Hm, the url returns a png. Did he obscure the actual url? Couldn't get it to send me json or js...

Update: found a clone of the repo on github and got the payload, all you have to do is add a header `bearrtoken: logo`

It's obfuscated, I will feed it to qwen to see what can be gleaned.

Same here.

I tried content-types and user-agents, but no luck. I'm not sure what the user-agent of `req` is, but the default `node-fetch/1.0` does make the response JSON. They are a 307, but the result is a png.

I presume the original payload may have contained information that the hackers want to keep from prying eyes. Esp. now that it landed on HN, it makes sense to take it offline and replace it with an actual png to avoid people finding information in it that may harm their future hacks or so?

Got it after adding the header: `bearrtoken: logo`.

Without seeing the request code I initially assumed it would be `Authorization: Bearer logo` that did the trick.

So I fed it to qwen. It seems to think it's just a downloader and persistence mechanism for another payload. I will try to download it too and see what qwen thinks of that.

Thanks for following down the rabbit hole, let us know what you find! Also... why qwen?

> why qwen

I have it running locally, and I don't want to add credentials to the VM with the malware.

According to qwen:

It's cross platform

It has a bunch of persistence mechanisms.

It downloads another pack from pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev. I verified I got the secondary payload.

This pack looks like a python 3.10 environment along with an executable called cupsd.

And downloads another js script from http://138.201.125.58:1224/client/99/77

That script then proceeds to download three python scripts that use the aforementioned python environment and do their business. Qwen is having trouble de-obfuscating their URLs and I am busy.
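The indicators the thread has surfaced so far (the r2.dev host, the IP:port C2, and the `bearrtoken` header that gates the first stage) can be turned into a simple egress-log check. This is an added defender-side example, not code from any poster or from the malware; the proxy log format it parses is assumed and the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the thread above.
IOC_HOSTS = {
    "pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev",  # secondary payload pack
    "138.201.125.58",                                # third-stage JS on port 1224
}
IOC_HEADER = "bearrtoken"  # custom header that unlocks the first stage (value seen: "logo")

# Assumed proxy log format: METHOD URL STATUS "USER-AGENT" header: value; header: value
LOG_RE = re.compile(
    r'^(?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)" (?P<headers>.*)$'
)


def scan_line(line):
    """Return the list of indicator matches for one log line (empty if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    reasons = []
    host = urlparse(m.group("url")).hostname or ""  # strips the :1224 port
    if host in IOC_HOSTS:
        reasons.append(f"known host {host}")
    headers = {
        k.strip().lower(): v.strip()
        for k, v in (h.split(":", 1) for h in m.group("headers").split(";") if ":" in h)
    }
    if IOC_HEADER in headers:
        reasons.append(f"custom header {IOC_HEADER}={headers[IOC_HEADER]}")
    return reasons


def scan_log(lines):
    """Return (line_number, reasons) for every line that matches an indicator."""
    return [(i, r) for i, line in enumerate(lines, 1) if (r := scan_line(line))]


# Constructed sample log: one benign fetch, the gated first stage, the pack, a benign API call.
SAMPLE_LOG = [
    'GET https://cdn.example.test/logo.png 200 "Mozilla/5.0" accept: image/png',
    'GET http://138.201.125.58:1224/client/99/77 200 "node-fetch/1.0" bearrtoken: logo; accept: */*',
    'GET https://pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev/pack.zip 200 "node-fetch/1.0" accept: */*',
    'GET https://api.example.test/v1/status 307 "node-fetch/1.0" accept: application/json',
]

if __name__ == "__main__":
    for lineno, reasons in scan_log(SAMPLE_LOG):
        print(lineno, "; ".join(reasons))
```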

I'm actually curious to know how you people visit the link securely? I guess a VM, but could in theory something be resilient enough to misuse the Shared Clipboard or something to access your host machine?

Also, what is your go-to OS?

Hm, when I think of it, an old Raspberry Pi could be my go-to for this, but always physically.