https://old.reddit.com/r/cemu/comments/1tbbusq/security_psa_linux_malware_from_cemu_official/
Windows, MacOSX and the Flatpak are unaffected.
The compromised releases are:
Cemu-2.6-x86_64.AppImage
cemu-2.6-ubuntu-22.04-x64.zip
SAFE SHA256 checksum:
Cemu-2.6-x86_64.AppImage 0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313
cemu-2.6-ubuntu-22.04-x64.zip 5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b
Infected SHA256 / Checksums:
sha256: f140e76236b96adf7cdc796227af9808665143bc674debb77729fa3e4b8327cc
sha256: d07a29c4458d00e42d5d9e6345932592e91644d6b821bacdb7a543c628e0b41a
KDE: (Right-click your Cemu AppImage -> Properties -> Checksum -> SHA256 button).
If you've run either (f140e or d07a29) to play some games or configure, you may want to consider reinstalling your system if you've got any sensitive information, passwords or any of that in use. You're most likely safe if you didn't run the infected releases, but if you've updated and run Cemu recently, you're going to want to make sure you're in the clear, because if you're not then a reinstall may not be the worst idea.
From preliminary analysis it seems that mostly it is trying to spread itself rather than cause direct damage. It does that by stealing SSH keys, GitHub tokens and a lot of other passwords or keys that they can then use to infect more packages or software releases.
This is likely also how we got affected. The other Cemu author (MangleSpec/Petergov) ran software in WSL which was compromised, through which they got hold of his GitHub token. At least that is our leading theory.
HOWEVER if your region is Israel (it detects this via keyboard layout and timezone settings), then it will have a random chance to wipe your filesystem (subprocess.run(["rm", "-rf", "/*"])) every time you start the compromised software.
So my immediate advice is this:
Delete the compromised Cemu files (Cemu-2.6-x86_64.AppImage and cemu-2.6-ubuntu-22.04-x64.zip). Note: You are not affected if you downloaded before 6th May.
Reset all your passwords, SSH keys and service tokens.
Block IP 83.142.209.194 just in case. This is hardcoded and used as a remote endpoint.
Source: ExZap - https://github.com/cemu-project/Cemu/issues/1911
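A command-line equivalent of the checksum check above, as an added example that is not part of the original post or the Cemu project: it hashes any Cemu AppImage or zip under the directories you pass and compares the result against the safe and infected SHA256 values listed in the post. The function names and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: classify Cemu 2.6 Linux downloads by SHA256.
# Hash values are copied from the post; function names are assumptions.

INFECTED_HASHES="f140e76236b96adf7cdc796227af9808665143bc674debb77729fa3e4b8327cc
d07a29c4458d00e42d5d9e6345932592e91644d6b821bacdb7a543c628e0b41a"
SAFE_HASHES="0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313
5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b"

# Print infected, safe, unknown or invalid for a hex SHA256 (any case).
classify_hash() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$h" in
        ""|*[!0-9a-f]*) echo invalid; return 0 ;;
    esac
    if [ "${#h}" -ne 64 ]; then echo invalid
    elif printf '%s\n' "$INFECTED_HASHES" | grep -qxF "$h"; then echo infected
    elif printf '%s\n' "$SAFE_HASHES" | grep -qxF "$h"; then echo safe
    else echo unknown
    fi
}

# Hash one file (read via stdin so odd file names cannot affect parsing).
classify_file() {
    if [ ! -f "$1" ]; then echo missing; return 0; fi
    classify_hash "$(sha256sum < "$1" | cut -d' ' -f1)"
}

# List Cemu AppImage/zip files under the given directories with a verdict.
# Returns 1 if any file matches an infected hash, 0 otherwise.
scan_dirs() {
    report=$(find "$@" -type f \( -iname 'cemu*.appimage' -o -iname 'cemu*.zip' \) 2>/dev/null |
        while IFS= read -r f; do
            printf '%s  %s\n' "$(classify_file "$f")" "$f"
        done)
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    ! printf '%s\n' "$report" | grep -q '^infected  '
}

# Usage (script name is a placeholder): sh check_cemu.sh ~/Downloads ~/Applications
if [ "$#" -gt 0 ]; then scan_dirs "$@"; fi
```

A verdict of "unknown" means the file matches neither list, for example a different Cemu version or a renamed unrelated file; it is not a clean bill of health.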