on a day with no ADHD meds, my roommate knocks on the door and is like "a friend got their discord hacked but before I knew it they sent me an EXE and I ran it. am I hacked?"
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:10 JST Foone🏳️⚧️
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:00 JST Foone🏳️⚧️
an awful lot of debugging information printed to console.log by this malware. it really tells you everything it is doing
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:01 JST Foone🏳️⚧️
my head already hurts enough as it is
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:01 JST Foone🏳️⚧️
finally unencrypted and re-deobfuscated.
and it's got debugging strings in Turkish!
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:02 JST Foone🏳️⚧️
I hope these fuckers aren't trying to obfuscate the password by abusing javascript scoping
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:03 JST Foone🏳️⚧️
sure there's work-from-home, but you're probably still within a reasonable driving distance of the office. they could just blacklist the entire metropolitan area
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:03 JST Foone🏳️⚧️
OH GOOD this is a different version that uses aes compression. so the source isn't just obfuscated, it's actually encrypted.
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:04 JST Foone🏳️⚧️
god I bet there are some malware out there that checks your location on GPS before running, and errors out if you're too close to Known Antivirus companies
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:05 JST Foone🏳️⚧️
there's a lot of very specific checks before it tries to do anything, I think this has been carefully designed to appear innocuous to the commonly used online sandboxes. like, it detects if it's running on virustotal and throws an error, instead of doing anything sneaky-deaky
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:05 JST Foone🏳️⚧️
yes let me accidentally try to unpack the electron app in poland, that's exactly the kind of protection I need: geographic protection
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:06 JST Foone🏳️⚧️
I'm looking at this disassembly from dez_ on twitter.
https://gist.github.com/joe-desimone/64b3c1044c184ffc8f26090d7bcd32b5
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:07 JST Foone🏳️⚧️
but yeah it does a bunch of checks to see if anything remotely debuggy or VMy is running or even installed, then refuses to do stuff
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:07 JST Foone🏳️⚧️
it even checks against OllyDbg, a really great debugger that hasn't updated in 11 years
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:08 JST Foone🏳️⚧️
huh, one of the things it does is check your RAM speed.
I think because that's a thing real computers have, and it's trying to do a roundabout VM check?
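The anti-analysis checks described in the posts above (a process-list check for debuggers and VM tools such as OllyDbg, a check for running on VirusTotal, and a RAM-speed query used as a roundabout VM check) are the kind of thing a static triage pass over an unpacked Electron payload can flag before anyone has to run it. The following is an added example written for this page, not code from the thread or from the malware being discussed; the indicator lists, the regular expressions and the constructed sample source are assumptions modelled on commonly seen anti-analysis tooling, not on the actual sample.

```javascript
// Added example for this page: a small static triage scanner that flags the
// kinds of anti-analysis checks the thread describes in unpacked Electron /
// Node.js sources. Indicator lists are assumptions drawn from common
// debugger, VM and sandbox tooling, not from the real sample.

const INDICATORS = {
  // Names of debuggers/analysis tools a loader might look for in a process list.
  debuggerProcesses: [/\bollydbg\b/i, /\bx64dbg\b/i, /\bx32dbg\b/i, /\bwindbg\b/i,
    /\bprocmon\b/i, /\bwireshark\b/i, /\bfiddler\b/i],
  // Guest-tools processes and vendor strings that betray a VM.
  vmArtifacts: [/\bvmtoolsd\b/i, /\bvboxservice\b/i, /\bvboxtray\b/i,
    /\bvmware\b/i, /\bvirtualbox\b/i, /\bqemu\b/i],
  // Online sandbox names checked against hostnames, usernames or paths.
  sandboxNames: [/virustotal/i, /\bany\.?run\b/i, /\bjoesandbox\b/i, /\bsandbox\b/i],
  // Hardware probes used as a roundabout VM check (RAM speed via WMI, total memory).
  hardwareProbes: [/memorychip/i, /\bwmic\b.*\bspeed\b/i, /Win32_PhysicalMemory/i,
    /\btotalmem\s*\(/i],
  // Process enumeration that feeds the checks above.
  processEnumeration: [/\btasklist\b/i, /\bps\s+-e/i, /Get-Process/i],
};

// Return, per category, the matched text of each pattern that fires.
function scanSource(source) {
  const findings = {};
  for (const [category, patterns] of Object.entries(INDICATORS)) {
    const hits = [];
    for (const re of patterns) {
      const m = source.match(re);
      if (m) hits.push(m[0]);
    }
    if (hits.length > 0) findings[category] = hits;
  }
  return findings;
}

// Heuristic verdict: enumerating processes and then looking for debugger or VM
// names, or probing hardware, is the "look before you act" shape of evasion.
function triage(source) {
  const findings = scanSource(source);
  const categories = Object.keys(findings);
  const looksAround = categories.includes('debuggerProcesses') ||
    categories.includes('vmArtifacts') || categories.includes('hardwareProbes');
  const evasive = categories.includes('processEnumeration') && looksAround;
  return { findings, categories, evasive };
}

// Constructed sample: an approximation of the checks described in the thread,
// written for this example. It is not the real payload.
const SAMPLE_SOURCE = `
const { execSync } = require('child_process');
const list = execSync('tasklist').toString().toLowerCase();
if (list.includes('ollydbg.exe') || list.includes('vmtoolsd.exe')) throw new Error('nope');
if (require('os').hostname().toLowerCase().includes('virustotal')) throw new Error('nope');
const ram = execSync('wmic memorychip get speed').toString();
if (!/\\d{3,}/.test(ram)) throw new Error('no real ram');
`;

console.log(JSON.stringify(triage(SAMPLE_SOURCE), null, 2));
```

Run it with node against the constructed sample, or point `triage` at the JavaScript pulled out of a real app.asar (the asar tool's extract command gets you the sources) after any string decryption layer has been removed; the scanner only sees plaintext, so an AES-wrapped bundle like the one in the thread has to be unpacked first. The verdict is a triage hint for ordering manual review, not proof of malice: legitimate software also queries hardware and process lists, which is why the heuristic requires enumeration combined with a named tool or hardware probe rather than any single hit.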
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:09 JST Foone🏳️⚧️
I am some kind of reverse engineer/security engineer but I'm not very good at it WHEN MY BRAIN DOESN'T WORK
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:09 JST Foone🏳️⚧️
seems it is an electron based javascript malware that tries to steal all your passwords from all your browsers
Andrew Drake (adrake@sfba.social)'s status on Friday, 28-Mar-2025 06:59:41 JST Andrew Drake
@foone Electron-based malware... gonna need to sit down for a minute.
I guess when everything you install is yet another bespoke copy of Electron hogging all of your resources, one more copy of Electron could be a reasonable way to blend in.
I do kind of love the prospect that even malware developers are too cheap to bother with native platform development these days.
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 28-Mar-2025 07:13:31 JST Ryan Castellucci :nonbinary_flag:
@foone I have run into malware that has server-side checks before the second stage would download and it blocked a couple major metropolitan areas and allow listed residential ISPs. Ended up buying a sacrificial laptop to infect.