rainway.cloud: A co-operation offer that should be treated with caution.

Dubious offers for YouTube collaboration.

This is not the first time that YouTubers have been targeted by

The offer from Rainway

First, we receive an email stating that the service would like to work with us. We reply and receive an offer. It does not sound bad; even for small channels there is a lot of money on the table.

There is also a sample contract, a few supposed screenshots and a link where we can download the software.

The real Rainway

Rainway was a legitimate cloud gaming service that allowed users to stream PC games to other devices. The official website of the service was rainway.com.

Rainway was particularly popular for its ease of use and the ability to play games without additional hardware on smartphones, tablets or even in a web browser.
The service was actively developed for several years until it was finally discontinued. Unfortunately, fraudsters are using the well-known name to spread malware with fake cooperation offers. Special care should therefore be taken when dubious emails or websites with the name “Rainway” appear.

The download

Let us take a closer look. The website offers little beyond the download itself, which is very suspicious.

The download is a ZIP file, which we unpack. Inside is an installer, which we upload to VirusTotal.

Only 5 virus scanners recognise it as suspicious. That is not much when you consider that your own scanner will usually not be among them when you run the file.

We run the installer in a virtual machine

We are a little curious and start the installer. In a secure virtual machine environment, of course.

Right at startup, Windows warns us that the installer has no certificate. This is also highly suspicious.

The installer itself then looks unremarkable; something is installed.

On launch, however, only an error message appears. Something is not working; we can continue, but only an empty window appears.

Analysis of files

We find nothing obviously suspicious in the program directory. Some files are signed, some by Rainway, some by AOMEI. We suspect that an existing, genuine setup was reused here to provide a convincing disguise.
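The two checks described above (hashing the download for a VirusTotal lookup, and comparing the signers of the installed files) can be done in one pass with PowerShell's built-in cmdlets. The script below is an added example and is not part of the original article or of Rainway's software; the directory path is an assumption, and the grouping of signers is the check that makes a "genuine installer from vendor A wrapped with extra files" pattern stand out.

```powershell
# Added example (not from the article): triage the files of an extracted or
# installed program directory. The path is an assumption; adjust it to the
# directory you are analysing (inside the analysis VM, not on a production host).
$dir = 'C:\analysis\rainway-extracted'

$report = Get-ChildItem -Path $dir -Recurse -Include *.exe,*.dll,*.sys,*.msi -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName.Substring($dir.Length).TrimStart('\')
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            # SHA-256 is what you look up on VirusTotal instead of uploading the file.
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# 1. Every file with its signature state, unsigned or tampered files listed first.
$report | Sort-Object Status, File | Format-Table File, Status, Signer, SHA256 -AutoSize

# 2. How many distinct signers are present? A single-vendor install normally has
#    one; a mix of signers (as the article saw with Rainway and AOMEI) is a hint
#    that a third-party setup was repurposed.
$report | Where-Object Status -eq 'Valid' |
    Group-Object Signer | Select-Object Count, Name | Format-Table -AutoSize

# 3. Files that are not validly signed deserve the closest look: those are the
#    ones that would have been added or replaced when a genuine installer is wrapped.
$report | Where-Object Status -ne 'Valid' | Format-Table File, Status, SHA256 -AutoSize
```

Run it inside the analysis VM against the unpacked ZIP first and the installed directory afterwards; the difference between the two file lists, together with any file whose Status is not Valid, is usually where the actual payload sits. A valid signature only proves who signed a file, not that its presence in this particular bundle is legitimate, so treat the signer grouping as a triage aid rather than a verdict.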