
FiveM Cipher Infection: Signs, Damage & Removal Guide

Last updated on Mar 20, 2024

This article covers Cipher, a known piece of malware found on FiveM servers. Cipher is malicious software, specifically a Remote Access Trojan (RAT). Malicious actors give the RAT custom instructions by writing a short Lua script (typically just 4 lines). These scripts are usually obfuscated to make them difficult to read. The main job of the script is to download additional malicious code from servers controlled by the attackers.

Servers compromised by Cipher can be exploited for various malicious purposes, including:

  • Cryptocurrency Mining: Cipher can install software that secretly uses your server's processing power (CPU) to mine cryptocurrency for the attacker. This can significantly slow down your server's performance.

  • Administrator Password Change: Attackers might use Cipher to change your administrator password, potentially locking you out of your own server.

  • Direct Remote Control: Cipher can grant the attacker complete remote control over your server, allowing them to perform any actions they desire.

  • FiveM Resource Paid Asset Theft: Cipher could be used to steal valuable paid resource assets from your Cfx.re account and transfer them to another account.

  • Data Theft: Cipher can steal sensitive data from your server, such as login credentials or browsing history.

There are multiple ways to detect Cipher on your server.

By checking the user accounts on your server.

  1. Click the Start menu and search for "Computer Management."

  2. Once Computer Management opens, navigate to Local Users and Groups > Users. This will display a list of users on your server.

  3. If you see a user account named "Moda", it's possible your machine has been compromised by Cipher.

By using Visual Studio Code's Search Feature

  1. Open your server's resource folder in Visual Studio Code.

  2. Click the search icon in Visual Studio Code (it looks like a magnifying glass) and search for the payload patterns documented in the following write-ups:

    1. https://github.com/ericstolly/cipher/blob/main/chapters/chapter-1-payload.md

    2. https://github.com/ericstolly/cipher/blob/main/chapters/chapter-2-infection.md

    3. https://github.com/ProjecteEndCipher/Cipher-Panel/blob/main/Documentation/How-It-Works.md

  3. For each search, Visual Studio Code will display any files within your server's resource folder that contain matching text.

  4. If any files are found, proceed with caution and analyze them thoroughly before deleting them.
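The VS Code search above is a manual version of a heuristic file scan. The script below is an added example (not code from this guide or from any of the linked projects) that walks a resource folder, flags Lua files showing the loader traits the guide describes (dynamic code execution, an outbound HTTP call, and strings hidden behind long runs of decimal escapes or string.char calls), and decodes the escaped strings so you can read what the script actually says before deleting it. The signature names, the regular expressions and the sample resource tree are this example's own assumptions; a hit is a reason to review the file, not proof of infection.

```python
"""Heuristic scan of a FiveM resource folder for loader-style Lua scripts.

Added example, not part of the original guide. The indicators below are
assumptions about what an obfuscated downloader stage tends to contain.
"""
import re
import tempfile
from pathlib import Path

# Assumed indicators: dynamic code execution (Lua load/loadstring), the FiveM
# HTTP native, and strings built from many decimal escapes or string.char()
# (the usual way such scripts hide their real text).
SIGNATURES = {
    "dynamic_code_load": re.compile(r"\b(?:load|loadstring)\s*\("),
    "http_request_native": re.compile(r"\bPerformHttpRequest\s*\("),
    "decimal_escape_string": re.compile(r'"(?:\\\d{1,3}){8,}'),
    "string_char_builder": re.compile(r"\bstring\.char\s*\("),
}

# One Lua decimal escape such as \104 (captures the number).
DECIMAL_ESCAPE = re.compile(r"\\(\d{1,3})")
# A whole double-quoted literal made only of decimal escapes.
ESCAPED_LITERAL = re.compile(r'"((?:\\\d{1,3})+)"')


def scan_text(source: str) -> list[str]:
    """Return the names of every signature that matches this Lua source."""
    return [name for name, rx in SIGNATURES.items() if rx.search(source)]


def decode_decimal_escapes(literal: str) -> str:
    """Turn a Lua "\\104\\105" style string body into readable text."""
    return DECIMAL_ESCAPE.sub(lambda m: chr(int(m.group(1))), literal)


def scan_resources(root: Path) -> dict[str, list[str]]:
    """Walk every .lua file under root; report only files with at least one hit."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.lua")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = scan_text(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample resource folder: one ordinary script and one inert,
# loader-shaped script. The escaped string decodes to "hello world", so the
# sample fetches and runs nothing even if it were loaded.
CLEAN_LUA = 'RegisterCommand("hello", function(src) print("hi") end)\n'
SUSPICIOUS_LUA = (
    'local p = "\\104\\101\\108\\108\\111\\32\\119\\111\\114\\108\\100"\n'
    "load(p)()\n"
)


def build_sample_tree() -> Path:
    """Write the constructed sample files into a temporary folder and return it."""
    root = Path(tempfile.mkdtemp(prefix="fivem_scan_"))
    (root / "good_resource").mkdir()
    (root / "good_resource" / "server.lua").write_text(CLEAN_LUA)
    (root / "good_resource" / "injected.lua").write_text(SUSPICIOUS_LUA)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, hits in scan_resources(root).items():
        print(f"{rel}: {', '.join(hits)}")
        for m in ESCAPED_LITERAL.finditer((root / rel).read_text()):
            print("  decoded:", decode_decimal_escapes(m.group(1)))
```

Point `scan_resources` at your real resources directory instead of the sample tree; files with `dynamic_code_load` together with an escaped or `string.char`-built string are the ones to open first, and the decoded text tells you whether the hidden string is a URL or a function name worth worrying about.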

By checking out open source programs

⚠️ It's recommended to rebuild or reinstall your server after removing all malicious injected code. ⚠️

More References: