{"id":67920,"date":"2025-03-02T17:25:24","date_gmt":"2025-03-02T16:25:24","guid":{"rendered":"https:\/\/ekiwi-blog.de\/67920\/rainwaycloud-a-co-operation-offer-that-should-be-treated-with-caution\/"},"modified":"2025-03-02T17:25:24","modified_gmt":"2025-03-02T16:25:24","slug":"rainwaycloud-a-co-operation-offer-that-should-be-treated-with-caution","status":"publish","type":"post","link":"https:\/\/ekiwi-blog.de\/en\/67920\/rainwaycloud-a-co-operation-offer-that-should-be-treated-with-caution\/","title":{"rendered":"rainway.cloud: A co-operation offer that should be treated with caution."},"content":{"rendered":"<p>Dubious offers for YouTube collaboration.<\/p>\n<p>This is not the first time that YouTubers have been targeted by <a href=\"https:\/\/acapio.de\/posts\/2024-12-29_camtasia_scam\/\">phishing and malware attacks<\/a>. The scam often follows the same pattern: the promise of a high commission is used to lure people in, but the supposed contract or software must be downloaded and executed from an external website.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_offer_from_Rainway\"><\/span>The offer from Rainway<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>First, we receive an email stating that the service would like to work with us. We reply and receive an offer. It doesn&#8217;t sound bad: even small channels are offered a lot of money.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_1.webp\" alt=\"\" width=\"924\" height=\"780\" class=\"aligncenter size-full wp-image-67902\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_1.webp 924w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_1-300x253.webp 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_1-768x648.webp 768w\" sizes=\"auto, (max-width: 924px) 100vw, 924px\" \/><\/p>\n<p>There is also a sample contract, a few supposed screenshots and a link where we can download the software.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_2.webp\" alt=\"\" width=\"800\" height=\"698\" class=\"aligncenter size-full wp-image-67904\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_2.webp 800w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_2-300x262.webp 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_2-768x670.webp 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_real_Rainway\"><\/span>The real Rainway<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Rainway was a legitimate cloud gaming service that allowed users to stream PC games to other devices. 
The official website of the service was <a href=\"https:\/\/rainway.com\" target=\"_blank\" rel=\"noopener\">rainway.com<\/a>.<\/p>\n<p>Rainway was particularly popular for its ease of use and the ability to play games without additional hardware on smartphones, tablets or even in a web browser.<br \/>\nThe service was actively developed for several years until it was finally discontinued. Unfortunately, fraudsters are using the well-known name to spread malware with fake cooperation offers. Special care should therefore be taken when dubious emails or websites with the name &#8220;Rainway&#8221; appear.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_download\"><\/span>The download<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Let&#8217;s take a closer look. The website offers little more than the download, which is very suspicious.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_3.webp\" alt=\"\" width=\"800\" height=\"362\" class=\"aligncenter size-full wp-image-67906\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_3.webp 800w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_3-300x136.webp 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_3-768x348.webp 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/p>\n<p>The download is a ZIP file, which we unpack. It contains an installer, which we upload to <a href=\"https:\/\/ekiwi-blog.de\/22006\/dateien-online-auf-viren-pruefen\/\">VirusTotal<\/a>.<\/p>\n<p>At least 5 virus scanners flag it as suspicious. 
That is not many when you consider that your own scanner will usually not be among them when you launch the file.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_4.webp\" alt=\"\" width=\"1341\" height=\"572\" class=\"aligncenter size-full wp-image-67908\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_4.webp 1341w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_4-300x128.webp 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_4-1024x437.webp 1024w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_4-768x328.webp 768w\" sizes=\"auto, (max-width: 1341px) 100vw, 1341px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"We_run_the_installer_in_a_virtual_machine\"><\/span>We run the installer in a virtual machine<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>We are a little curious and start the installer. In a secure virtual machine environment, of course.<\/p>\n<p>Windows warns us about a missing certificate right at startup. This is also highly suspicious.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_5.webp\" alt=\"\" width=\"494\" height=\"458\" class=\"aligncenter size-full wp-image-67910\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_5.webp 494w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_5-300x278.webp 300w\" sizes=\"auto, (max-width: 494px) 100vw, 494px\" \/><\/p>\n<p>The installer itself then looks unremarkable. 
Something is being installed.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_6.webp\" alt=\"\" width=\"657\" height=\"232\" class=\"aligncenter size-full wp-image-67912\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_6.webp 657w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_6-300x106.webp 300w\" sizes=\"auto, (max-width: 657px) 100vw, 657px\" \/><\/p>\n<p>However, only an error message appears when it starts. Something is not working; we can continue, but only an empty window appears.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_7.webp\" alt=\"\" width=\"889\" height=\"779\" class=\"aligncenter size-full wp-image-67914\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_7.webp 889w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_7-300x263.webp 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_7-768x673.webp 768w\" sizes=\"auto, (max-width: 889px) 100vw, 889px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Analysis_of_files\"><\/span>Analysis of files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>We don&#8217;t find anything suspicious in the programme directory. Some files are signed, some by Rainway, some by AOMEI. 
We have a slight suspicion that an existing setup was used here to provide a good disguise.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_8.webp\" alt=\"\" width=\"641\" height=\"503\" class=\"aligncenter size-full wp-image-67916\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_8.webp 641w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2025\/03\/rainway_8-300x235.webp 300w\" sizes=\"auto, (max-width: 641px) 100vw, 641px\" \/><\/p>","protected":false},"excerpt":{"rendered":"<p>Dubious offers for YouTube collaboration. This is not the first time that YouTubers have been targeted by<\/p>\n","protected":false},"author":1,"featured_media":67918,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1552],"tags":[1601,1590,1602],"class_list":["post-67920","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-en","tag-malware-en","tag-scam","tag-security-en"],"_links":{"self":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/67920","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/comments?post=67920"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/67920\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media\/67918"}],"wp:attachment":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media?parent=67920"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/categor
ies?post=67920"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/tags?post=67920"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}