Solders, on the other hand, has been found to incorporate a post-install script in its package.json, causing the malicious code to be automatically executed as soon as the package is installed.
“At first glance, it’s hard to believe that this is actually valid JavaScript,” the Veracode Threat Research team said. “It looks like a seemingly random collection of Japanese symbols. It turns out that this particular obfuscation scheme uses the Unicode characters as variable names and a sophisticated chain of dynamic code generation to work.”
Decoding the script reveals an extra layer of obfuscation; unpacking that layer exposes its main function: check whether the compromised machine is running Windows and, if so, run a PowerShell command to retrieve a next-stage payload from a remote server (“firewall[.]tel”).
This second-stage PowerShell script, also obscured, is designed to fetch a Windows batch script from another domain (“cdn.audiowave[.]org”) and configures a Windows Defender Antivirus exclusion list to avoid detection. The batch script then paves the way for the execution of a .NET DLL that reaches out to a PNG image hosted on ImgBB (“i.ibb[.]co”).
“[The DLL] is grabbing the last two pixels from this image and then looping through some data contained elsewhere in it,” Veracode said. “It ultimately builds up in memory YET ANOTHER .NET DLL.”
Furthermore, the DLL is equipped to create task scheduler entries and features the ability to bypass user account control (UAC) using a combination of FodHelper.exe and programmatic identifiers (ProgIDs) to evade defenses and avoid triggering any security alerts to the user.
The newly-downloaded DLL is Pulsar RAT, a “free, open-source Remote Administration Tool for Windows” and a variant of the Quasar RAT malware.
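Two of the traits described above, an install-time lifecycle hook in package.json and a script whose variable names are almost entirely non-ASCII, are cheap to check for before a package is ever installed. The following triage helper is an added example written for this article, not Veracode's tooling or the package's own code; the package.json and script contents are constructed stand-ins, and the 50% identifier threshold is an assumed heuristic.

```python
import json
import re

# Lifecycle hooks that npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude JS tokenizer: drop string literals, then pull identifier-like tokens.
STRING_RE = re.compile(r"""(["'`])(?:\\.|(?!\1).)*\1""", re.DOTALL)
IDENT_RE = re.compile(r"[^\W\d]\w*")
JS_KEYWORDS = {"var", "let", "const", "function", "return", "if", "else",
               "new", "this", "typeof", "true", "false", "null"}


def install_hooks(package_json_text):
    """Return only the scripts npm would execute at install time."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def non_ascii_identifier_ratio(js_source):
    """Fraction (0.0-1.0) of non-keyword identifiers containing non-ASCII chars."""
    code = STRING_RE.sub('""', js_source)
    idents = [t for t in IDENT_RE.findall(code) if t not in JS_KEYWORDS]
    if not idents:
        return 0.0
    return sum(1 for t in idents if not t.isascii()) / len(idents)


def triage(package_json_text, files, threshold=0.5):
    """Flag install hooks whose script is dominated by non-ASCII identifiers.
    `files` maps filename -> source text (stand-in for an unpacked tarball)."""
    findings = []
    for hook, cmd in install_hooks(package_json_text).items():
        for name, src in files.items():
            if name in cmd:  # the hook command references this file
                ratio = non_ascii_identifier_ratio(src)
                findings.append({"hook": hook, "command": cmd, "file": name,
                                 "non_ascii_ratio": round(ratio, 2),
                                 "suspicious": ratio >= threshold})
    return findings


# Constructed sample data; not the real package's contents.
SAMPLE_PKG = json.dumps({"name": "example-pkg", "version": "1.0.0",
                         "scripts": {"postinstall": "node setup.js",
                                     "test": "node test.js"}})
SAMPLE_FILES = {
    "setup.js": 'var あ = function(い) { return い; }; あ("hello");',
    "test.js": "var total = price * qty; module.exports = total;",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PKG, SAMPLE_FILES):
        print(finding)
```

The ratio is a heuristic, not a verdict: legitimate packages with non-English identifiers will score high, so treat a hit as a reason to read the hook script before installing, not as proof of compromise.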
Honestly, at this point the hacker deserves to empty my bank account.
What the hell