Discord Nitro Malware Gang

So today my laptop got infected.
All my icons are Among Us.
Every time I restart my laptop I get an autorun worm.
OK, so I decided to run a VirusTotal scan on every icon I have, and this happened:

edit:
The user info:
The guy named Ytzmo runs a Discord server where he provides free Discord Nitro,
and yes, the RAT has been running for a while.
The dump is using njRAT.
The file is fully undetected.
Once you click it you will see this on your startup:


Check the results here.

The YouTube channel where he promotes his RATs (banned): https://www.youtube.com/c/Ytzmo/

With 2k subs.

idk, but I went to any.run and put the file in there,
then I got this info:

I got the DDNS they are using:
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Also their IPs:
50.23.197.95
69.42.215.252
When I realized its ISP is SoftLayer,
I went to Google, did some research and found this article: When it comes to spam, IBM's SoftLayer is the host with the most | InfoWorld

idk what to do.
I am installing ESET antivirus.
I get an autorun worm whenever I restart my laptop.

idk if I got lateral movement on my network.
Any suggestions?

Abuse report has been sent to their DDNS provider.

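A small triage script, added here as an example and not part of the thread, for the OP's question about lateral movement: it runs over constructed proxy log lines (assumed format: timestamp, source host, destination IP, URL or "-") and flags any host that talked to the two addresses or the DDNS API the OP found. The log format, host names and timestamps are invented; the indicators are the ones posted above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators taken from the thread: the two addresses the sample contacted and
# the afraid.org DDNS API it queried. The sha= token in the thread's URL belongs
# to that sample; it is not matched here because any getdyndns call from a
# machine that runs no DDNS client is worth a look (assumption for this example).
C2_IPS = {"50.23.197.95", "69.42.215.252"}
DDNS_HOST = "freedns.afraid.org"

# Constructed proxy log lines (not real telemetry):
# timestamp, source host, destination ip, URL (or "-" for a bare TCP connection).
SAMPLE_LOG = """\
2023-01-10T09:01:12Z LAPTOP-01 172.217.0.46 https://www.youtube.com/
2023-01-10T09:01:30Z LAPTOP-01 69.42.215.252 http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
2023-01-10T09:01:31Z LAPTOP-01 50.23.197.95 -
2023-01-10T09:02:05Z LAPTOP-01 69.42.215.252 -
2023-01-10T09:03:00Z LAPTOP-02 13.107.42.14 https://login.live.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def classify(line):
    """Return (timestamp, host, dst, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, dst, url = m.groups()
    reasons = []
    if dst in C2_IPS:
        reasons.append("destination is an njRAT address from the thread")
    if url != "-":
        parsed = urlparse(url)
        if parsed.hostname == DDNS_HOST and parsed.path.startswith("/api/"):
            action = parse_qs(parsed.query).get("action", [""])[0]
            if action == "getdyndns":
                reasons.append("afraid.org DDNS lookup (getdyndns)")
    return (ts, host, dst, reasons) if reasons else None


def scan(log_text):
    """Return all alerts and the set of hosts that should be isolated and re-imaged."""
    alerts = [a for a in (classify(l) for l in log_text.splitlines()) if a]
    beaconing_hosts = {a[1] for a in alerts}
    return alerts, beaconing_hosts


if __name__ == "__main__":
    found, hosts = scan(SAMPLE_LOG)
    for ts, host, dst, reasons in found:
        print(ts, host, dst, "; ".join(reasons))
    print("hosts to isolate:", sorted(hosts))
```

A second host showing up in the returned set is the answer to "did it spread": only LAPTOP-01 does in the constructed sample.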

IP DB abuse: 50.23.197.95 | SoftLayer Technologies Inc. | AbuseIPDB
69.42.215.252 | Awknet Communications LLC | AbuseIPDB

edit:

Download Malwarebytes and run a scan with it.


I’d recommend just resetting fully, most of your files are probably binded with malware.

The malware itself is GitHub - MalwareStudio/Mbr-Builder: Build your custom mbr locker, I am pretty sure. As there is not much information on the GitHub page, my friend says it runs njRAT; however, the version you have could be another variant, as this Mbr-Builder modifies the MBR to display a custom message.


Just an FYI, the zip in that repo is also malware; a non-malware version can be seen at GitHub - pankoza-pl/Mbr-Builder: Build your custom mbr locker


This will be a bad move if he starts ransomware first, before he transfers all files, because he cannot access his PC after destroying it. Also, njRAT's source code was leaked, so if he finds a way to decompile the stub (stub.exe) to look for full information such as the DDNS and IP addresses, he can escape if he finds all files which were infected (copied) from Synaptics.exe. As we know, Synaptics isn't the big problem; it only replaces already existing executables with a fake virus and autorun. ← just an option from the RAT. Another problem is the obfuscation, but it may be easy because the source code is already published and you can deobfuscate the details.

**Also, using free shit tools like Discord Nitro is malicious.**


This is how it works:
the file will run as a Nitro cmd generator normally,
then auto-download and auto-run the backdoors from these websites.

Synaptics.exe is the main backdoor, which is made with njRAT.

How didn’t ESET detect it? Bruh.

No, you didn’t understand.
I was using Windows Defender;
now, after the virus, I installed ESET.

ESET is the best.

You can use HitmanPro as well; it removes most of it!