"Dodgy" FabFilter Mac installer from team GMATIC left "CoreAudio.app" on system

Discussion in 'Mac / Hackintosh' started by Vaultnaemsae, Feb 28, 2025 at 6:01 PM.

  1. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined:
    Jun 28, 2017
    Messages:
    6
    Likes Received:
    0
    I was running on not much steam after a very long day and installed plugins using a re-uploaded FabFilter installer from team GMATIC. It installed an unusual "CoreAudio.app" application on the system. I removed it using an app removal utility for macOS.

    The original link has since been removed from the site -- within hours.

    The release team was unfamiliar, but I didn't notice until the installer had completed.

    What kind of nastiness have I potentially exposed myself to?
     
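    An added example for the situation described in the post above (it is not code from the thread or from anyone posting in it): an app-removal utility deletes the bundle, but a dropper that wants to survive a reboot usually also registers a launchd job or a login item, and those are worth checking separately. The script scans the standard launchd folders for any job whose program or arguments mention the bundle name, lists login items via System Events when run on macOS, and reports whether the bundle is still in /Applications. The bundle name comes from the thread; the plists that `make_sample_dir()` writes are constructed fixtures for exercising the scanner, not artifacts from the real installer.

```python
"""Triage helper for the CoreAudio.app case: find launchd persistence that
points back at a given app bundle, and (on macOS) list login items.

Added example, not part of the forum thread. Anything it finds is a lead to
inspect, not proof of what the app did."""
import platform
import plistlib
import subprocess
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",   # per-user, no admin needed
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def launchd_targets(plist_path):
    """Return (label, [program strings]) for one launchd job plist.
    Both Program and ProgramArguments are read; a corrupt or unreadable
    file yields an empty list so one bad file does not stop the scan."""
    plist_path = Path(plist_path)
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except (plistlib.InvalidFileException, ExpatError, OSError, ValueError):
        return (plist_path.name, [])
    if not isinstance(job, dict):
        return (plist_path.name, [])
    targets = []
    if isinstance(job.get("Program"), str):
        targets.append(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list):
        targets.extend(str(a) for a in args)
    return (str(job.get("Label", plist_path.stem)), targets)


def scan_launchd(dirs, needle="CoreAudio.app"):
    """[(plist path, label, matching string)] for every job whose program
    or arguments contain `needle` (case-insensitive substring match)."""
    hits = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            label, targets = launchd_targets(p)
            for t in targets:
                if needle.lower() in t.lower():
                    hits.append((str(p), label, t))
                    break
    return hits


def login_items():
    """Names of login items via System Events (macOS only; [] elsewhere)."""
    if platform.system() != "Darwin":
        return []
    script = 'tell application "System Events" to get the name of every login item'
    out = subprocess.run(["osascript", "-e", script], capture_output=True, text=True)
    if out.returncode != 0 or not out.stdout.strip():
        return []
    return [s.strip() for s in out.stdout.strip().split(",")]


def triage(app_name="CoreAudio.app", dirs=LAUNCHD_DIRS):
    """Collect the three checks into one report dict."""
    stem = app_name.split(".")[0].lower()
    return {
        "bundle_present": Path("/Applications", app_name).exists(),
        "launchd_hits": scan_launchd(dirs, app_name),
        "login_items": [n for n in login_items() if stem in n.lower()],
    }


def make_sample_dir():
    """Constructed fixture (not real malware artifacts): one job pointing at
    the bundle, one benign job, and one corrupt file, in a temp directory."""
    d = Path(tempfile.mkdtemp(prefix="launchd-sample-"))
    with open(d / "com.example.coreaudio.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.coreaudio", "RunAtLoad": True,
                       "ProgramArguments": ["/Applications/CoreAudio.app/Contents/MacOS/CoreAudio"]}, fh)
    with open(d / "com.example.benign.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.benign", "Program": "/usr/bin/true"}, fh)
    (d / "broken.plist").write_bytes(b"not a plist")
    return str(d)


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

    Run it on the affected Mac; on any other OS the login-item check simply returns an empty list. A hit means a job file points at the bundle, which is a plist to unload and remove and a lead to inspect, not by itself a statement of what the app did.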
  3. ArticStorm

    ArticStorm Moderator Staff Member

    Joined:
    Jun 7, 2011
    Messages:
    8,041
    Likes Received:
    4,157
    Location:
    AudioSexPro
    Isn't CoreAudio the audio engine on macOS?
     
  4. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined:
    Jun 28, 2017
    Messages:
    6
    Likes Received:
    0
    No, not the audio engine. As I posted originally, it installed an iconless application called "CoreAudio.app" to my applications folder.
     
    Reactions: Interesting x 1
  5. sisyphus

    sisyphus Audiosexual

    Joined:
    Apr 29, 2014
    Messages:
    1,597
    Likes Received:
    680
    Yeah, I'm a little confused as to this myself... There is a Core Audio driver and whatnot... but I'm not sure what this CoreAudio.app is... or what happened... apparently there was some release deleted or removed by the moderation staff? I missed it, would love to hear more... :)
     
  6. sisyphus

    sisyphus Audiosexual

    Joined:
    Apr 29, 2014
    Messages:
    1,597
    Likes Received:
    680
    Ah ok, I haven't seen that... WHO released it? I would love to peek at that package if there is something sketchy going on...
     
  7. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined:
    Jun 28, 2017
    Messages:
    6
    Likes Received:
    0
    I archived the following .rar after the installation: "FabFilter Total Bundle 2025 MacOS U2B GMATIC"

    I do not recall seeing a GMATIC release on the site before.
     
  8. sisyphus

    sisyphus Audiosexual

    Joined:
    Apr 29, 2014
    Messages:
    1,597
    Likes Received:
    680
    Yeah, I'm not familiar with that either, and I wouldn't touch it.

    Absolutely vet the releases and teams a little before putting things on your system, as you probably have already learned! :)
     
  9. loveriuz

    loveriuz Producer

    Joined:
    Jan 1, 2022
    Messages:
    218
    Likes Received:
    97
    Location:
    East of Jupiter
    TCGMATIC, I think their name was.

    The last 2 "new" fake "teams", Oneclick and C0ndom uploaded bitcoin miners and some malware, rehashing some old V.R license as their own. Banned ASAP. As this new team...


    So, conclusion:
    don't download from a "team" with 1 upload or zero comments that was registered a month before its first release, if you care about your stuff.
    Stay with the teams that are known. Or... do what you want. :dunno:
    Why it's even possible or allowed to be an uploader like that before getting vetted... who knows.
     
  10. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined:
    Jun 28, 2017
    Messages:
    6
    Likes Received:
    0
    Already touched! Waiting for something terrible to happen now...
     
  11. Vaultnaemsae

    Vaultnaemsae Newbie

    Joined:
    Jun 28, 2017
    Messages:
    6
    Likes Received:
    0
    Thanks for the reply but I wasn't seeking advice on how to approach the site, though it is a good reminder to all. I obviously made an error of judgment and it certainly wasn't intentional.

    What I was wondering is if anybody had any further information on what threats I may have been exposed to and what the "CoreAudio.app" actually is... I doubt it's a good thing. And since it was removed, somebody knows something about it.
     
  12. HoMeCracKeR

    HoMeCracKeR Noisemaker

    Joined:
    Jun 6, 2013
    Messages:
    1
    Likes Received:
    4
    I took a quick look at the CoreAudio app from GMATIC that is included in our stolen release and it looks like it is a keylogger / monitoring app so I recommend anyone who has it installed to remove it immediately.

    For anyone who wants to investigate a little more closely, PM me.
     
    Reactions: Like x 4, Love it! x 1
  13. shinyzen

    shinyzen Audiosexual

    Joined:
    Sep 28, 2023
    Messages:
    886
    Likes Received:
    568
    Wow! WTF. This, paired with dox-gate that happened earlier in the week, is highly suspect. Is somebody attacking the community? Thanks HCiSO for the warning!
     
    Last edited: Feb 28, 2025 at 10:25 PM
  14. omiac

    omiac Moderator Staff Member

    Joined:
    May 3, 2024
    Messages:
    227
    Likes Received:
    226
    For obvious reasons I won't go into, this isn't the place to publicly distribute warez / malware, so for you guys offering any related content, whatever it may be, please only do so via PM and only with longtime trusted members of the scene and this community. TY!
     
    Reactions: Like x 2, Agree x 1
  15. shinyzen

    shinyzen Audiosexual

    Joined:
    Sep 28, 2023
    Messages:
    886
    Likes Received:
    568
    My bad! I edited my comment to have less detail.
     
  16. bigpapa23

    bigpapa23 Newbie

    Joined:
    Yesterday
    Messages:
    3
    Likes Received:
    1
    The "virus" acts as a sort of snippet manager. If you copied & pasted a crypto address that matches the regex of some mainstream crypto, it gets replaced instantly with the "attacker" address. If you haven't sent any crypto with the app running in the background, you're safe. Just remove it from the computer and from login items.

    TL;DR: The app monitors your clipboard and if it finds a crypto address it replaces it with the attacker's address.

    I don't know if I'm allowed to paste them here (hopefully an admin can redact this post otherwise) but here they are (attacker addresses), you can check them online:

    bc1qahv0ga0yzat2rtht34whuakgycrav42hycdl86
    0x909a57D971456d4172feAa4463cE76D305a0e2Cf
    rKniNzSKgCZfaLwPtSNLqpVpkLWS1sAuwu
    qr7s3s4dtyd02w4tcjx32k9cqmvwd8g98g30cteeh4
    DN8SXJrQhFjuGi73HSFkYjnjpmy6hduMaq
    XhfW2dBwvzMTyMvNBu3RJPjtgfHtymEbru
    TSuhfaNjQVKTSN5LTduTAmTVJKm6VP9U4z
    xvmpl8n4sx55fhv9xemfa89yr5kl3wcq4dlq36
    2bdyqjng3MdNVvQD9G5DtXdzdLMTFvusUMwXqN2TyK5p
     
    Last edited: Feb 28, 2025 at 11:05 PM
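    An added example (not code from the thread, and not taken from the CoreAudio.app sample) of the check a practitioner would want after reading the post above: a shape-based classifier for the address types bigpapa23 lists, a before/after comparison that flags the clipper's signature (you copied an address of one coin and a different address of the same coin was pasted), and a scan of arbitrary text, say a wallet's sent-transaction export, for the addresses posted above. The address regexes are ordinary public patterns for each coin and are my assumption about what such a clipper matches on; the attacker addresses are reproduced exactly as bigpapa23 posted them and are not independently verified here.

```python
"""Clipboard-clipper detection helper for the behaviour described in the
thread: a resident app rewrites any copied crypto address into the attacker's.

Added example, not code from the thread or from the CoreAudio.app sample."""
import re

# Address shapes, checked in order: specific prefixes first, Solana last,
# because its bare base58 pattern would also match DOGE/DASH/TRX/XRP.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"                 # base58 alphabet (no 0, O, I, l)
_B32 = r"[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"   # bech32 / cashaddr alphabet
ADDRESS_PATTERNS = [
    ("ETH",  re.compile(r"0x[0-9a-fA-F]{40}")),
    ("BTC",  re.compile(r"bc1" + _B32 + r"{11,71}")),          # bech32
    ("BTC",  re.compile(r"[13]" + _B58 + r"{25,34}")),         # legacy
    ("BCH",  re.compile(r"(?:bitcoincash:)?[qp]" + _B32 + r"{41}")),
    ("XRP",  re.compile(r"r" + _B58 + r"{24,34}")),
    ("DOGE", re.compile(r"D[5-9A-HJ-NP-U]" + _B58 + r"{32}")),
    ("DASH", re.compile(r"X" + _B58 + r"{33}")),
    ("TRX",  re.compile(r"T" + _B58 + r"{33}")),
    ("SOL",  re.compile(_B58 + r"{32,44}")),
]

# The replacement addresses as posted by bigpapa23 (indicators, unverified here).
ATTACKER_ADDRESSES = frozenset([
    "bc1qahv0ga0yzat2rtht34whuakgycrav42hycdl86",
    "0x909a57D971456d4172feAa4463cE76D305a0e2Cf",
    "rKniNzSKgCZfaLwPtSNLqpVpkLWS1sAuwu",
    "qr7s3s4dtyd02w4tcjx32k9cqmvwd8g98g30cteeh4",
    "DN8SXJrQhFjuGi73HSFkYjnjpmy6hduMaq",
    "XhfW2dBwvzMTyMvNBu3RJPjtgfHtymEbru",
    "TSuhfaNjQVKTSN5LTduTAmTVJKm6VP9U4z",
    "xvmpl8n4sx55fhv9xemfa89yr5kl3wcq4dlq36",
    "2bdyqjng3MdNVvQD9G5DtXdzdLMTFvusUMwXqN2TyK5p",
])


def classify_address(s):
    """Coin ticker for a bare address string, or None. Shape only: no
    checksum validation, so it says 'looks like', not 'is'."""
    s = s.strip()
    for ticker, pat in ADDRESS_PATTERNS:
        if pat.fullmatch(s):
            return ticker
    return None


def check_paste(copied, pasted):
    """Compare what the user copied with what actually landed on paste.
    The clipper's signature is `same_type`: an address of the same coin
    came out, so the victim sees something plausible and sends anyway."""
    kind_in, kind_out = classify_address(copied), classify_address(pasted)
    swapped = copied.strip() != pasted.strip() and kind_out is not None
    return {
        "swapped": swapped,
        "coin": kind_out if swapped else kind_in,
        "same_type": swapped and kind_in == kind_out,
        "known_attacker": pasted.strip() in ATTACKER_ADDRESSES,
    }


def find_indicators(text):
    """Every posted attacker address present in `text` (e.g. a transaction
    history export), in order of first appearance. Tokens are split on
    anything outside [A-Za-z0-9:], so an address glued to a period still matches."""
    found = []
    for token in re.findall(r"[A-Za-z0-9:]+", text):
        if token in ATTACKER_ADDRESSES and token not in found:
            found.append(token)
    return found
```

    The classifier validates shape, not checksums, and bare base58 strings are ambiguous (a Solana address that happens to start with 1 or 3 is reported as BTC), so treat its output as a hint. The useful test on a suspect machine is behavioural: copy a known address, paste it into a plain text editor, and feed both strings to `check_paste()`; any `swapped` result is the clipper firing, whether or not the destination is one of the posted addresses.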
  17. shinyzen

    shinyzen Audiosexual

    Joined:
    Sep 28, 2023
    Messages:
    886
    Likes Received:
    568
    That's crazy. Crypto is already robbing me blind in the last couple weeks, and now bad actors are trying to steal what's left of my sad portfolio :rofl:
    I didn't install it, but sheesh! May they forever have bad luck!
     
  18. shinyzen

    shinyzen Audiosexual

    Joined:
    Sep 28, 2023
    Messages:
    886
    Likes Received:
    568
    If I read the explorer correctly it looks like this person is staking their ETH with Coinbase, which means they are not a very smart criminal. In theory, they could pretty easily be identified and prosecuted if somebody so chose to do so. If you are going to be a cyber criminal, don't stake your coins with the top US centralized exchange. Stake in DeFi, and use a tumbler, OTC, or Monero to exit to fiat.
     
  19. bigpapa23

    bigpapa23 Newbie

    Joined:
    Yesterday
    Messages:
    3
    Likes Received:
    1
    I find it hard to believe that someone who got this "virus" from a cracked plugin will report some illegal activity, but you never know :rofl:
     
  20. shinyzen

    shinyzen Audiosexual

    Joined:
    Sep 28, 2023
    Messages:
    886
    Likes Received:
    568
    The virus maker could very well be putting this virus elsewhere, but either way, if I lost thousands I would for sure file a report, regardless of how the tracker made its way onto my device.

    "Yes officers, here is the proof and screenshots of my transaction, here is the blockchain information of the criminal, here is the specific transaction in which they interacted with Coinbase staking, no I do not know how the file made its way onto my computer, I work with a lot of free software and online games, I must have downloaded something by accident"
     
  21. bigpapa23

    bigpapa23 Newbie

    Joined:
    Yesterday
    Messages:
    3
    Likes Received:
    1
    Yeah, that could work. I mean the whole virus seems like the job of an amateurish "hackerman". No wonder he couldn't even hide with the staking. There's no obfuscation, everything is written in black and white. Addresses aren't encrypted in any way. It almost seems like a virus from a YouTube video tutorial or a GPT prompt.
    Btw, people do rug pulls and get away with it. I think you have a bit too much belief in the police. :rofl:
     
    Last edited: Mar 1, 2025 at 12:13 AM