It's happened, I was hacked

CrazyGreggy · 20 Jun 2023 at 10:54

Ouch. That’s a day in the sunshine gone

CrazyGreggy · 20 Jun 2023 at 10:56

My other half had her Facebook account compromised last week via a link in a message that grabbed the authentication token from her phone. Scared the **** out of her but maybe, just maybe, I’ll be able to get her to RTFM and other precautions in the future.

Tykey · 20 Jun 2023 at 11:01

if you're downloading torrents of cracked games/software then you're asking to be hacked, it doesn't happen everytime but it's the only time i've came across viruses/malware etc.

Frenzy · 20 Jun 2023 at 11:12

I didn't have any cracked games or software on this pc which is why I was so confused as to how I was infected. I'm not networked to other pcs either.

This malware installs itself to the registry and runs from it too which makes it very difficult to remove. It's being actively developed which is prob why no av could catch it. Apparently it primarily targets crypto, I guess when they found no crypto they went after other stuff.

I've been refunded by paypal now and added an authenticator to my phone too.

Dup · 20 Jun 2023 at 13:47

I use NetLimiter and by default I force it to block then ask for permission to allow any ingoing or outgoing connections.

this was on the back of my machine contastnly getting pinged by suspicious incoming ip addresses from mostly China & Russia under the guise of some sort of research program when you visited them. Seemed very dodgy so at least I could block them. After a re-format they went away despite your usual scanners picking up nothing. I could not have known about it for a long time though.

Guest2 · 20 Jun 2023 at 17:49

Offline clone of my OS drive and important data (photos of holidays, family, nights out and travelling) backed up on an external drive. Doesnt matter if my OS is hacked

hyperseven · 20 Jun 2023 at 20:06

tyke_ said:
if you're downloading torrents of cracked games/software then you're asking to be hacked, it doesn't happen everytime but it's the only time i've came across viruses/malware etc.

that is why you should stick to private trackers

varkanoid · 20 Jun 2023 at 22:52

Thats why I dont like Whatsapp it can be misused and its not safe. They go on about it cant be hacked the encryption is end to end we are going to pull out of the UK if the Wotsit Security bill is passed. You think you are safe then something like this happens. You could say its not Whatapps its the PC being compromised but Whatsapp was the method used to authorise the transaction.

AStaley · 20 Jun 2023 at 23:13

Frenzy said:
I used all the antivirus yesterday and I could still see the powershell script loading in event viewer so I had to bite the bullet and format with a fresh install...

With a Trojan I feel this is the best course of action, unfortunately you will never be certain that Malwarebytes or another anti malware has got everything and you won’t get reinfected. It will only take that one zero day or start-up link and you start the whole process again.

If you use any removable media and especially if you’ve used it since being infected make sure to check it for any signs of infection from a known clean device.

Good you were refunded and lesson learned

FoxEye · 20 Jun 2023 at 23:38

Frenzy said:
I didn't have any cracked games or software on this pc which is why I was so confused as to how I was infected. I'm not networked to other pcs either.

This malware installs itself to the registry and runs from it too which makes it very difficult to remove. It's being actively developed which is prob why no av could catch it. Apparently it primarily targets crypto, I guess when they found no crypto they went after other stuff.

I've been refunded by paypal now and added an authenticator to my phone too.

Sorry, what? "Installs to the registry and runs from the registry?" What do you mean by this?

Rroff · 21 Jun 2023 at 01:02

varkanoid said:
Thats why I dont like Whatsapp it can be misused and its not safe. They go on about it cant be hacked the encryption is end to end we are going to pull out of the UK if the Wotsit Security bill is passed. You think you are safe then something like this happens. You could say its not Whatapps its the PC being compromised but Whatsapp was the method used to authorise the transaction.

WhatsApp really isn't the problem here, I can't say for certain what has happened but this malware doesn't just install itself on your PC, possible it has been deployed bundled with other malware but usually that'll be a dropper spread by something using worming behaviour on a network which Frenzy said isn't the situation here.

FoxEye said:
Sorry, what? "Installs to the registry and runs from the registry?" What do you mean by this?

It doesn't install itself to the registry in the way they seem to be implying but some of these script heavy malware place startup registry entries which can reinfect the machine using packed PowerShell commands.