User blog:4thDimensionTraveler/Fake ForceOP Hacks Owned V2

'''Note: If you have downloaded this fake ForceOP program and run it, be warned that you have just installed a keylogger that automatically starts along with your computer. See the "Reversing the Damage" section for what to do.'''

Five years ago, I made a post about a fake ForceOP hack that was circulating on the internet. That hack has since been taken down, but yesterday I found a ForceOP hack video with a quarter of a million views and a high like/dislike ratio. It is the first result when you type "ForceOP" into Google, and the comments section is full of praise (although the newest comments are asking whether or not the program works).

The video links are below:

https://www.youtube.com/watch?v=bNgnPFptyQY

https://www.youtube.com/watch?v=k23yTtIrBX0

The download link previously pointed to an EXE file, but it has since been remade as a JAR. The file seems to have been created in June 2020.

I downloaded the file, which contained a JAR file and a .bat file to run the JAR. I quickly renamed the JAR to a ZIP to prevent myself from accidentally running it, and decompiled it using Bytecode Viewer.

Video Analysis
The video itself looks very convincing at first glance. The vast majority of ForceOP videos are recorded on small servers, because that is the only way to make it look as if the tool actually worked. The two videos above, however, show Hypixel and Mineplex getting hacked. Despite this, there is almost no reaction from the players: no stares, no messages in the chat, even though the lobby is blatantly being destroyed. Why? Because the ForceOP is fake.

A First Glance
At first glance, the JAR file doesn't seem to be too suspicious. There doesn't seem to be any secret code hidden inside, just a few class files and a library. But of course, the devil is in the details.

The GUI (looking at the YouTube video and the code) is supposed to have 3 buttons, "Find Player", "Connect", and "Bruteforce OP". "Find Player" grabs the skin from Mojang, and "Connect" uses a socket to connect to the server, giving the user a sense of legitimacy.

Of course, it all goes downhill from there. MainForm$4.class holds the code that runs when the "Bruteforce OP" button is pressed. Two lines are run:

Let's go inside those methods, shall we?

Getting Suspicious
The progress bar class alone proves the program is fake: it always returns a success message, and a random number generator drives the progress. The program clearly has no intention of delivering the ForceOP it promised.

The second method is where the malicious code lives. It ignores the username and server address you just entered and instead executes another JAR file embedded inside this one. The strings are obfuscated, but we can easily paste the decryption code into an online Java compiler to recover them. After decrypting all the strings, we can see that "update.class" (obtained from getClassName) is actually a JAR file (which is why Bytecode Viewer was unable to load it). That file is extracted to APPDATA\Local\Google (obtained from getDropPath) and executed as a standalone program.

A Secret JAR File
While writing this I discovered that someone had used any.run to execute the file. The link can be found here: https://any.run/report/3a570969f5cfdfe03b789718e03bcc6f12da7c7a8efa9b59f47d680115799695/02119695-1b3f-4997-ba62-3c8b229aed4b

In addition, my run can be found here: https://any.run/report/cc68a5af407027088a11d164613fa059da9207451e0b8f06133ecbcf9a9b429d/6547f8ec-c916-496d-8acf-94e3c4b2ae77

Now we are finally ready to find out what the program actually does. A quick glance inside the JAR reveals that the variable names have been scrambled to make reverse engineering harder.

If you look at the picture (inside the secret JAR), you will see four methods that are called at the beginning. The first method calls "cmd attrib" in order to mark the update.class file as hidden. The next 3 methods refer to a class file with an unusual amount of debug code, which usually means it is a library available on the internet. A quick Google search of the strings reveals that it is actually a Registry library, meaning the program is tampering with the Windows Registry.

https://github.com/java-native-access/jna/blob/master/contrib/platform/src/com/sun/jna/platform/win32/Advapi32Util.java

By using the any.run report and the JNA library above, we can now determine the purpose of the last 3 methods.

 * The second method overwrites the Startup key in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders".
 * The third method creates a registry key in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" that causes Windows to automatically run the secret JAR when Windows starts.
 * The last method registers a key in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run". This holds whether or not the entry in the third method is enabled, so the program would need to enable this to force the startup entry above to run.

At this point, the user is infected with malware that automatically runs when the computer starts. If you have ever run the program, you should check whether these Registry keys exist on your computer.
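To check the three persistence locations just described, here is an added Python audit script (not code from the post, and not the malware's own code). It assumes the registry paths above, the "Java(TM) Platform" entry name that the removal instructions later in this post mention, and the AppData\Local\Google drop path; the StartupApproved decoding (first byte 0x02 = enabled, 0x03 = disabled) is the convention Windows uses for those values. The parsing functions are pure Python so they work with exported data on any OS; only the live read needs Windows.

```python
"""Audit the HKCU persistence locations used by the fake ForceOP keylogger.

Added example, not from the blog post or the malware. Assumes only the
registry paths, the "Java(TM) Platform" value-name prefix and the
AppData\\Local\\Google drop path described in the write-up.
"""
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
APPROVED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
SHELL_FOLDERS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

# Default per-user Startup folder (assumption: the stock REG_EXPAND_SZ value).
DEFAULT_STARTUP = r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Indicators taken from the write-up: the value-name prefix and the drop directory.
NAME_PREFIX = "java(tm) platform"
DROP_DIR_RE = re.compile(r"appdata\\local\\google\\", re.IGNORECASE)
JAVA_LAUNCHER_RE = re.compile(r"\bjavaw?(\.exe)?\b", re.IGNORECASE)


def startup_approved_state(blob: bytes) -> str:
    """Decode a StartupApproved\\Run value: Windows stores a small binary
    record whose first byte is 0x02 for an enabled entry and 0x03 for one
    the user disabled in Task Manager."""
    if not blob:
        return "unknown"
    return {2: "enabled", 3: "disabled"}.get(blob[0], "unknown")


def suspicious_run_entries(run_values: dict) -> list:
    """Return (name, command, reason) for Run entries matching the indicators."""
    hits = []
    for name, command in run_values.items():
        reasons = []
        if name.lower().startswith(NAME_PREFIX):
            reasons.append("value name mimics the Java runtime")
        if JAVA_LAUNCHER_RE.search(command) and DROP_DIR_RE.search(command):
            reasons.append("launches Java from the AppData\\Local\\Google drop path")
        if reasons:
            hits.append((name, command, "; ".join(reasons)))
    return hits


def startup_folder_redirected(shell_folders: dict) -> bool:
    """True when the Startup value no longer points at the default folder."""
    current = shell_folders.get("Startup", DEFAULT_STARTUP)
    return current.strip().lower() != DEFAULT_STARTUP.lower()


def read_values(root, path) -> dict:
    """Read every value under an HKCU key (Windows only; empty dict if absent)."""
    import winreg
    out = {}
    try:
        with winreg.OpenKey(root, path) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                out[name] = data
                i += 1
    except OSError:
        pass
    return out


def audit_live_registry() -> dict:
    """Combine the three checks against the live registry (Windows only)."""
    import winreg
    hkcu = winreg.HKEY_CURRENT_USER
    run = {k: str(v) for k, v in read_values(hkcu, RUN_KEY).items()}
    approved = read_values(hkcu, APPROVED_KEY)
    shell = {k: str(v) for k, v in read_values(hkcu, SHELL_FOLDERS_KEY).items()}
    return {
        "run_hits": suspicious_run_entries(run),
        "startup_redirected": startup_folder_redirected(shell),
        "approved": {n: startup_approved_state(b) for n, b in approved.items()
                     if isinstance(b, bytes)},
    }


if __name__ == "__main__":
    if sys.platform != "win32":
        print("Live audit needs Windows; the pure functions work on exported data.")
    else:
        for section, result in audit_live_registry().items():
            print(section, result)
```

A Run entry is reported when its name imitates the Java runtime or when its command launches java/javaw from the drop directory; the StartupApproved state tells you whether Windows would actually honour that entry at logon, and the User Shell Folders check catches the redirected Startup folder.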

Keylogging
After injecting the autorun entries, the program connects to connect(dot)steam-powered(dot)tk. The website appears to be down to services like IsItDownRightNow or Snapito, which are unable to connect to it. The program sends a request to the site looking for a redirect link; if none is found, it falls back to akamaihd(dot)esy(dot)es in later connections. In the any.run tests, the program sticks to the tk link. Note that the tk link is HTTPS while the es link is plain HTTP, so tools like any.run cannot decode the traffic to the tk domain.

Note that this program makes use of Java Native Access (JNA), a library for calling native Windows APIs from Java; the keylogger is built on it.

There are three more methods below the update checker. Here is what they do:
 * The first one sets LowLevelHooksTimeout to 15000 in "HKEY_CURRENT_USER\Control Panel\Desktop". It also sets up a keylogger: the code references SetWindowsHookEx, which in this context hooks the keyboard and mouse. Some of the captured data is appended to a StringBuilder in the main class.
 * The second one appears to log the current window the user is browsing (GetWindowTextW). Every time the user switches to a new window, a new entry is logged.
 * The last one handles the sending of data. Every 20 seconds, keystroke/browser data is sent to the server if the data is long enough. The URL link is the tk link plus "post-3.0.php?MAC=&msg=log", and the data is sent in the request property.

All Your Data is At Risk
As if recording keystrokes were not enough, the keylogger also hands over more personal information to the website. Let's now go over what the last half of the main function does, starting with the try catch block at the top.

The string in the try catch block decrypts to "info". The goal is to send the operating system and the username of the computer. The URL ends with "post-3.0.php?MAC=&msg=info".

The next method tries to send various information to the website.

The first thing the method does is steal logins from Firefox and Chrome. The program navigates to "Appdata\Roaming\Mozilla\Firefox\Profiles" and then, for every profile, it grabs the login.json, which contains the encrypted login usernames and passwords. It then loads nss3.dll (a Firefox library) to decrypt the login information. Something similar is done with Chrome, where the program navigates to "AppData\Local\Google\Chrome\User Data" and decrypts the login data using an AES key. All the results are sent to the same URL as before, except that msg at the end is set to "pw".

Another thing the method does is steal your credit cards from Chrome. The name, number, and expiry date are grabbed, and the msg in the URL is named "cc".

Next comes the cookies. The host, name, value, path, and profile are taken from both the Chrome and Firefox browsers. msg is set to "cookie".

Lastly, the method takes interest in the user's fonts. The method getAvailableFontFamilyNames is called, and the result is sent with msg set to "fonts".

Now we are up to the second try catch block. That method uses another native call (WlanGetAvailableNetworkList) to grab information on the available wireless networks, such as IDs and signal strength. The program captures this information 10 times, with a 10-second delay between attempts, and at the end sends the capture that contains the most Wi-Fi networks (msg=loc).

Continuing the Execution
There are only two methods left: the thread and another method call. The thread couldn't be decompiled, but from the bytecode it appears to open a socket connection to s-_p-_r-_a-_g(dot)steam-powered(dot)tk (port 28081). There seems to be some sort of protocol for connecting and receiving commands from the server, but I wasn't able to find any more information on it. Below is the only run in which this host appeared.

https://any.run/report/cc68a5af407027088a11d164613fa059da9207451e0b8f06133ecbcf9a9b429d/3d1da4ee-9609-4ec9-a3eb-df69cdb49f00

(I looked into this run, and it matches a (now deleted) Reddit post that seems to have come from someone who tried to test this malware. I managed to partially recover the contents of that post, but I may have missed something between lines 15 and 18.) The thread also registers a recurring task that sends keylogging data to the server.

Now, there is one more method left in the main function. It checks a timer, and if 900 seconds have passed without any keystrokes being recorded, it requests the tk website plus "/ua-3.0.php?id=", where the ID is the hardware address converted to a number using BigInteger. You can see an instance of this below. I'm not sure why the website popped up so early, though.

https://any.run/report/c7f656970f48f82a4b4726a93b85f047190c6be8e05d3a08582ef93d098c1987/aabb1ce6-c39c-42de-9e8b-171459063f99

(Also, the connect tk link redirects to akamaihd, which is why the domain starts with that)
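The check-ins described above (the 20-second keystroke upload with msg=log, the info/pw/cc/cookie/fonts/loc uploads, and the 900-second ua-3.0.php beacon) all go to the same two hosts with the same two script names, which makes them easy to pick out of a web proxy log. The script below is an added example (not from the post or the malware) that classifies those requests; it assumes only the endpoints and hosts named in this analysis, and the log lines it scans are constructed for the example.

```python
"""Flag the keylogger's HTTP check-ins in a proxy log.

Added example, not from the post or the malware. It assumes the endpoints
<c2>/post-3.0.php?MAC=&msg=<kind> and <c2>/ua-3.0.php?id=<id> on the two
hosts named in the write-up. The sample log is constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

C2_HOSTS = {"connect.steam-powered.tk", "akamaihd.esy.es"}

# What each msg= value carries, per the analysis above.
MSG_KINDS = {
    "log": "keystrokes and window titles",
    "info": "OS and username",
    "pw": "browser saved logins",
    "cc": "Chrome credit cards",
    "cookie": "browser cookies",
    "fonts": "installed font list",
    "loc": "nearby Wi-Fi networks (geolocation)",
}

# Constructed lines in a simple "<epoch> <client> <method> <url> <status>" layout.
SAMPLE_LOG = """\
1593600000 10.0.0.12 GET https://connect.steam-powered.tk/ 200
1593600005 10.0.0.12 POST https://connect.steam-powered.tk/post-3.0.php?MAC=&msg=info 200
1593600025 10.0.0.12 POST https://connect.steam-powered.tk/post-3.0.php?MAC=&msg=log 200
1593600030 10.0.0.12 POST https://connect.steam-powered.tk/post-3.0.php?MAC=&msg=pw 200
1593600031 10.0.0.12 GET https://www.minecraft.net/ 200
1593600045 10.0.0.12 POST https://connect.steam-powered.tk/post-3.0.php?MAC=&msg=log 200
1593600900 10.0.0.12 GET http://akamaihd.esy.es/ua-3.0.php?id=123456789012 200
1593600901 10.0.0.44 GET http://example.org/post-3.0.php?msg=log 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def classify_url(url: str):
    """Return (kind, description) if the URL is a known C2 endpoint, else None."""
    parts = urlsplit(url)
    if parts.hostname not in C2_HOSTS:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    path = parts.path.lower()
    if path.endswith("/post-3.0.php"):
        kind = (query.get("msg") or ["?"])[0]
        return kind, MSG_KINDS.get(kind, "unknown msg type")
    if path.endswith("/ua-3.0.php") and "id" in query:
        return "ua", "idle beacon carrying the hardware-address id"
    return None


def scan_log(text: str) -> list:
    """Return one dict per matching line: ts, client, kind, description."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = classify_url(m["url"])
        if hit:
            kind, desc = hit
            hits.append({"ts": int(m["ts"]), "client": m["client"],
                         "kind": kind, "description": desc})
    return hits


def summarize(hits: list) -> dict:
    """Per client, count which data categories were seen leaving."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], Counter())[h["kind"]] += 1
    return {client: dict(counts) for client, counts in by_client.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print(summarize(found))
```

Matching on the host plus the script name, rather than on msg= alone, keeps unrelated sites that happen to use a post-3.0.php path out of the results; the per-client summary tells an incident responder which categories (passwords, cards, cookies) actually left a given machine and therefore what needs to be rotated.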

A Look Back
The program analyzed above is quite complex, and there may be code that runs which I didn't catch. There seem to be a lot of unused methods, most of which are copies of code that does run (for example, the thread that makes the socket connection also appears in another, unused method). Some screenshotting code is also present (https://www.hybrid-analysis.com/sample/b38cec9e5a7393557ab55bf3bef05559d181248ef18e2c8999ee8800d1ee444b/5d3a3c67038838a62f3fff33), but it isn't used. Either way, this is a very sophisticated piece of malware, and it was designed to be hard to detect.

Reversing the Damage
If you have tried to run this ForceOP tool, you are now screwed. You should change all your passwords immediately, as you do not know what has been stolen. You should also change any credit card numbers that you may have typed in whilst infected.

You should also open Regedit and navigate to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run". Look for an entry whose name begins with "Java(TM) Platform". If you see it, you have been infected. Delete it immediately, then navigate to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" and delete the entry with the same name. Go to the directory the keylogger is stored in (by default Appdata\Local\Google), enable showing hidden files and protected operating system files, and delete update.class to fully remove the keylogger.

Now, learn to never trust everything you see online. If it sounds too good to be true, it probably is.