it is a good way to perform open source intelligence. Amongst many configuration files, pieces of code with hardcoded credentials, dumps of databases or passwords, sometimes it pays and you find more interesting data.

For a few days, Im finding many pasties that contain only Base64 data. The decoded data are malicious PE files. Some files were posted multiple times, others were unique. Some examples from my list:

  • hxxp://pastebin.com/cW0zR4St
  • hxxp://pastebin.com/QTEd5Eqe
  • hxxp://pastebin.com/Zfhtnk9X
  • hxxp://pastebin.com/nVRhzRxJ
  • hxxp://pastebin.com/8U5beggH

Most of the malicious files are known on VT (submitted a few hours ago), others are unknown. I also detected some obfuscated pasties:The Base64 code is reversed:

  • hxxp://pastebin.com/C7YYaUZB

Another technique is the hex-encode the Base64 data:

  • hxxp://pastebin.com/GeNX7DYP
  • hxxp://pastebin.com/15en56ZE

This technique has already been seen in the past[2]. Powershell or Javascript scripts download malicious content from pastebin.com. But, until now, I was not able to find any reference to the pasties above. Please share with us if you have more information!

In the meantime, it could be a good idea to keep an eye on your logs and search for HTTP requests to these URLs (or globally to pastebin.com if this service is not used in your environment).

[1] https://isc.sans.edu/forums/diary/Hunting+for+Juicy+Information/20555
[2] https://blog.malwarebytes.com/cybercrime/2016/10/get-your-rat-on-pastebin/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status