Post AsVQl7155ZFwowuiFE by dr_barnowl@topspicy.social
 (DIR) Post #AsUUINXVfgeBKvYg2S by foone@digipres.club
       2025-03-27T20:16:29Z
       
       1 likes, 0 repeats
       
       on a day with no ADHD meds, my roommate knocks on the door and is like "a friend got their discord hacked but before I knew it they sent me an EXE and I ran it. am I hacked?"
       
 (DIR) Post #AsUURvDRpgM6O8j0xU by ozzelot@mstdn.social
       2025-03-27T20:18:16Z
       
       0 likes, 0 repeats
       
       @foone Is that friend a metaphor for lack of ADHD meds?
       
 (DIR) Post #AsUUW39kFjVKAmxfjE by foone@digipres.club
       2025-03-27T20:19:05Z
       
       0 likes, 0 repeats
       
       I am some kind of reverse engineer/security engineer but I'm not very good at it WHEN MY BRAIN DOESN'T WORK
       
 (DIR) Post #AsUUcpYPDwms0tjITg by johnefrancis@cosocial.ca
       2025-03-27T20:20:03Z
       
       0 likes, 0 repeats
       
       @foone 🚨 🚨 🚨
       
 (DIR) Post #AsUVAVYG6BK3p5if8S by ozzelot@mstdn.social
       2025-03-27T20:18:44Z
       
       0 likes, 0 repeats
       
       @foone I meant the roommate, but I shan't rewrite history
       
 (DIR) Post #AsUVAWIhJWTA97RkWG by m0xEE@nosh0b10.m0xee.net
       2025-03-27T20:24:03Z
       
       0 likes, 0 repeats
       
       @foone@digipres.club @ozzelot@mstdn.social Editing the posts is against the rules ☝ Except for fixing broken links 🤭
       
 (DIR) Post #AsUVbpM6Zm973x3sNU by pseudonym@mastodon.online
       2025-03-27T20:31:15Z
       
       0 likes, 0 repeats
       
       @foone Statistically, yes.
       
 (DIR) Post #AsUVef5tBVkc6cpPXM by foone@digipres.club
       2025-03-27T20:31:48Z
       
       0 likes, 0 repeats
       
       seems it is an electron based javascript malware that tries to steal all your passwords from all your browsers
       
 (DIR) Post #AsUVmspXzriD1d6Ys4 by jbaggs@infosec.exchange
       2025-03-27T20:33:20Z
       
       0 likes, 0 repeats
       
       @foone Competing today in the bad timing Olympics...
       
 (DIR) Post #AsUVpL53vyRFDlX69o by foone@digipres.club
       2025-03-27T20:33:39Z
       
       0 likes, 0 repeats
       
       huh, one of the things it does is check your RAM speed. I think because that's a thing real computers have, and it's trying to do a roundabout VM check?
       
 (DIR) Post #AsUVvWtIw7CPaUz88u by otte_homan@theblower.au
       2025-03-27T20:34:52Z
       
       0 likes, 0 repeats
       
       @foone good vibes.
       
 (DIR) Post #AsUW7FcQymfvUhgQHQ by foone@digipres.club
       2025-03-27T20:36:59Z
       
       0 likes, 0 repeats
       
       but yeah it does a bunch of checks to see if anything remotely debuggy or VMy is running or even installed, then refuses to do stuff
       
 (DIR) Post #AsUWDjihycYUaZi6s4 by foone@digipres.club
       2025-03-27T20:38:10Z
       
       1 likes, 0 repeats
       
       it even checks against OllyDbg, a really great debugger that hasn't updated in 11 years
       
 (DIR) Post #AsUWRlIYuCZzXQAVu4 by ozzelot@mstdn.social
       2025-03-27T20:38:09Z
       
       1 likes, 0 repeats
       
       @m0xEE @foone Editing the posts breaks the mindmaps of those who'd already seen them
       
 (DIR) Post #AsUWSH7gaAtSExKHOS by foone@digipres.club
       2025-03-27T20:40:39Z
       
       0 likes, 0 repeats
       
       @imtired it makes it look like a regular application, so anti-viruses can't easily block it
       
 (DIR) Post #AsUWXFOgQVUwKreCeG by foone@digipres.club
       2025-03-27T20:41:41Z
       
       0 likes, 0 repeats
       
       I'm looking at this disassembly from dez_ on twitter. https://gist.github.com/joe-desimone/64b3c1044c184ffc8f26090d7bcd32b5
       
 (DIR) Post #AsUWeiNz2t2qGlsgL2 by foone@digipres.club
       2025-03-27T20:43:03Z
       
       0 likes, 0 repeats
       
       there's a lot of very specific checks before it tries to do anything, I think this has been carefully designed to appear innocuous to the commonly used online sandboxes. like, it detects if it's running on virustotal and throws an error, instead of doing anything sneaky-deaky
       
 (DIR) Post #AsUWhfYG2WzyLd5yG8 by adrake@sfba.social
       2025-03-27T20:43:12Z
       
       1 likes, 0 repeats
       
       @foone Electron-based malware... gonna need to sit down for a minute. I guess when everything you install is yet another bespoke copy of Electron hogging all of your resources, one more copy of Electron could be a reasonable way to blend in. I do kind of love the prospect that even malware developers are too cheap to bother with native platform development these days.
       
 (DIR) Post #AsUX6BFLql25b9wKoq by foone@digipres.club
       2025-03-27T20:48:00Z
       
       0 likes, 0 repeats
       
       yes let me accidentally try to unpack the electron app in poland, that's exactly the kind of protection I need: geographic protection
       
 (DIR) Post #AsUXAFfHMhVSSY0bDc by foone@digipres.club
       2025-03-27T20:48:31Z
       
       1 likes, 0 repeats
       
       god I bet there are some malware out there that checks your location on GPS before running, and errors out if you're too close to Known Antivirus companies
       
 (DIR) Post #AsUXDSwATWG4UYROfg by azonenberg@ioc.exchange
       2025-03-27T20:49:08Z
       
       0 likes, 0 repeats
       
       @foone so what you're saying is I'm safe because i run my discord client in a VM? :p
       
 (DIR) Post #AsUXMPLVCHhTxYYS4e by foone@digipres.club
       2025-03-27T20:50:58Z
       
       1 likes, 0 repeats
       
       sure there's work-from-home, but you're probably still within a reasonable driving distance of the office. they could just blacklist the entire metropolitan area
       
 (DIR) Post #AsUXWxXUvBtIu9CGZM by drsbaitso@infosec.exchange
       2025-03-27T20:52:49Z
       
       0 likes, 0 repeats
       
       @foone Close enough (hah) to remind me of the chatter a few years back about ransomware that wouldn't infect if you have a Russian virtual keyboard installed. (I suspect there are more keyboards on PCs than GPSes on PCs)
       
 (DIR) Post #AsUXtmaxmGQncehVvE by foone@digipres.club
       2025-03-27T20:56:58Z
       
       0 likes, 0 repeats
       
       OH GOOD this is a different version that uses aes compression. so the source isn't just obfuscated, it's actually encrypted.
       
 (DIR) Post #AsUXzma6k2mbJjA5Ee by foone@digipres.club
       2025-03-27T20:58:04Z
       
       0 likes, 0 repeats
       
       @azonenberg well, it'll steal your discord password from the VM, but yeah
       
 (DIR) Post #AsUY7YgqH0Z8YC1GeO by azonenberg@ioc.exchange
       2025-03-27T20:59:27Z
       
       0 likes, 0 repeats
       
       @foone Well that's the question, is it going to even try to steal anything in the VM or is it going to be like "nope i'm being analyzed" and shut down?
       
 (DIR) Post #AsUYI1QeHIEkZuR00u by foone@digipres.club
       2025-03-27T21:01:22Z
       
       0 likes, 0 repeats
       
       @azonenberg oh yeah. no it'll probably do nothing
       
 (DIR) Post #AsUZAhUm5joegORA5w by foone@digipres.club
       2025-03-27T21:11:13Z
       
       0 likes, 0 repeats
       
       I hope these fuckers aren't trying to obfuscate the password by abusing javascript scoping
       
 (DIR) Post #AsUZDmbnXLvHPUBy3k by foone@digipres.club
       2025-03-27T21:11:22Z
       
       0 likes, 0 repeats
       
       my head already hurts enough as it is
       
 (DIR) Post #AsUZGh08qELet6xwzg by nabijaczleweli@101010.pl
       2025-03-27T21:11:59Z
       
       0 likes, 0 repeats
       
       @foone IT security model: forced relocation to kraków
       
 (DIR) Post #AsUZgIp3MP2ZQZzWBE by foone@digipres.club
       2025-03-27T21:16:58Z
       
       1 likes, 0 repeats
       
       finally unencrypted and re-deobfuscated. and it's got debugging strings in Turkish!
       
 (DIR) Post #AsUZo5C5ujrpTcTj0q by foone@digipres.club
       2025-03-27T21:18:22Z
       
       0 likes, 0 repeats
       
       awfully lot of debugging information printed to console.log by this malware. it really tells you everything it is doing
       
 (DIR) Post #AsUa2hz0UjK1pgKa2K by foone@digipres.club
       2025-03-27T21:20:50Z
       
       0 likes, 0 repeats
       
       @xssfox x64dbg is quite good, and feels like a modernized successor to ollydbg in a lot of ways
       
 (DIR) Post #AsUa5fsImzHwAAbp8C by foone@digipres.club
       2025-03-27T21:21:30Z
       
       0 likes, 0 repeats
       
       other debug strings are in portuguese!? this is a very international bit of malware
       
 (DIR) Post #AsUal4CZFOAfU5pEy8 by foone@digipres.club
       2025-03-27T21:29:02Z
       
       1 likes, 0 repeats
       
       so it also checks your GPU. You know, because VMs usually have a GPU like "VMware SVGA 3D"
       
 (DIR) Post #AsUbIC6YstolYGoRm4 by foone@digipres.club
       2025-03-27T21:34:58Z
       
       0 likes, 0 repeats
       
       @jeremy_list welcome to DRM
       
 (DIR) Post #AsUbN1xO2ejXWgpM7k by foone@digipres.club
       2025-03-27T21:35:50Z
       
       1 likes, 0 repeats
       
       so this seems to be associated with leetb.iwannaeatcats[.com]. it sends them the data after it steals it. usual suspects: all the passwords out of your browsers, discord & telegram, minecraft & roblox, & any wallet
       
 (DIR) Post #AsUbQjOF0zHZ6I9XH6 by foone@digipres.club
       2025-03-27T21:36:21Z
       
       0 likes, 0 repeats
       
       and Growtopia. I didn't know that game existed, but apparently there's malware out there trying to steal your passwords for it
       
 (DIR) Post #AsUbUd7cGHmAooEfxY by foone@digipres.club
       2025-03-27T21:37:13Z
       
       1 likes, 0 repeats
       
       @xssfox that's one of the reasons I mainly hack games from the 90s. They don't change, even as the decades do
       
 (DIR) Post #AsUbeEyKu8UAocTgEy by spinach@girlcock.club
       2025-03-27T21:38:52Z
       
       0 likes, 0 repeats
       
       @foone the Volkswagen solution
       
 (DIR) Post #AsUbynVMDrt7hxj2aO by foone@digipres.club
       2025-03-27T21:42:42Z
       
       0 likes, 0 repeats
       
       ahh, naturally the C&C server is cloudflare.
       
 (DIR) Post #AsUc1MKXiGiEISt9Iu by foone@digipres.club
       2025-03-27T21:43:05Z
       
       1 likes, 0 repeats
       
       whenever you find the worst pits of the internet, you will find cloudflare there, quietly making money off it.
       
 (DIR) Post #AsUc6hdnuLnHq3RhmS by silvermoon82@wandering.shop
       2025-03-27T21:43:25Z
       
       0 likes, 0 repeats
       
       @foone The C is for Cloudflare.
       
 (DIR) Post #AsUc8ywoX7mQ5qQNUG by foone@digipres.club
       2025-03-27T21:44:35Z
       
       1 likes, 1 repeats
       
       it also fails to run if you have less than 2gb of RAM. because what regular computer would have less than 2gb of ram in 2025? No one but a VM, that's who
       
 (DIR) Post #AsUcBpn12U72YiCYHw by wegegeld@toot.berlin
       2025-03-27T21:45:00Z
       
       0 likes, 0 repeats
       
       @foone There was a time, I did everything to stay away from dirty work. Today I can watch with rising enthusiasm other people doing it. Thank you!
       
 (DIR) Post #AsUcJuyhdG98y2WSYq by foone@digipres.club
       2025-03-27T21:46:32Z
       
       0 likes, 0 repeats
       
       it also refuses to run if your external IP is one of a couple, which include a hungarian ISP, a couple IPs in moscow, and azure
       
 (DIR) Post #AsUcNl0MectJC789C4 by azonenberg@ioc.exchange
       2025-03-27T21:47:12Z
       
       1 likes, 0 repeats
       
       @foone no that's not why. it's because the malware is written in electron and if you have <2GB it won't be able to steal your passwords before it ooms
       
 (DIR) Post #AsUcQInNzaOGZcH0ts by foone@digipres.club
       2025-03-27T21:47:33Z
       
       0 likes, 0 repeats
       
       @azonenberg good point
       
 (DIR) Post #AsUcY57aiSwsTrQxJQ by foone@digipres.club
       2025-03-27T21:49:06Z
       
       0 likes, 0 repeats
       
       it is also apparently dumping these stolen passwords into a discord somewhere, and if it steals your wallet password it dumps it with "🤡 Leet Stealer" even the bad guys think you're a clown for using cryptocurrency
       
 (DIR) Post #AsUdBTfjN5FbuuBhYm by foone@digipres.club
       2025-03-27T21:56:10Z
       
       1 likes, 0 repeats
       
       they distribute some of the malware through NPM, fun!
       
 (DIR) Post #AsUdRwx4HImNML9Spk by foone@digipres.club
       2025-03-27T21:59:10Z
       
       1 likes, 0 repeats
       
       It's a npm package with no actual source that does anything, but there's a prebuild file that is an exe containing malware
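
       As an added example (not code from the thread, nor from the package it mentions), a defender-side triage script in Python that flags an unpacked npm package which ships prebuilt native executables while containing little or no JavaScript source, or which wires a lifecycle hook that runs at install time. The two sample packages it builds are constructed for the demo: the "prebuild" file only begins with the PE magic bytes, not a real program, and the package name and file paths are placeholders.

```python
"""Added example: triage an unpacked npm package for prebuilt native binaries.

Flags packages that ship executable files (PE/ELF/Mach-O, detected by magic
bytes) while carrying little or no JavaScript, or that pair a binary with an
npm lifecycle script that executes during `npm install`.
The sample packages below are constructed for this demo."""
import json
import tempfile
from pathlib import Path
from typing import Optional

# Magic bytes of native executable formats; a pure-JS package should ship none.
EXEC_MAGIC = {
    b"MZ": "PE (Windows EXE/DLL)",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}
# npm lifecycle scripts that run automatically at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
JS_SUFFIXES = (".js", ".mjs", ".cjs", ".ts")


def executable_kind(path: Path) -> Optional[str]:
    """Return the executable format name if the file starts with a known magic."""
    with path.open("rb") as fh:
        head = fh.read(4)
    for magic, kind in EXEC_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def triage_package(pkg_dir) -> dict:
    """Inspect an unpacked package directory and return findings plus a verdict."""
    pkg_dir = Path(pkg_dir)
    findings = {"executables": [], "install_hooks": {}, "js_files": 0}

    manifest = pkg_dir / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
        findings["install_hooks"] = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

    for path in pkg_dir.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix in JS_SUFFIXES:
            findings["js_files"] += 1
        kind = executable_kind(path)
        if kind:
            findings["executables"].append((path.relative_to(pkg_dir).as_posix(), kind))

    # Verdict: a native binary with (almost) no JS around it, or a binary paired
    # with an install hook that could launch it, deserves a human look first.
    has_binary = bool(findings["executables"])
    findings["suspicious"] = has_binary and (
        findings["js_files"] <= 1 or bool(findings["install_hooks"])
    )
    return findings


def build_sample_package(benign: bool = False) -> str:
    """Write a constructed sample package to a temp dir and return its path.

    The 'prebuild' file only begins with the PE magic 'MZ'; it is not a real
    executable. The name 'example-pkg' and the paths are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="npm-triage-"))
    scripts = {"test": "node test.js"}
    if benign:
        # A plausible pure-JS package: several source files, no binaries, no hooks.
        for name in ("index.js", "lib/parse.js", "lib/emit.js", "test.js"):
            target = root / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("module.exports = {};\n", encoding="utf-8")
    else:
        # The shape described in the thread: one stub script plus a prebuilt binary.
        scripts["postinstall"] = "node install.js"
        (root / "install.js").write_text("// stub that would launch the prebuilt file\n", encoding="utf-8")
        (root / "prebuilds").mkdir()
        (root / "prebuilds" / "helper.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "package.json").write_text(
        json.dumps({"name": "example-pkg", "version": "0.0.1", "scripts": scripts}),
        encoding="utf-8",
    )
    return str(root)


if __name__ == "__main__":
    for benign in (False, True):
        result = triage_package(build_sample_package(benign=benign))
        print("benign" if benign else "suspect", result)
```

       Run it against a directory produced by `npm pack` followed by extraction of the tarball; the verdict is a heuristic to gate a manual review, not a malware classifier, since legitimate native addons also ship prebuilds (usually alongside real source and a declared build step).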
       
 (DIR) Post #AsUdUfti8pVjKrsfZ2 by foone@digipres.club
       2025-03-27T21:59:40Z
       
       0 likes, 0 repeats
       
       And the electron malware dropped an exe malware. Yay
       
 (DIR) Post #AsUda7Y6lF42XkNBom by foone@digipres.club
       2025-03-27T22:00:39Z
       
       1 likes, 0 repeats
       
       I'm gonna leave this to the kind of security researchers who get paid for this, and go help my roommate reinstall her PC and change all her passwords
       
 (DIR) Post #AsUdg5bmtBr4GIwLvE by ozzelot@mstdn.social
       2025-03-27T21:42:11Z
       
       1 likes, 0 repeats
       
       @m0xEE @foone (Just like cleaning up labs too much breaks the mindmaps of those who actually try to do good work in them, much to the chagrin of those just trying to clean them; and no, talks of cosmic chaos shockingly do not help)
       
 (DIR) Post #AsUejJEYmq9JLLAuAK by ryanc@infosec.exchange
       2025-03-27T22:13:29Z
       
       0 likes, 0 repeats
       
       @foone I have run into malware that has server-side checks before the second stage would download and it blocked a couple major metropolitan areas and allow listed residential ISPs. Ended up buying a sacrificial laptop to infect.
       
 (DIR) Post #AsUepnWB6V6T0OVeRE by stepan@f.cz
       2025-03-27T22:14:20Z
       
       0 likes, 0 repeats
       
       @foone I love this idea of antivirus companies casting an invisible antivirus shield around them.
       
 (DIR) Post #AsUesQvJZB3tnYWWkS by foone@digipres.club
       2025-03-27T22:14:55Z
       
       0 likes, 1 repeats
       
       So it's packaged like this:
       rar inside a rar (both passworded)
       containing an NSIS installer
       which drops and runs a copy of electron.
       the electron code is obfuscated, and encrypted. it decrypts itself on run. the encrypted code is also obfuscated.
       that JS code does most of the password stealing, but it drops an EXE file off the iwannaeatcats.com site, and sets it up to auto-run next boot. it also grabs the NPM package, for unknown reasons
       
 (DIR) Post #AsUfFcrTLaQHU3mlP6 by foone@digipres.club
       2025-03-27T22:19:22Z
       
       0 likes, 1 repeats
       
       anyone an actual security researcher who knows how (and with what authority) to yell at NPM to get this taken down? https://www.npmjs.com/package/ilovingcats
       
 (DIR) Post #AsUfXfcbp6QLG0RC5o by Hiro@loutre.info
       2025-03-27T22:22:32Z
       
       0 likes, 0 repeats
       
       @foone I never quite looked at malware stuff like that, your thread was very interesting!
       
 (DIR) Post #AsUg2GTfMJR0FbqL1U by BustaMarx@corteximplant.com
       2025-03-27T22:28:06Z
       
       0 likes, 0 repeats
       
       @foone Cloudflare, the selling-to-both-sides-arms-dealers of the internet.
       
 (DIR) Post #AsUg8JDK68BETW5572 by pseudonym@mastodon.online
       2025-03-27T22:29:12Z
       
       0 likes, 0 repeats
       
       @foone I18N made it to the malware writers.
       
 (DIR) Post #AsUgPUHkBjWLjdL9MW by Sunseille@shelter.moe
       2025-03-27T22:32:18Z
       
       0 likes, 0 repeats
       
       @foone ooh i know about this game, well i remember the ost being crap.
       
 (DIR) Post #AsUgV4cGXPWVrTbQO0 by pseudonym@mastodon.online
       2025-03-27T22:33:21Z
       
       0 likes, 0 repeats
       
       @foone Absolutely brilliant thread, as always. Thank you for letting us ride along.
       
 (DIR) Post #AsUgatSqufUf0oyVKi by AlesandroOrtiz@infosec.exchange
       2025-03-27T22:34:19Z
       
       0 likes, 0 repeats
       
       @foone Can you upload all the exe's you have to virustotal? Might help get those flagged by Windows Defender and others.
       
 (DIR) Post #AsUirDBHZgpKhhfJoG by futurebird@sauropods.win
       2025-03-27T23:00:04Z
       
       0 likes, 0 repeats
       
       @foone Malware in electron? shocking! but props for finding this.
       
 (DIR) Post #AsUj4iVQQ9GncYWiuW by Taco_lad@aus.social
       2025-03-27T23:02:09Z
       
       0 likes, 0 repeats
       
       @foone this is incredible to watch. "I'm not a paid security researcher" *proceeds to apply absolutely leet skills of a digital archivist and retro-computing reverse engineer to pull apart the malware in short order* - you could be a paid security researcher, that was phenomenal to watch! 💯💯💯
       
 (DIR) Post #AsUjytNjAheNZIiFyS by foone@digipres.club
       2025-03-27T23:12:22Z
       
       0 likes, 0 repeats
       
       @AlesandroOrtiz already did
       
 (DIR) Post #AsUkLvyzfPx6IP8BJg by itsalrightiguess@mastodon.world
       2025-03-27T23:16:26Z
       
       0 likes, 0 repeats
       
       @foone help an uninformed person out, does visiting that page install malware?
       
 (DIR) Post #AsUl2LRbONwTQRjePA by foone@digipres.club
       2025-03-27T23:24:12Z
       
       0 likes, 0 repeats
       
       @itsalrightiguess no, it should be fine. if you downloaded the module and ran the pre-built module, it might do some malware stuff though
       
 (DIR) Post #AsUlAC2yDObcb4xM7k by itsalrightiguess@mastodon.world
       2025-03-27T23:25:33Z
       
       0 likes, 0 repeats
       
       @foone ok thanks
       
 (DIR) Post #AsUldD6jLnY2HhYGFU by foone@digipres.club
       2025-03-27T23:30:42Z
       
       0 likes, 0 repeats
       
       @abussh mine seems to be based around iwannaeatcats[.]com but I think this is a wildly reused password stealer. it's easy enough to reverse engineer and reuse it
       
 (DIR) Post #AsVIDGXlFZMvtoQny4 by jasper@beige.party
       2025-03-28T05:35:48Z
       
       0 likes, 0 repeats
       
       @foone possibly to game download numbers for the package. Make it look more legit in order to use it in another attack vector.
       
 (DIR) Post #AsVIXtZPrLeUjK2gcK by skyr@chaos.social
       2025-03-28T05:39:33Z
       
       0 likes, 0 repeats
       
       @foone after the first post, I initially assumed that it was your roommate who missed his meds 😂
       
 (DIR) Post #AsVKscr4FXYlMluLZ2 by musevg@hostux.social
       2025-03-28T06:05:41Z
       
       0 likes, 0 repeats
       
       @foone So *THIS* is how your brain works in bad mode? Kudos. That's amazing. Thanks for taking us on this ride through the analysis!
       
 (DIR) Post #AsVQl7155ZFwowuiFE by dr_barnowl@topspicy.social
       2025-03-28T07:11:34Z
       
       0 likes, 0 repeats
       
       @foone There are a lot that check your keyboard layouts and fail if you have a Russian one installed because they don't want the heat from a jurisdiction that can actually arrest them.
       
 (DIR) Post #AsVdgeQAlKE6NbqxFY by bongoknight@ioc.exchange
       2025-03-28T09:36:29Z
       
       0 likes, 0 repeats
       
       @foone Right after reading this I stumbled across the GitHub, the world is small! https://github.com/advisories/GHSA-3w65-8455-m3v5
       
 (DIR) Post #AsVifedixoPmXTXIAa by irgendwr@chaos.social
       2025-03-28T10:32:16Z
       
       0 likes, 0 repeats
       
       @foone the "report malware" button/contact form seems to be effective. (even for me, who is not an "actual security researcher" ^^)
       
 (DIR) Post #AsVsNcWP6CdeIb9RLs by foone@digipres.club
       2025-03-28T12:21:06Z
       
       0 likes, 0 repeats
       
       @irgendwr cool!
       
 (DIR) Post #AsW0PIigUaYb64CwNc by p4@masto.ai
       2025-03-28T13:51:05Z
       
       0 likes, 0 repeats
       
       @foone looks like the yelling worked, it's now replaced with the npm security holder.