FiveM RAT Analysis

Analyzing the FiveM RAT: A Comprehensive Overview

Introduction

A few months ago, I published a repository detailing the analysis of a Remote Access Trojan (RAT) discovered in multiple FiveM server resources so I decided to make a blog post about that.

Warning: The code discussed in this post is malicious and should not be used under any circumstances. This analysis is provided strictly for educational purposes.

RAT Features

Remote Code Execution (RCE)

The RAT operates through multiple stages:

1. Stage 1: Downloads the second stage from a remote server.
2. Stage 2: Continues by fetching the third stage from the server.
3. Stage 3: Retrieves the fourth stage, maintaining the infection process.
4. Stage 4: Establishes a persistent connection with the remote server, awaiting further commands.

Between Script Communication (BSC)

The RAT also registers handlers for events triggered by other RAT instances, allowing it to bypass detection by communicating between scripts.

Additional Findings

During a deeper investigation into an infected VPS, I discovered that the hosts file had been modified to block access to many common antivirus websites. This was likely done to prevent the server from being scanned and detected by antivirus software.

Prevention Strategies

To protect your server from such threats, consider the following measures:

• Avoid Downloading Leaked Resources: Only use trusted sources for server resources.
• Keep Your Server Updated: Regular updates can patch vulnerabilities that may be exploited by attackers.
• Implement a Firewall: A firewall can block unauthorized access to your server.
• Use a Web Application Firewall (WAF): WAFs provide an additional layer of protection for web applications.
• Install Reliable Antivirus Software: Ensure your server is equipped with strong antivirus protection.
• Monitor for Suspicious Activity: Regularly check your server for any unusual behavior.
• Review Your Resources: Periodically inspect the code in your resources for any suspicious modifications.

Mitigation Measures

After identifying the RAT, I implemented several mitigation steps:

1. IP Blocking: I added the IP address of the malicious server to the firewall blacklist, cutting off communication with the RAT's host.
2. Domain Blocking: The RAT's domain was blocked in the hosts file, preventing it from communicating with the remote server even if the IP address was changed.
3. Code Removal: The malicious code was deleted from the affected resources, and the server was restarted to halt further execution.

Recent Developments

• March 28, 2024: The first instance of this RAT was discovered.
• March 29, 2024: A second instance was found, using a different domain for its backdoor: thedreamoffivem[.]com

By staying vigilant and employing strong security practices, you can help protect your FiveM server from similar threats.