Mac Css Hack



Often it is a simple fix or a missing semicolon. With CSS it is usually that or a problem of which order the code is listed in the style sheets, if not just CSS errors. Please do test the hacks here on the test site. If it works there, that means the hack really is working for your setup, but it is something else that needs to be resolved.

(Photo source: Pony Strike: Global Offense by FilipinoNinja95)

We recently found a Counter-Strike: Global Offensive (CS:GO) hack for macOS that is also a trojan that could mine cryptocurrencies without user consent.

According to VirusTotal Retrohunt, the threat has been in the wild since the beginning of July 2017.

  • On a Mac, if you have already installed an anti-virus, that is the best thing you have done to secure your notebook. To find out whether your Mac has been hacked, scan it. Mac users should scan their systems regularly to check for anything unusual, such as a trojan.

Warning: At the time of this writing, all URLs are live.

Entry Point: Vlone.cc Portal

The entry point is the vlone.cc portal, where a user can register, log in and download the hack installer for free.

The domain name was registered through eNom on April 14, 2017, and resolves to a shared web host at Namecheap:

The HTTPS certificate was issued by COMODO PositiveSSL on June 27, 2017.

When logged in, members can browse the Prices page and purchase a premium subscription for 1, 3 or 6 months through Selly:

Members download the same free-installer archive as guests:

According to the user GET query value, the member count on August 22, 2017 was nearly two thousand.

We don’t know if the private installer of the hack also installs the mining software without user consent.

Binaries analysis

It’s all C++ Standard Library code. Network connections use libcurl over HTTPS.

All executables except the miner CLI require super-user privileges, so the user must run the installer with sudo:

The main binary hides itself as Dynamic Web TWAIN, an online document scanning platform.

vHook

vHook is the installer. It is packed with UPX, probably to avoid user analysis and bypass some security products.

It is a command line interface:

With a valid member account, it downloads and extracts bootstrap.dylib and vhook.dylib from https://vlone.cc/portal/gateway.php as assets.zip to /Library/Application Support/:

It loads bootstrap.dylib from the osxinj project. If Counter-Strike: Global Offensive is running, it downloads and extracts some fonts (https://vlone.cc/fontfix.zip as vlone.zip to /Library/Fonts/), and injects vhook.dylib into the csgo_osx64 process.

It could be a perfect deal for a CS:GO user, but it turns out vHook also sneakily downloads and extracts https://vlone.cc/abc/assets/asset.zip as fonts.zip to /var/, changes directory to /var and runs sudo ./helper &.

It then kills the Terminal application to hide the detached process output.

helper

helper is the miner downloader dropper. It is also packed with UPX.

It first asks the C&C server for the name of the binary to execute upon download:

It downloads https://www.vlone.cc/abc/assets/b.zip as /b.zip, extracts its contents to /var/.log/, changes directory to /var/.log/ and runs sudo ./com.dynamsoft.WebHelper &.

At the time of this writing, https://www.vlone.cc/abc/assets/b.zip returns a 404 File Not Found error, but https://www.vlone.cc/abc/assets/bz.zip is live and sends the expected archive.

com.dynamsoft.WebHelper

com.dynamsoft.WebHelper is the miner downloader. Despite the name, it is not related to Dynamsoft.

It starts by downloading and extracting:

  • WebTwainService from https://www.vlone.cc/abc/assets/d.zip to /var/.log/
  • com.dynamsoft.WebTwainService.plist from https://www.vlone.cc/abc/assets/p.zip to /Library/LaunchDaemons/

It loads the daemon, sends the computer's unique identifier (UUID) and its version to the C&C server, and checks if it meetsRequirements(), i.e. running as root and not in a debugger:

It then sleeps for one hour. If one is in a hurry, he or she can cut out the nap easily:

Once rested, it sends commands to the C&C server every minute to ask if it should mine and update or kill itself:

Every minute, it also creates or updates the mining thread to:

  • download and extract https://www.vlone.cc/abc/assets/helper.zip to /var/.trash/.assets/
  • get miner settings (maximum core number, currency, email address)
  • check if Activity Monitor is running
  • check if it is already mining
  • check if it should stop mining
  • run cd /var/.trash/.assets/; ./com.apple.SafariHelper with appropriate arguments

WebTwainService

WebTwainService tries to take care of com.dynamsoft.webhelper persistence. It is again packed with UPX.

It sets its current directory to /var/.log and runs sudo ./com.dynamsoft.webhelper &, then recursively sleeps for one hour…

minergate-cli

com.apple.SafariHelper is actually the official MinerGateCLI v4.04:

It is written in Qt, so it comes with frameworks:

It takes as much CPU as requested by com.dynamsoft.WebHelper, so the user enjoys the delight of the computer’s fans as background music:

In this example, it is mining Monero (XMR) with all virtual machine cores (two: 200.0%).

The current MinerGate email address is pwnedboi@protonmail.com, and the email address xxanax420@gmail.com was also found hardcoded in another sample.

The maximum core number, cryptocurrency and email address are provided by com.dynamsoft.WebHelper and the C&C server:

vLoader

We finally ended up with vLoader, the private installer, and, once more, it is packed with UPX.

It does many checks against the C&C server:

They are trivial to bypass for anyone who can force a conditional jump:

Private payloads are downloaded and extracted to /var/.old/:

  • boots.dylib from http://vlone.cc/clear/sadmio.zip
  • .uhdexter.dylib from http://vlone.cc/clear/getout.zip

Compared to the free injected library, the private hook is very similar:

vLoader doesn’t uninstall any of the free version's naughty payloads.
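Because no stage removes the others, a host that ran either installer can carry any of the paths named in this analysis. The sweep below is an added example, not code from the original write-up: it checks only paths quoted above, assumes the archives are extracted flat under the stated directories, and the names pwnet_scan, PWNET_PATHS and PWNET_HITS are illustrative. The staging directories are listed as well because helper asks the C&C server for the binary name, so file names may differ.

```shell
#!/bin/sh
# Added example: sweep a macOS volume for the OSX.Pwnet.A paths quoted in this write-up.
# Usage: pwnet_scan                    (live system, run as root to read /var)
#        pwnet_scan /Volumes/Evidence  (mounted image; prefix is an illustrative argument)

# Files and hidden staging directories taken from the analysis, one per line.
PWNET_PATHS='/var/helper
/var/fonts.zip
/b.zip
/var/.log
/var/.log/com.dynamsoft.WebHelper
/var/.log/WebTwainService
/Library/LaunchDaemons/com.dynamsoft.WebTwainService.plist
/var/.trash/.assets
/var/.trash/.assets/com.apple.SafariHelper
/var/.old
/var/.old/boots.dylib
/var/.old/.uhdexter.dylib'

# Prints one line per artifact found under ROOT, stores the count in PWNET_HITS,
# and returns 0 when nothing was found, 1 otherwise.
pwnet_scan() {
    root="${1:-}"
    hits=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        target="${root}${p}"
        # -L also catches dangling symlinks left behind by partial cleanup.
        if [ -e "$target" ] || [ -L "$target" ]; then
            if [ -d "$target" ]; then kind=DIR; else kind=FILE; fi
            printf 'FOUND %s %s\n' "$kind" "$target"
            hits=$((hits + 1))
        fi
    done <<EOF
$PWNET_PATHS
EOF
    PWNET_HITS=$hits
    [ "$hits" -eq 0 ]
}
```

A hit on the LaunchDaemon plist means the WebTwainService persistence described above is installed; unload it before removing the files under /var/.log.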

Finn and ponies

We didn’t spend too much time reverse engineering vhook.dylib. The source code was available on GitHub (archive) and videos of the hack are also available on YouTube here and there.

The GitHub owner of the vHook project is fetusfinn (the original author is ViKiNG), and we coincidentally found debugger symbols matching the Finn username in GitHub’s libvHook.dylib and in all analyzed binaries:

This is how we know Finn’s project name is pwnednet. Shortened to pwnet, it sounds like poney in French, i.e. pony in English and, everybody loves ponies, so here you have OSX.Pwnet.A!

There also is a reference to someone named Jennifer Johansson in Xcode user data:

We didn’t take the time to ask pwned’s boyfriend on Discord if Finn is much into ponies:

But, just in case, here is a Dutch Pony for Finn and her team.

From Hackestria with ❤

EDIT: added vLoader on 2017/08/29.

Aimbot, wallhack & speedhack for Counter-Strike Source
Virus/spyware free hacks
All cheats are scanned with ESET NOD32 Antivirus. Scan results from VirusTotal are also posted.
Worried about getting banned?
Or just want more info about VAC? Then read more about Valve Anti Cheat.

Name | VAC Status (?) | Date added
SPEED MAN 1537 Public v.2.5 | Unknown | Jun 22, 2011
Materials Wallhack v4 | Unknown | Jun 11, 2011
NXG CSS V3.0 Public | Detected | Jun 11, 2011
Project-7 v2.8 | Detected | May 10, 2011
Project-7 v2.7 | Detected | May 9, 2011
iCheat24 Public CSS Simple Wireframe Wallhack | Unknown | May 8, 2011
Project-7 v2.6 | Detected | May 8, 2011
Project-7 v2.5 | Detected | Apr 15, 2011
Machook Public Alpha 1 | Unknown | Mar 31, 2011
Project 7 v2.3 | Detected | Feb 21, 2011

SPEED MAN 1537 Public v.2.5

Released: Jun 22, 2011 - Unknown
Features:
- Aimbot
Aim Bot
Aim Spot
Aim Type
Aim FOV
Aim Silent
Aim AutoWall
Aim X
Aim Y
Aim Z
- ESP
ESP Name
ESP Health
ESP Box
ESP Skeleton
ESP Laser
ESP Hitbox
ESP Steam ID
- Removals
No Spread
No Recoil
No Visual Recoil
- Visuals
Vis Crosshair
Vis Color Models
Vis Glow Models
Vis Radar
- Misc
Bunnyhop
Autopistol
AntiAim
Roundsay
Buybot
Menu X
Menu Y
Download SPEED MAN 1537 Public v.2.5
Downloaded 56.786 times

Materials Wallhack v4

Released: Jun 11, 2011 - Unknown
Features:
No Sky
No Hand
Wall Hack
Color Models
All Maps Transparent
Download Materials Wallhack v4
Downloaded 107.868 times

NXG CSS V3.0 Public

Released: Jun 11, 2011 - Detected

Features:
Chams (Only 1 option for public)
Crosshair
Hands (Chamed, Wireframe, or Removed)
FullBright (Fullbright Models)
No Fog (Fog Removed)
Info Box (Displays Settings)
Weapon Chams (Chamed, Wireframe, or Removed)
WireFrame Chams (1 Color For Public)
XQZ Wallhack
Remove Smoke
Sniper Overlay
Help Box
Move Menu
Move Stats
Save Options
Load Options
Download NXG CSS V3.0 Public
Downloaded 16.012 times

Features:
Aimbot
- Aimkey
- FOV
- AutoFire
- Hitbox
- Hitbox Adjust
- Auto wall
- Lag Prediction
- Silent Aim
ESP
- Box
- Nametag
- Health
- Head
- Wallhack
- Line ESP
UI
- Show notifications
Accuracy
- No Spread
- No Vis Recoil
- No Recoil
Miscellaneous
- AutoPistol
- Bunnyhop
- No Flash
- Speedhack (Press E)
Anti Aim
- X
- Y
- Z
P7
Download Project-7 v2.8
Downloaded 42.297 times

Features:
Aimbot
- Aimkey
- FOV
- AutoFire
- Hitbox
- Hitbox Adjust
- Auto wall
- Lag Prediction
- Silent Aim
ESP
- Box
- Nametag
- Health
- Head
- Wallhack
- Line ESP
UI
- Show notifications
Accuracy
- No Spread
- No Vis Recoil
- No Recoil
Miscellaneous
- AutoPistol
- Bunnyhop
- No Flash
- Speedhack (Press E)
Anti Aim
- X
- Y
- Z
Download Project-7 v2.7
Downloaded 6.956 times

iCheat24 Public CSS Simple Wireframe Wallhack

Released: May 8, 2011 - Unknown
Features:
- WireFrame WallHack
- SvCheats ByPass
- FPS Display
- Net Display
Download iCheat24 Public CSS Simple Wireframe Wallhack
Downloaded 20.999 times

Features:
Aimbot
- Aimkey
- FOV
- AutoFire
- Hitbox
- Hitbox Adjust
- Auto wall
- Lag Prediction
- Silent Aim
ESP
- Box
- Nametag
- Health
- Head
- Wallhack
- Line ESP
UI
- Show notifications
Accuracy
- No Spread
- No Vis Recoil
- No Recoil
Miscellaneous
- AutoPistol
- Bunnyhop
- No Flash
- Speedhack (Press E)
Anti Aim
P7
Download Project-7 v2.6
Downloaded 6.126 times

Features:
Aimbot
- Aimkey
- FOV
- AutoFire
- Hitbox
- Hitbox Adjust
- Auto wall
- Lag Prediction
- Silent Aim
ESP
- Box
- Nametag
- Health
- Head
- Wallhack
- Line ESP
UI
- Show notifications
Accuracy
- No Spread
- No Vis Recoil
- No Recoil
Miscellaneous
- AutoPistol
- Bunnyhop
- No Flash
- Speedhack (Press E)
Anti Aim
- X
- Y
- Z
P7
Download Project-7 v2.5
Downloaded 25.938 times

Machook Public Alpha 1

Released: Mar 31, 2011 - Unknown
Features:
Multi cheat for Mac OS X
ESP hack
Wallhack
More..
Download Machook Public Alpha 1
Downloaded 17.756 times

Features
Aimbot
- Aimkey
- FOV
- AutoFire
- Hitbox
- Hitbox Adjust
- Auto wall
- Lag Prediction
ESP
- Box
- Nametag
- Health
- Head
- Wallhack
- Line ESP
UI
- Show notifications
Accuracy
- No Spread
- No Vis Recoil
- No Recoil
Miscellaneous
- AutoPistol
- Bunnyhop
- No Flash
- Speedhack (Press E)
Anti Aim
- X
- Y
- Z
Download Project 7 v2.3
Downloaded 39.847 times

Free VAC proof hacks for Counter-Strike and Counter-Strike Source - Free VAC proof cheats for CS and CS:Source!
Remember, when you download cheats & hacks from Tobys CS, you agree not to use them on VAC secured servers. It is against Valve's policy, and you risk getting your Steam account permanently banned from all VAC secured servers.
It is at your own risk to use any of the cheats & hacks from Tobys.dk. We take no responsibility for any harm it may cause, or if you get banned.