What it’s all about
aboutseven, a newly registered member on the GTA forums, was the first one to notice that all was not well with the processes running on his computer. “I came across something pretty startling today after reviewing my processes that were running on my computer. I tend to do this a lot out of paranoia, just checking that I don’t have stuff running in the background that I don’t want running, or if I ever possibly run into something that is out of the ordinary that could possibly be malware. I happened to notice that the Windows C# compiler running in the background as csc.exe”, he wrote in his post.
After looking into it some more, he dredged up a file called Fade.exe, which hijacked a part of the registry in order to be launched at boot. Some more testing revealed that a GTA mod named Angry Planes was responsible for the malware landing on his system. Since the discovery, other players have claimed to find similar harmful files in other mods as well, such as No Clip.
What it does
So, why exactly is Fade.exe such a problem? To answer the question, let’s just take a look at the modules that are loaded with the mod, according to another forum user named ckck:
- “Facebook spam/credential stealing module
- Twitch spam/credential stealing module
- com spam/credential stealing module
- A Steam spamming module
- A Steam module that evaluates the items in your inventory and their value based on current market value
- A Keylogger module that logs individual button presses in an XML like format, it also includes information about context switches (switching from one app/window to another)
- A UDP flooding module
- I hadn’t deciphered and didn’t see in action.”
What you can do
In case you have one of the mods installed, make sure to scan your computer with your AV and remove the malicious files. Keeping in mind that Fade.exe also sniffs around your Facebook, Steam, and Twitch accounts, make sure to change all your passwords as well.
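A read-only triage for the two indicators this post names (Fade.exe and a background csc.exe), as an added example that is not from the forum thread or the original post. It assumes the registry location is one of the standard Windows Run/RunOnce keys, which the post does not specify.

```powershell
# Added example: triage for the indicators named in the article (Fade.exe, csc.exe).
# Assumption: the "part of the registry" used for boot persistence is one of the
# standard Run/RunOnce keys; the article does not name the key.
$indicator = 'Fade.exe'
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# 1. List every autorun value and flag the ones whose command references the indicator.
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $command
            Suspect = $command -like "*$indicator*"
        }
    }
}
$autoruns | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap

# 2. Show running csc.exe / Fade.exe processes together with their parent process,
#    so a compiler started by something other than a development tool stands out.
$procs = Get-CimInstance Win32_Process
$procs | Where-Object { $_.Name -in 'csc.exe', $indicator } | ForEach-Object {
    $parentId = $_.ParentProcessId
    $parent = $procs | Where-Object { $_.ProcessId -eq $parentId } | Select-Object -First 1
    [pscustomobject]@{
        Name        = $_.Name
        ProcessId   = $_.ProcessId
        Path        = $_.ExecutablePath
        CommandLine = $_.CommandLine
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
    }
} | Format-List
```

The script only reads the registry and the process list; it removes nothing, so it complements the AV scan rather than replacing it.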
The post Some GTA V Mods Serve You Malware appeared first on Avira Blog.