Question / Help Be advised - Malicious plugin going around, need information. HLS transcoder.

magnuspuig

New Member
I might be misinformed and this is a completely legit plugin, or someone has changed the zip file, but I'd rather be safe than sorry and help out fellow streamers.

My friend got hijacked 3 days ago by a scammer on twitch.


The scammer recommends an OBS plugin called **HLS transcoder**.

  • This is probably a scam and a keylogger of some sort, because he got hijacked on his Steam account and email soon after, and all his skins got traded away.
  • The file is a zip with 2 .exe files inside.

There are different YouTube videos about this "plugin" done by people with nearly identical names, and most of the positive comments on those videos are from new accounts dating to the exact same day. (*Someone in the comment section even said it was a scammer trying to hijack accounts.*)

(Unfortunately I have no direct proof, as the antivirus didn't detect anything.)


A series of further questions answered on the Twitch subreddit:

How long after the hijack did the issue occur?
  1. I started the exe file and it asked me to extract some files.
  2. As soon as it did, Steam closed down and restarted at the login screen; the screen was black at first for 30 seconds.
  3. After a while it turned normal and I was unable to log in.
  4. I checked my email, and the email reported an intrusion from a different computer.
  5. In the email there was a mail from Steam with a security code I didn't ask for.
  6. I tried to log in to Steam again and used "forgot password", but the email had already been changed.
Everything took about 5 minutes.

Did the user download anything else prior to the hijack in the last week?


  1. I haven't downloaded anything prior to this.
Has the user had issue with viruses on his PC in the past or recently?

  1. No, I keep checking for viruses regularly.


If anyone has more information please share.
 

H4ndy

Forum Moderator
OBS plugins are always .DLL files, not direct executables.

Besides that, the claims are not valid, since transcoding is done on Twitch's side and there is nothing you can do as a user (besides getting partnered), so it's very likely a scam. The password on the zip is also there to keep anti-virus software out of the zip.

The "HLS" settings on the Twitch page are also not there and are most likely injected by the software or just faked.
 

magnuspuig

New Member
I will repost your answer on the post I made on the Twitch subreddit so people can be informed. It would be great if you would like to inform people there instead. Thanks for the information!
 

dping

Active Member
I will repost your answer on the post I made on the Twitch subreddit so people can be informed. It would be great if you would like to inform people there instead. Thanks for the information!
FYI @dodgepong. What H4ndy said. Seems like there isn't much that we can do here besides maybe make a sticky about this in the plugins, OBS, and OBS MP areas. I'll leave that up to dodge, jim or R1CH though.
 

FerretBomb

Active Member
Yep, this is a complete scam. 100% malware. I grabbed a copy of the files from one of the YT videos and opened it in a hard sandbox; it promptly went about infecting the sandbox badly and tried sending quite a bit of data out from the browser too. Didn't trip the in-box Avast either, so either it's using a garbage mask, generating on the fly when downloaded, or is just a new piece that hasn't been registered yet.

Looks like a pain in the ass to clean out, too.
 

dodgepong

Administrator
Community Helper
Yeah we had to remove a thread about it yesterday. Just tweeted about it from the OBS Twitter.

Unfortunately there's not a lot we can do beyond trying to get the word out. It's not even a real OBS plugin, just calling itself one, so it's not like it's exploiting a security hole in OBS or anything.
 

magnuspuig

New Member
Thank you dodgepong for the information. I've had some people on reddit digging into the files, and it seems there is a keylogger and a botnet rootkit.
https://www.reddit.com/r/Twitch/comments/3oqbgx/be_advised_believed_keyloggerscam_going_around/

Here are some interesting facts about the config.json file:

  • Inside the file's directory tree you will come across a Google API located in "config.json\com\google"
  • The main issues lie in "config.json\com\klintos\apocalypsebot"
Here are some pieces of public code that concerned me instantaneously:
Code:
```
<snip>
org/spacehq/mc/protocol/MinecraftProtocol // Why use Minecraft stuff?
<snip>
host port I
getUsername ()Ljava/lang/String;
getPassword
getSession !()Lorg/spacehq/packetlib/Session; // Why would a transcoder need a username and password? O.o
```

Digging deeper, I found that it is not only a keylogger; it also includes a botnet rootkit. Here are some hints; I will make a proper report if requested. :) [image attachment]

It would be great if some admin or other person (not a new member like me) could put out an information post in the plugin section or wherever is appropriate.

I wasn't infected by this, but I feel it's good to spread the word.
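To make the checks in this thread concrete (H4ndy's point that a real OBS plugin is a .DLL and not an .exe, that a password on the zip keeps antivirus from scanning its contents, and magnuspuig's finding that "config.json" is really a Java archive with classes under com.klintos.apocalypsebot), here is an added Python triage routine. It is not from the thread and was not run against the actual "HLS transcoder" files; the archives it inspects are constructed inline as stand-ins, and the "password-protected" entry only has the encryption flag set in its zip header to reproduce what a scanner would see.

```python
import io
import posixpath
import struct
import zipfile


def sniff(blob: bytes) -> str:
    """Identify a file by its leading bytes, never by its extension."""
    if blob[:2] == b"MZ":
        return "pe"       # Windows executable or DLL
    if blob[:4] == b"PK\x03\x04":
        return "zip"      # zip, jar, docx, ...
    if blob[:4] == b"\xca\xfe\xba\xbe":
        return "class"    # compiled Java class
    return "other"


def triage(archive: bytes, prefix: str = "", depth: int = 0) -> list:
    """Walk a zip (recursing into nested archives) and return a list of
    human-readable findings about what it actually contains."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = posixpath.splitext(info.filename)[1].lower()
            # Bit 0 of the general-purpose flags marks an encrypted entry.
            # A scanner cannot look inside it, which is what the password is for.
            if info.flag_bits & 0x01:
                findings.append(f"{path}: password-protected entry (unscannable)")
                continue
            blob = zf.read(info.filename)
            kind = sniff(blob)
            if kind == "pe":
                if ext == ".dll":
                    findings.append(f"{path}: native DLL (the form a real OBS plugin takes)")
                else:
                    findings.append(f"{path}: Windows executable, not a plugin")
            elif kind == "class":
                pkg = posixpath.dirname(info.filename).replace("/", ".")
                findings.append(f"{path}: Java class in package {pkg}")
            elif kind == "zip":
                if ext in (".zip", ".jar"):
                    findings.append(f"{path}: nested archive")
                else:
                    findings.append(f"{path}: archive disguised as {ext or 'no extension'}")
                if depth < 3:
                    findings.extend(triage(blob, prefix=path + "!/", depth=depth + 1))
    return findings


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def mark_encrypted(archive: bytes, name: str) -> bytes:
    """Set the 'encrypted' flag on one central-directory record so the demo
    archive looks password-protected. The data is not really encrypted; this
    only reproduces the header a scanner sees in a real password-protected zip."""
    data = bytearray(archive)
    pos = data.find(b"PK\x01\x02")
    while pos != -1:
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        if data[pos + 46:pos + 46 + name_len] == name.encode():
            data[pos + 8] |= 0x01   # low byte of the general-purpose flags
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


# Constructed stand-ins for the thread's files: just enough magic bytes to be
# recognised, nothing that runs. Not the real "HLS transcoder" contents.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"(constructed, not a real program)"
FAKE_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8

INNER_JAR = make_zip({
    "com/google/Api.class": FAKE_CLASS,
    "com/klintos/apocalypsebot/Bot.class": FAKE_CLASS,
})
SAMPLE = mark_encrypted(make_zip({
    "HLS transcoder.exe": FAKE_PE,
    "setup.exe": FAKE_PE,
    "config.json": INNER_JAR,   # a ".json" that is really a jar, as in the post
}), "setup.exe")


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run against the constructed sample it reports two Windows executables where a plugin would be a DLL, one entry antivirus could never have scanned, and a "config.json" that is an archive of Java classes. On a real download the same listing is the first thing to collect before anything is executed, together with file hashes for a sandbox submission.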
 

magnuspuig

New Member
Yeah we had to remove a thread about it yesterday. Just tweeted about it from the OBS Twitter.

Unfortunately there's not a lot we can do beyond trying to get the word out. It's not even a real OBS plugin, just calling itself one, so it's not like it's exploiting a security hole in OBS or anything.


I am in need of an administrator. I need to get in touch with someone in private.
If you've got time, I would appreciate it. Thanks!
 