Recently, the case of streamer Do Mixi (Phung Thanh Do) having his YouTube channel hacked has attracted great attention from the technology community and domestic gamers. After 2 days off air, on April 3 Mixigaming's YouTube channel was restored to its original state, and the streamer was back “on air” the same evening.
In his latest stream, Do Mixi shared how the hacker contacted him and tricked him into running malicious code on his personal computer. We have collected sample files and conducted a preliminary analysis of how this malware bypasses anti-virus programs, as well as a list of the malware this streamer's PC was infected with.
Before reading further, we encourage readers to refer to the article “Strong password, enable 2-layer security, why are ‘top’ YouTubers like Do Mixi still being hacked?”. Although completed before Do Mixi confirmed the attack method, that article accurately predicted the scenario created by the hacker, including disguising an email as an invitation to cooperate, sending malicious code as a compressed file, and the ways used to bypass anti-virus software.
The malicious code file sent to Do Mixi was disguised as a game called “Black Myth Wukong” (this game has not yet been officially launched, so every download link for it is fake). This “game” was shared via the online storage services Google Drive and Dropbox.
![Photo 1](https://diaocthoibao.com/wp-content/uploads/2024/04/Not-just-1-Do-Mixi-was-infected-with-at-least.png)
Do Mixi shared the email “inviting cooperation” that was used to trick him into launching the malicious code
First, let's look at the file the hacker sent to Do Mixi. It is called “Black Myth Wukong.rar”, a WinRAR archive with a size of 886.5MB. This file does not require a password to decompress.
“Black Myth Wukong.rar” contains 2 files: “Black Myth Wukong Demo.rar” and “ReadMe.txt”. Black Myth Wukong Demo.rar is encrypted (password-protected), and ReadMe.txt contains the password to decrypt it. The password of the RAR file was also shared with Do Mixi in the work email exchange.
![Photo 2](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215580_887_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
Contents of the file Black Myth Wukong.rar
After unpacking, we get a series of folders and files arranged like a real game installer. However, this is only a way for the hacker to deceive the user's eyes: these folders and files are completely unrelated to any game, and they contain no malicious code either. They are purely “scenery”.
![Photo 3](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215580_790_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
The file “Black Myth Wukong 64-bit.exe”, with a size of 692.1MB
Instead, all attention goes to the file “Black Myth Wukong 64-bit.exe”. This is an .exe file with a size of 692.1MB and MD5 hash 05eb129bc331d556a3330bdb262cb132.
As analyzed in the previous article, the very large size of this .exe file is a way for the malicious code to get past anti-virus software. Quoting that article: “The reason for doing this is that, with default settings, some anti-virus software will not scan files that are too large, to avoid affecting PC performance. Some online virus scanning services such as VirusTotal also only allow uploading files with a maximum size of 650MB, so 700-750MB can be considered the ‘ideal number’ for these types of attacks.”
The way hackers increase the file size was also mentioned in the previous article. Besides a very small portion of malicious code, the hacker inserted a long run of redundant bytes at the end of the exe file.
![Photo 4](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215581_661_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
![Photo 5](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215581_689_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
Besides the malicious code, the hacker inserted a long run of empty padding to increase the file size
We edited the original .exe file, removing the redundant padding. After this “slimming”, Black Myth Wukong 64-bit.exe shrank from 692.1MB to 6.9MB.
![Photo 6](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215581_205_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
After editing, the exe file size is reduced from 692.1MB to only 6.9MB
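As an added illustration (our own example, not part of the original analysis), the following Python script measures a PE file's overlay, the bytes appended after the last section, flags the bloated-and-uniform pattern described above, and strips the overlay so the core sample can be submitted to a scanner. The minimal PE image it builds is constructed for the demo, and the flagging thresholds are assumptions.

```python
import struct
from collections import Counter

def pe_overlay_info(data: bytes) -> dict:
    """Measure the overlay: bytes appended after the last PE section.
    Anti-virus-evading padding shows up as a huge, near-uniform overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size        # section headers follow the optional header
    end_of_sections = 0
    for i in range(num_sections):
        # Each 40-byte section header: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    overlay = data[end_of_sections:]
    top_count = Counter(overlay).most_common(1)[0][1] if overlay else 0
    return {
        "file_size": len(data),
        "end_of_sections": end_of_sections,
        "overlay_size": len(overlay),
        "overlay_ratio": len(overlay) / len(data),
        "uniform_fraction": top_count / len(overlay) if overlay else 0.0,
    }

def looks_padded(info: dict) -> bool:
    # Assumed thresholds: overlay dominates the file and is almost one repeated byte
    return info["overlay_ratio"] > 0.9 and info["uniform_fraction"] > 0.9

def strip_overlay(data: bytes) -> bytes:
    """Return the executable without its overlay, for submission to a scanner."""
    return data[:pe_overlay_info(data)["end_of_sections"]]

def build_sample_pe(padding: int) -> bytes:
    """Constructed minimal PE32+ image (not a real program, not the sample from the
    article): one .text section of 0x200 raw bytes at offset 0x200, then padding."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)   # 1 section, 240-byte opt hdr
    section = b".text\0\0\0" + struct.pack("<IIII", 0x100, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + b"\0" * 240 + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" * 0x200 + b"\0" * padding
```

On a real sample, read the file into `data`, call `pe_overlay_info` and, if `looks_padded` is true, write out `strip_overlay(data)` for scanning; keep the original for the hash record.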
At this point, we can easily upload the file to VirusTotal for scanning. Of the 72 scanning engines on VirusTotal, 29 identified it as malicious code. Unfortunately, Bkav antivirus software, advertised as integrating a series of advanced AI technologies, cannot identify this malicious code. See VirusTotal's report on the file sample we edited here.
![Photo 7](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215581_971_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
The edited file “Black Myth Wukong 64-bit.exe” uploaded to VirusTotal and recognized by 29/72 anti-virus engines
However, the story doesn't stop there. Using the VirusTotal Graph tool, we can take a more detailed look at how this malware works.
VirusTotal Graph can be thought of as a “mind map” for malicious code. When a user uploads a file, VirusTotal analyzes what that file does on the system, such as which smaller files it creates and which servers it connects to. On VirusTotal Graph, objects with a red circle around them are considered malicious.
And the analysis shows a not very positive outcome for streamer Do Mixi.
![Photo 8](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215582_349_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
Analysis of the malicious code with the VirusTotal Graph tool
First, the Internet connections: when launched, this malicious code connects to a number of servers in the US, some of which are on the blacklists of network security services. What Do Mixi data is sent to those servers will, of course, require more in-depth analysis.
![Photo 9](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215582_61_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
![Photo 10](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215582_156_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
![Photo 11](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215582_66_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
Malicious code connects to a series of dangerous IP addresses
What we want to emphasize more are the files produced while this malicious code runs. As mentioned above, on VirusTotal Graph objects with a red circle around them are considered malicious, and if you look at the image below, not a single one of these files is flagged as malicious.
![Photo 12](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215582_325_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
Files created while the malware runs
That is because all of these files are “standard”, verified .dll libraries. However, we noticed the presence of bz2, a Python library whose job is to decompress files (similar to WinRAR on Windows).
![Photo 13](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215582_788_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
The bz2 library, used for decompression
Alongside it is a zip file named “base_library.zip” with a size of 1.27MB.
![Photo 14](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215582_568_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
The zip file named “base_library.zip”, with a size of 1.27MB
Extract the zip file, and this is what we get. Unbelievable!
![Photo 15](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215582_168_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
A series of malicious programs “hidden” inside this zip file
![Photo 16](https://diaocthoibao.com/wp-content/uploads/2024/04/1712215583_915_Not-just-1-Do-Mixi-was-infected-with-at-least.png)
One of the many malicious programs that attacked Do Mixi's PC
Thus, even counted only roughly by hand, Do Mixi was infected with at least 20 different types of malware. The following is a list of the files and the malicious code types recognized by different antivirus engines:
cstealer.exe: Trojan:Win64/CrealStealer.AMJ!MTB (Microsoft)
foodmethods.exe: UDS:Trojan-PSW.Multi.Stealer (Kaspersky)
gen.exe: W64.AIDetectMalware (Bkav)
payload.exe: UDS:Trojan.Win32.Generic (Kaspersky)
Free-Robux-fur-drinosch.exe: Trojan:Win32/Sabsik.FL.B!ml (Microsoft)
TwitchShop Ad Bot 1.0.6.exe: Backdoor.PHP.yj (Jiangmin)
base.exe: TrojanDownloader.Pyfatget.e (Jiangmin)
fn.exe: HEUR:Trojan-Banker.Win32.Clipbanker.b (Kaspersky)
creal.exe: Trojan:Win32/Phonzy.A!ml (Microsoft)
zobato2.scr: HEUR:Trojan-PSW.Python.Luna.gen (Kaspersky)
mitmweb.exe: Malware.AI.273182600 (Malwarebytes)
main.exe: Program:Win32/Wacapew.C!ml (Microsoft)
NitroDumpz-Updater.exe: Trojan:Win32/Wacatac.B!ml (Microsoft)
test rml.exe: W32.Common.4F5989E5 (Bkav)
Raft-Hard-Survie.exe: Win32.Trojan-Stealer.LunaGrabber.EYQP0B (GDATA)
text.exe: Python:KeyLogger-BO [Trj] (AVG)
PyInstaller.exe: Malware.AI.1280676777 (Malwarebytes)
try.exe: Trojan:Win64/CrealStealer.AMJ!MTB (Microsoft)
00040f10415f1c993c0d9cf46ca5e2f013cd9e9b4e935f7fffd6dc1d98333cc3.file: Trojan:Win32/Phonzy.B!ml (Microsoft)
defender.exe: Trojan-Ransom.Win32.Blocker.zmab (Kaspersky)
At this point, although each file could be “extracted” for deeper analysis, the amount of malicious code is too large for the scope of this article. Perhaps this is enough to confirm that streamer Do Mixi is really in big trouble: because each piece of malicious code is programmed with a different purpose, it is difficult to fully list what the hackers have taken from this streamer's computer.
After his YouTube channel was hacked, Do Mixi worked with Google representatives to get it back. This is not surprising, because Do Mixi is not the first major YouTuber whose channel was hijacked to livestream virtual currency content. Google is familiar with these situations and has prepared backup plans to restore channels and accounts.
However, also during yesterday's stream, Do Mixi personally confirmed that his surveillance camera system had been hacked as well. Then, right on the stream, Do Mixi lost control of his Steam account, with games and inventory estimated to be worth billions of dong. Will Do Mixi receive “dedicated” support like YouTube's in these situations?
As of the time of writing, Do Mixi's Steam account has not been restored. And with such a large amount of malicious code, it is likely that more of this streamer's data will be exploited in the future.
Source: https://cafef.vn/file-rar-nay-da-tan-cong-streamer-do-mixi-khong-chi-1-do-mixi-da-nhiem-it-nhat-20-loai-ma-doc-khac-nhau-188240404135244469.chn